13

I want to force ssh to always use the program specified by SSH_ASKPASS. In my case the program is just a bash script returning the passphrase.

The problem is, as the ssh documentation says:

If ssh needs a passphrase, it will read the passphrase from the current terminal if it was run from a terminal.

So if I run ssh from a terminal, SSH_ASKPASS is ignored.

There is a similar question: Tell SSH to use a graphical prompt for key passphrase

which proposes creating an alias for ssh, like this:

$ alias ssh="setsid ssh"

but it doesn't work for me, because I don't call ssh directly; it is called from git or rsync.

I also found an open issue in the OpenSSH Bugzilla asking for a fix, but it was opened in 2002, so I don't believe it is going to be implemented.

I'm thinking of probably weird solutions:

  1. Make a fake ssh agent, which calls the script and returns the passphrase.
  2. Create a process looking for new ssh processes and detach them from the terminal before ssh asks for the password.

Any better suggestion?

  • 1
    If I read that open issue correctly, you can set DISPLAY to some value and then SSH_ASKPASS will be used. – npostavs Aug 12 '14 at 00:19
  • When working in a graphical environment DISPLAY is already set. The question is about forcing SSH to use a GUI passphrase window. I personally would also like to use a (fullscreen) GUI way to provide passphrase but the most of all I would like to provide it once, i.e. I would like to talk to the SSH agent, not to the SSH client. – Pavel Šimerda Jan 31 '15 at 16:55

2 Answers

5

As per the ssh manual:

If ssh does not have a terminal associated with it but DISPLAY and SSH_ASKPASS are set, it will execute the program specified by SSH_ASKPASS.

Therefore you need to disassociate the terminal (e.g. by adding a pipe) and make sure DISPLAY isn't set (if you want to use the terminal for your passphrase instead).

Simple example:

echo foo | SSH_ASKPASS=/my/cmd DISPLAY= ssh ...

The same with ssh-add:

$ echo foo | SSH_ASKPASS=/my/cmd DISPLAY= ssh-add id_rsa
ssh_askpass: exec(/my/cmd): No such file or directory
kenorb
  • 20,988
1

Unfortunately, I cannot access the open issue that you have linked, but I have tried @npostavs' suggestion (set DISPLAY to some value) and it seems to work [1].

For example:

# List heads in a remote git repo
DISPLAY=: setsid git ls-remote -h git@github.tik.uni-stuttgart.de:NFL/tests.git

Where

$ cat ${SSH_ASKPASS}
#!/bin/bash
echo ABCSuperPassword

In this example, SSH_AGENT is invoked by git (set GIT_TRACE=2 for more verbose output), effectively providing "ABCSuperPassword" as the password for the private key.

Notes

[1] DISPLAY is often unset when logging into remote terminals.

Alberto
  • 131
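The two answers above rely on the same two conditions: ssh must have no controlling terminal, and DISPLAY plus SSH_ASKPASS must be in its environment. The script below is an added example, not code from either answer, that packages those conditions into a wrapper for a git or rsync invocation. It assumes setsid(1) from util-linux is available and that the passphrase lives in a mode-0600 file named by a hypothetical ASKPASS_SECRET_FILE variable, so the helper script does not carry the passphrase as a literal the way the `echo ABCSuperPassword` script does; the helper also refuses to answer when that file is readable by anyone else. OpenSSH 8.4 and later additionally accept SSH_ASKPASS_REQUIRE=force, which removes the need for the terminal detour altogether; the wrapper targets the older releases the thread is about.

```sh
#!/bin/sh
# Added example (not from the original thread): run a command such as git or
# rsync so that the ssh it spawns has no controlling terminal and finds
# SSH_ASKPASS and DISPLAY set, combining the setsid approach of the second
# answer with a helper that does not hard-code the passphrase.
# Assumptions: setsid(1) from util-linux exists, and the passphrase is stored
# in a mode-0600 file named by the hypothetical ASKPASS_SECRET_FILE variable.
set -eu

WORKDIR="${TMPDIR:-/tmp}/askpass-demo.$$"
mkdir -p "$WORKDIR"
chmod 700 "$WORKDIR"

# Constructed demo secret. In a real deployment this file would come from a
# secrets manager, or ssh-agent would replace it; it is never embedded in the
# helper script itself.
SECRET_FILE="$WORKDIR/passphrase"
( umask 077; printf '%s\n' 'constructed-demo-passphrase' > "$SECRET_FILE" )

# The askpass helper. ssh executes it with the prompt text as $1 and reads the
# passphrase from its stdout. It refuses when the secret file is readable by
# group or others, so a careless chmod fails loudly rather than quietly turning
# the key passphrase into a world-readable string.
ASKPASS="$WORKDIR/askpass.sh"
cat > "$ASKPASS" <<'EOF'
#!/bin/sh
set -eu
f="${ASKPASS_SECRET_FILE:?ASKPASS_SECRET_FILE is not set}"
# GNU/busybox stat print the octal mode with -c '%a'; BSD stat uses -f '%Lp'.
mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
case "$mode" in
    600|400) ;;
    *) echo "askpass: refusing to read $f (mode $mode, expected 600)" >&2; exit 1 ;;
esac
cat "$f"
EOF
chmod 700 "$ASKPASS"

# Run "$@" in a new session so it has no controlling terminal, with the two
# variables ssh checks before it consults SSH_ASKPASS. DISPLAY only has to be
# present in the environment; ':' is a placeholder when there is no X server.
# Inside a non-interactive script the child is not a process-group leader, so
# setsid does not fork: it runs the command in the foreground and returns its
# exit status.
run_detached_with_askpass() {
    if command -v setsid >/dev/null 2>&1; then
        ASKPASS_SECRET_FILE="$SECRET_FILE" SSH_ASKPASS="$ASKPASS" DISPLAY=: \
            setsid "$@"
    else
        echo "warning: setsid not found; the command keeps this terminal and ssh may prompt on it" >&2
        ASKPASS_SECRET_FILE="$SECRET_FILE" SSH_ASKPASS="$ASKPASS" DISPLAY=: "$@"
    fi
}

# Returns 0 only if a command run through the wrapper can still open /dev/tty,
# i.e. detachment did not happen. Used to verify the setup before trusting it
# with a real key.
wrapped_child_has_tty() {
    run_detached_with_askpass sh -c 'exec 3</dev/tty' 2>/dev/null
}

# Example invocation: git spawns ssh, which has no tty and finds SSH_ASKPASS.
#   run_detached_with_askpass git ls-remote -h git@host.example:repo.git
```

Run `wrapped_child_has_tty` once from an interactive shell; it should fail, confirming that anything started through the wrapper cannot fall back to prompting on your terminal. The permission check in the helper is the detail that matters operationally: a passphrase file that drifts to mode 644 is caught at the moment ssh asks for it, not discovered later.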