x/crypto/ssh/terminal: ReadPassword doesn't work on redirected stdin giving inappropriate ioctl for device

[ncw]

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version go1.8 linux/amd64

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/ncw/go"
GORACE=""
GOROOT="/opt/go/go1.8"
GOTOOLDIR="/opt/go/go1.8/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build011975399=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"
PKG_CONFIG="pkg-config"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"

What did you do?

Use ReadPassword with redirected stdin - it gives error "inappropriate ioctl for device"

Save this code as readpass.go

$ go build readpass.go
$ ./readpass 
2017/04/10 16:18:22 Read "hello"
$ echo "hello" | ./readpass
2017/04/10 16:18:34 inappropriate ioctl for device
$ 

What did you expect to see?

2017/04/10 16:18:22 Read "hello"

I would expect ReadPass to figure out that it is not reading from a terminal before issuing ioctls that are terminal specific.

What did you see instead?

2017/04/10 16:18:34 inappropriate ioctl for device

Originally reported in: rclone/rclone#1308

[jessfraz]

was this working before in a previous go release?

[ncw]

@jessfraz I don't think this has ever worked - I did a quick bit of testing with old go versions and old x/crypto versions and couldn't find a working version.

[jessfraz]

hmmm odd will play around

[sevagh]

Are there any updates on this issue?
I wrote something that uses terminal.ReadPassword to have a login prompt, and trying to script some unit tests:

yes $(PASSWORD) | my-program login

Gives me the same error: Password (hidden): ⨯ Error when typing password: inappropriate ioctl for device

[sevagh]

You can try some istty handling like:

	if (stat.Mode() & os.ModeCharDevice) == 0 {
		reader := bufio.NewReader(os.Stdin)
		pass, err = reader.ReadString('\n')
		if err != nil {
			log.Fatalf("Error when typing password: %s", err.Error())
		}
	} else {
                //old prompt code
		...

[pam4]

When I use standard input for a password, I always check if it is a terminal and handle the two cases separately, like this:

fd := int(os.Stdin.Fd())
if terminal.IsTerminal(fd) {
    pw, err = terminal.ReadPassword(fd)
} else {
    // handle non-terminal
}

ReadPassword reads a line of input from a terminal without local echo.

Even if it did work with non-terminal FDs, I wouldn't rely on undocumented behavior. This looks like a feature request.
If it is going to be implemented, it should be clearly documented and it should read non-terminal FDs one byte at a time to avoid consuming more input than necessary.

[maraino]

@ncw the only solution I know is to open the tty and read from it, something like:

func readPassword(prompt string) ([]byte, error) {
    fmt.Fprint(os.Stderr, prompt)
    var fd int
    if terminal.IsTerminal(syscall.Stdin) {
        fd = syscall.Stdin
    } else {
        tty, err := os.Open("/dev/tty")
        if err != nil {
            return nil, errors.Wrap(err, "error allocating terminal")
        }
        defer tty.Close()
        fd = int(tty.Fd())
    }

    pass, err := terminal.ReadPassword(fd)
    fmt.Fprintln(os.Stderr)
    return pass, err
}

[pam4]

I can think of two common needs:

1. read a password from the controlling terminal, regardless of standard input:

$ cat input-file | myprogram  # read password from terminal, not pipe
Password: _

2. read a password from the standard input, regardless if it is a terminal, but if it is a terminal, turn off echo and use a prompt:

$ cat input-file | myprogram  # read password from pipe
$

$ myprogram  # read password from terminal
Password: _

In case #1 @maraino solution is fine, except I wouldn't even bother to check stdin and just open /dev/tty right away.

In case #2 you need to check if stdin is a terminal; if true use terminal.ReadPassword, otherwise use normal reads (directly or via bufio, but the only way to ensure that exactly one line is consumed is to read one byte at a time).

@ncw from the original post I would understand you are trying to achieve #2, correct me if I'm wrong.
I think the error you get by using ReadPassword with a non-terminal FD is to be expected, but if you are proposing an enhancement, please make your proposal clear.

[ncw]

@pam4 - I guess I was expecting ReadPassword to act like 2) so read the password from the pipe and only turn off echo if it was a terminal.

If it worked like option 1) that would be fine too.

However just returning inappropriate ioctl for device is unexpected.

Perhaps a patch to the documentation and to the the error returned might be all that is needed:

@@ -93,11 +95,12 @@ func (r passwordReader) Read(buf []byte) (int, error) {
 
 // ReadPassword reads a line of input from a terminal without local echo.  This
 // is commonly used for inputting passwords and other sensitive data. The slice
-// returned does not include the \n.
+// returned does not include the \n. Note that ReadPassword will only work on
+// an fd where IsTerminal(fd) returns true.
 func ReadPassword(fd int) ([]byte, error) {
 	termios, err := unix.IoctlGetTermios(fd, ioctlReadTermios)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("input must be a terminal: %v", err)
 	}
 
 	newState := *termios

[maraino]

@pam4 @ncw: my example was for case #1. On a program that reads on STDIN and then decides if a password is required or not.

It's not a common case, and probably not a good practice to get the user password from STDIN. For example, you can't do that using ssh (echo "tr0ub4dor&3" | ssh foo.bar.zar).

If you need to automatize something a most common case would be to use environment variables, a named file from an argument or an external secrets management tool API.

[sevagh]

If you need to automatize something a most common case would be to use environment variables, a named file from an argument or an external secrets management tool API.

You can still use all of these with the command line, without needing to make your Go code support them. E.g.:

$ yes $(vault read secret/mysecret) | my-tool
$ echo ${PASSWORD}" | my-tool