author | 2014-04-29 18:08:10 -0400 | |
---|---|---|
committer | 2014-04-29 18:08:10 -0400 | |
commit | c963d19b6b3150de90783741514143c5145a28a9 (patch) | |
tree | 4a4c4d56356353af9c3c8d0a7e946e4c8df04f84 | |
parent | e7bb1e85fbfa7b691ed4248cc0359a87cb2fb71e (diff) |
support being run by ssh as ssh-askpass replacement
To use, set GIT_ANNEX_SSHASKPASS to point to a fifo or regular file
(FIFO is better, avoids touching disk or multiple readers) that contains
the password. Then set SSH_ASKPASS=git-annex, and when ssh runs it, it will
tell ssh the password.
This is not yet used.
-rw-r--r-- | Annex/Ssh.hs | 15 | ||||
-rw-r--r-- | CmdLine/GitAnnex.hs | 10 | ||||
-rw-r--r-- | doc/design/assistant/sshpassword.mdwn | 2 |
3 files changed, 22 insertions, 5 deletions
diff --git a/Annex/Ssh.hs b/Annex/Ssh.hs
index 159480121..21bb83e28 100644
--- a/Annex/Ssh.hs
+++ b/Annex/Ssh.hs
@@ -16,6 +16,8 @@ module Annex.Ssh (
 sshCachingTo,
 inRepoWithSshCachingTo,
 runSshCaching,
+ sshAskPassEnv,
+ runSshAskPass
 ) where

 import qualified Data.Map as M
@@ -230,7 +232,7 @@ sshReadPort params = (port, reverse args)
 {- When this env var is set, git-annex runs ssh with parameters
 - to use the socket file that the env var contains.
 -
- - This is a workaround for GiT_SSH not being able to contain
+ - This is a workaround for GIT_SSH not being able to contain
 - additional parameters to pass to ssh. -}
 sshCachingEnv :: String
 sshCachingEnv = "GIT_ANNEX_SSHCACHING"
@@ -268,8 +270,17 @@ sshCachingTo remote g
 where
 uncached = return g

-runSshCaching :: [String] -> String -> IO ()
+runSshCaching :: [String] -> FilePath -> IO ()
 runSshCaching args sockfile = do
 let args' = toCommand (sshConnectionCachingParams sockfile) ++ args
 let p = proc "ssh" args'
 exitWith =<< waitForProcess . processHandle =<< createProcess p
+
+{- When this env var is set, git-annex is being used as a ssh-askpass
+ - program, and should read the password from the specified location,
+ - and output it for ssh to read. -}
+sshAskPassEnv :: String
+sshAskPassEnv = "GIT_ANNEX_SSHASKPASS"
+
+runSshAskPass :: FilePath -> IO ()
+runSshAskPass passfile = putStrLn =<< readFile passfile
diff --git a/CmdLine/GitAnnex.hs b/CmdLine/GitAnnex.hs
index c37e44a2d..e4dd29b67 100644
--- a/CmdLine/GitAnnex.hs
+++ b/CmdLine/GitAnnex.hs
@@ -199,5 +199,11 @@ run args = do
 #ifdef WITH_EKG
 _ <- forkServer "localhost" 4242
 #endif
- maybe (dispatch True args cmds gitAnnexOptions [] header Git.CurrentRepo.get)
- (runSshCaching args) =<< getEnv sshCachingEnv
+ go envmodes
+ where
+ go [] = dispatch True args cmds gitAnnexOptions [] header Git.CurrentRepo.get
+ go ((v, a):rest) = maybe (go rest) a =<< getEnv v
+ envmodes =
+ [ (sshCachingEnv, runSshCaching args)
+ , (sshAskPassEnv, runSshAskPass)
+ ]
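Review bot: `runSshAskPass` in the last Annex/Ssh.hs hunk takes only the password file and never looks at the prompt text that ssh hands to its askpass program, so it would print the password in answer to anything ssh asks through the helper (a host key confirmation or a key passphrase prompt, for instance), not only the password prompt. Since the commit message says this is not yet used, a comment above the function is enough for now, for example `{- Outputs the password whatever ssh asked; the caller must ensure only a password prompt can reach this. -}`. The same comment should state that the file or FIFO named by GIT_ANNEX_SSHASKPASS has to be readable by the user only, and that `putStrLn` appends a newline to whatever the file holds.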
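Review bot: `go` in the CmdLine/GitAnnex.hs hunk takes the first variable in `envmodes` that is set, so when GIT_ANNEX_SSHCACHING and GIT_ANNEX_SSHASKPASS are both in the environment the askpass invocation runs `runSshCaching args` and starts another ssh instead of printing the password. That combination looks reachable: `proc "ssh" args'` in runSshCaching sets no environment, so the child ssh presumably inherits the caching variable and passes it on to git-annex when it calls it as SSH_ASKPASS. Reversing the list would break the opposite case, so the two modes need to be kept apart by the caller; at minimum add a comment on `envmodes` such as `-- first match wins; the two variables must never be set together`, or have runSshCaching drop sshCachingEnv from the environment it gives ssh. The body of `run` starts outside this hunk.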
diff --git a/doc/design/assistant/sshpassword.mdwn b/doc/design/assistant/sshpassword.mdwn index c44259865..0113144c5 100644 --- a/doc/design/assistant/sshpassword.mdwn +++ b/doc/design/assistant/sshpassword.mdwn @@ -41,7 +41,7 @@ which gets the password from the webapp, and outputs it to stdout. Seems to call for the webapp and program to communicate over a local socket (locked down so only user can access) or environment. Environment is not as secure (easily snooped by root). -Local socket probably won't work on Windows. +Local socket probably won't work on Windows. Could just use a temp file. Note that the webapp can probe to see if ssh needs a password, and can prompt the user for it before running ssh and the ssh-askpass shim. |