Use SSH askpass instead of sshpass for password logins #14034
Conversation
Wouldn't making it a config option in lib/ansible/constants.py work the same and be a much smaller change? Also make it conditional instead of substituting the existing working sshpass for those that do not want the envvar.
Sounds good! It's easy to support sshpass too. But which one should be the default? The old one or this, which has no external dependencies (only the openssh)? Or should it first try with askpass and then fall back to sshpass?
Default to current and have a toggle; if this is a good substitute we can eventually reverse the default.
There seems to be a problem with askpass and sftp which is not a problem if using pipelining. The subprocess commands were updated to call os.setsid before execution.
I added the option, which is not enabled by default, to constants.py. It seems that this doesn't work when using sftp but only with scp. However, if there's a control socket, it should work.
Is there a config option for ask become pass?
@saltsa This PR was tested by travis-ci.org, which is no longer used. Please rebase your branch to trigger running of current tests.
@saltsa Greetings! Thanks for taking the time to open this pull request. In order for the community to handle your pull request effectively, we need a bit more information. Here are the items we could not find in your description:
Please set the description of this pull request with this template:
Thank you very much for your submission. We have discussed this and decided against accepting this feature. Our recommendation is to use the paramiko connection plugin, or switch to using key based authentication. If you have further questions please stop by IRC or the mailing list:
Description
This PR makes OpenSSH use askpass directly without the need for the external sshpass program.
This sets the password in the environment variable called ANSIBLE_SSH_PASS and sets the SSH_ASKPASS environment variable to "/usr/bin/ansible-pwecho". It also sets the DISPLAY environment variable to an empty string, if it's not set. When ssh needs a password, it'll execute the askpass program, which simply outputs the password from the environment variable.
Security considerations
The password can be read from the environment variable of the ansible-pwecho program. However, at least in Linux the permissions are limited to the current user.
On the other hand, the pwecho program is very simple.
TODO
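
The mechanism described above, sketched as an added example that is not code from this PR or from Ansible: it prepares the three environment variables, creates an owner-only helper, and runs that helper the way ssh runs an askpass program (prompt as the first argument, answer on stdout, in a new session as with os.setsid). The helper's script body, the function names and the temporary location are assumptions; the helper stands in for /usr/bin/ansible-pwecho and is invoked directly here in place of ssh.

```python
import os
import stat
import subprocess
import tempfile

# Assumed body for the helper (stand-in for /usr/bin/ansible-pwecho):
# print the password taken from the environment, nothing else.
PWECHO_SOURCE = '#!/bin/sh\nprintf "%s\\n" "$ANSIBLE_SSH_PASS"\n'


def write_pwecho(directory):
    """Create the askpass helper, readable and executable by its owner only."""
    path = os.path.join(directory, "ansible-pwecho")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o700)
    os.fchmod(fd, 0o700)  # do not depend on the caller's umask
    with os.fdopen(fd, "w") as handle:
        handle.write(PWECHO_SOURCE)
    return path


def askpass_env(password, askpass_path, base_env=None):
    """Return a copy of the environment set up as the description states."""
    env = dict(os.environ if base_env is None else base_env)
    env["ANSIBLE_SSH_PASS"] = password
    env["SSH_ASKPASS"] = askpass_path
    env.setdefault("DISPLAY", "")  # empty string only if DISPLAY is not set
    return env


def ask_like_ssh(env, prompt="user@host's password: "):
    """Run $SSH_ASKPASS as ssh does and return the line it prints."""
    out = subprocess.run(
        [env["SSH_ASKPASS"], prompt], env=env, stdin=subprocess.DEVNULL,
        stdout=subprocess.PIPE, check=True,
        start_new_session=True,  # same effect as preexec_fn=os.setsid
    ).stdout.decode()
    return out.rstrip("\n")


def demo(password="constructed-example-pw"):
    """Return (helper output, DISPLAY value, helper file mode)."""
    with tempfile.TemporaryDirectory() as tmp:
        helper = write_pwecho(tmp)
        env = askpass_env(password, helper, base_env={"PATH": os.defpath})
        mode = stat.S_IMODE(os.stat(helper).st_mode)
        return ask_like_ssh(env), env["DISPLAY"], mode


if __name__ == "__main__":
    print(demo())
```

The password lives only in the copied environment passed to the child process, which is the exposure the security considerations refer to.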