author | Joey Hess <joey@kitenet.net> | 2014-05-14 15:02:18 -0400 |
---|---|---|
committer | Joey Hess <joey@kitenet.net> | 2014-05-14 15:38:32 -0400 |
commit | ffedbbee70d4f19dc89ca54d5fdc2277a5d5e867 (patch) | |
tree | 2f5c7b846a21ae9ebd160599e2043436d19ea81d /doc/design | |
parent | 2b89de6562469c7bee6ae8e78205012ef43396dc (diff) |
webapp: Better ssh password prompting.

When setting up a remote on a ssh server, prompt for a password inside the
webapp, rather than relying on ssh's own password prompting in the terminal
the webapp was started from, or ssh-askpass.

Avoids double prompting for the ssh password (and triple-prompting on
Windows for rsync.net), since the entered password is cached for 10 minutes
and this cached password is reused when setting up the repository, after
the initial probe.

When the user has an existing ssh key set up, they can choose to use it,
rather than entering a password. The webapp used to probe for this case
automatically, so this is a little harder, but it's an advanced user thing.

Note that this commit is known to break enabling existing rsync
repositories. It has not been tested with gcrypt repositories. It's not been
successfully tested yet on Windows.

This commit was sponsored by Ralph Mayer.
Diffstat (limited to 'doc/design')
-rw-r--r-- | doc/design/assistant/sshpassword.mdwn | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/doc/design/assistant/sshpassword.mdwn b/doc/design/assistant/sshpassword.mdwn index 0113144c5..8b0ac3fe3 100644 --- a/doc/design/assistant/sshpassword.mdwn +++ b/doc/design/assistant/sshpassword.mdwn @@ -14,10 +14,12 @@ can be pretty sure noone is sniffing the (localhost) connection. ## ssh-askpass approach * If ssh-askpass is in PATH, or `SSH_ASKPASS` is set, do nothing. - (Unless webapp is run remotely.) + (Unless webapp is run remotely.) + XXX not currently done; the UI would need to omit the password entry + fields in this case. * Otherwise, have the assistant set `SSH_ASKPASS` to a command that will cause the webapp to read the password and forward it on. Also, set - DISPLAY to ensure that ssh runs the program. + DISPLAY to ensure that ssh runs the program. **done** Looking at ssh.exe, I think this will even work on windows; it contains the code to run ssh-askpass. @@ -36,14 +38,18 @@ code to run ssh-askpass. ### ssh-askpass shim, and password forwarding `SSH_ASKPASS` needs to be set to a program (probably git-annex) -which gets the password from the webapp, and outputs it to stdout. +which gets the password from the webapp, and outputs it to stdout. **done** Seems to call for the webapp and program to communicate over a local socket (locked down so only user can access) or environment. Environment is not as secure (easily snooped by root). Local socket probably won't work on Windows. Could just use a temp file. +(Currently uses a temp file with locked down perms that it's careful +to clean up after use.) + Note that the webapp can probe to see if ssh needs a password, and can prompt the user for it before running ssh and the ssh-askpass shim. This avoids some complexity, and perhaps some attack vectors, if the shim cannot requst an arbitrary password prompt. +(This complexity not needed with the temp file approach..) |
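Review bot: In the first hunk (the "ssh-askpass approach" list), the first bullet still says "do nothing" when ssh-askpass is in PATH or `SSH_ASKPASS` is set, while the added XXX line says this is not currently done, so the document no longer states what actually happens to a user's pre-existing `SSH_ASKPASS`. Suggest rewording the bullet to describe the current behaviour and keeping the unimplemented case as a clearly marked TODO, so a reader can tell whether the user's own askpass program is bypassed. The removed and re-added "(Unless webapp is run remotely.)" line appears to differ only in whitespace; if that is unintentional it could be dropped from the patch.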
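Review bot: In the second hunk, the added sentence "(Currently uses a temp file with locked down perms that it's careful to clean up after use.)" records the chosen transport for the password but leaves out what a reader needs to judge it: which mode the file is created with and whether the permissions are applied at creation rather than afterwards, how long the file can exist (the commit message mentions a 10 minute password cache), and what removes it if the process exits abnormally. The paragraph above notes that a local socket probably won't work on Windows, so it is worth saying how the file is restricted there as well. The trailing "(This complexity not needed with the temp file approach..)" is ambiguous, since the preceding paragraph presents probing as the thing that avoids complexity; name which complexity is meant and drop the doubled period.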