ssh: let password override keys?

John Arbash Meinel john at arbash-meinel.com
Wed Oct 4 05:56:33 BST 2006


Robey Pointer wrote:
> I found this message while trying to clear out my mailbox.  (Sorry it
> got lost for so long.)  I think he's suggesting that if a password is
> given in the sftp:// url, it should be tried before local .ssh/ private
> keys are tried.
> 
> Sounds reasonable to me.  Does anyone have an objection?  If not, I'll
> submit a patch.
> 
> robey
> 
> 

We are unable to pass passwords to an ssh subprocess. So if there is an
'ssh' program available, we don't support the password portion of
'sftp://user:password@host/'.


Passing in a ":password" is generally not recommended, since it starts
showing up in the .*history files and in the output of 'ps', etc.


So, in general, I think we want to get away from having people use
passwords in their urls. That said, it is reasonable that if the
password does exist, then it should be used before the agent is asked.

John
=:->


> Begin forwarded message:
> 
>> From: Mattias Eriksson <mattias.eriksson at ardendo.se>
>> Date: 29 June 2006 8:19:39 PDT
>> To: robey at lag.net
>> Subject: bzr paramiko
>>
>> Hi,
>>
>> I was playing around using ssh and bzr and have a need to be able to
>> pass the password to bzr. I found out that paramiko had support for this
>> in the url, which suited me fine.
>> The only problem I have now is that when I have an ssh key, but that is
>> not valid for a specific host. Then I still have to enter that password
>> for the ssh key, the public key auth fails and the real password is
>> used.
>> I suggest that if a password is present in the url, use that and try not
>> to use public key auth.
>>
>> Then the use of public key for authentication must be detectable since
>> ordinary ssh only asks when the host is valid for public key auth. It
>> would be nice if it only asked for password for the pub key if I can
>> authenticate with it.
>>
>> //Snaggen
>>
> 
> 


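The behaviour discussed in this message, as an added sketch that is not part of the original thread and is not bzr or paramiko code: it parses an sftp:// URL, decides the order in which authentication methods would be tried, and produces a password-free URL that is safe to log. The function name, the method labels, and the order of the methods after the password are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical labels for this sketch; they are not bzr or paramiko identifiers.
PASSWORD, AGENT, KEYFILE, PROMPT, SUBPROCESS = (
    "password", "agent", "private-key", "prompt", "ssh-subprocess")

def plan_sftp_auth(url, have_ssh_program):
    """Return (redacted_url, auth_order, warnings) for an sftp:// URL."""
    parts = urlsplit(url)
    if parts.scheme != "sftp" or not parts.hostname:
        raise ValueError("expected sftp://[user[:password]@]host/path")
    has_password = bool(parts.password)

    # Rebuild the netloc without the password so the URL is safe to log.
    host = parts.hostname
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = "[%s]" % host
    netloc = host if parts.port is None else "%s:%d" % (host, parts.port)
    if parts.username:
        netloc = "%s@%s" % (parts.username, netloc)
    redacted = urlunsplit((parts.scheme, netloc, parts.path,
                           parts.query, parts.fragment))

    warnings = []
    if has_password:
        warnings.append("password in URL can leak via shell history and ps")
    if have_ssh_program:
        # An external ssh subprocess cannot be handed the password.
        order = [SUBPROCESS]
        if has_password:
            warnings.append("password ignored: cannot be passed to ssh subprocess")
    elif has_password:
        # Try the supplied password before asking the agent.
        order = [PASSWORD, AGENT, KEYFILE, PROMPT]
    else:
        order = [AGENT, KEYFILE, PROMPT]
    return redacted, order, warnings

if __name__ == "__main__":
    # Constructed sample URLs.
    for u in ("sftp://user:password@host/repo", "sftp://user@host:2222/repo"):
        print(plan_sftp_auth(u, have_ssh_program=False))
```
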