man ssh says:
SSH_ASKPASS If ssh needs a passphrase, it will read the passphrase from the current terminal if it was run from a terminal. If ssh does not have a terminal associated with it but DISPLAY and SSH_ASKPASS are set, it will execute the program specified by SSH_ASKPASS and open an X11 window to read the passphrase.
I’d like SSH to use an askpass program even if it was run from a terminal.
On occasion, I have to connect to servers, where there’s some delay in showing a password prompt (maybe due to network issues, maybe due to attempted reverse DNS lookups, …). I get annoyed and switch to something else, and forget about the attempted connection. (Insert joke about attention span of a goldfish.) When I finally get back to it, the prompt’s timed out and even a correct password would just result in a closed connection.
Keys would be one solution, but not every system I use has my usual SSH keys. However, I usually use Ubuntu systems, and Ubuntu has an SSH askpass program installed by default.
If an askpass window popped up, however, I’d be immediately aware of it. That’s a good enough compromise for me, if only I can get it to work.
Answers:
Method 1
This will be a bit more complicated, but a combination of several pieces will make it work:
Explanation
- To force ssh to use the $SSH_ASKPASS program, you can’t allow ssh to see the real tty. It is just a condition. This can be done by using setsid and using the -n switch to ssh.

  This case would initiate the connection, but you would not be able to interact with the shell, which is probably also your requirement 😉 (and also breaks your local TTY).

  But you can give up the “first session”. You should also add the -N switch, which will suppress the remote command and will do just the authentication.

  Also the possible output “junk” can be redirected to &> /dev/null if you are not interested in it.

- Set up ControlMaster in ssh_config. It is a cool feature and once the connection is established, you can “fire up” sessions pretty fast. This snippet in ~/.ssh/config should do that:

  ControlPath ~/.ssh/controlmasters/%r@%h:%p
  ControlMaster auto
  ControlPersist 5m

  You can add that into some host block listing your “slow candidates”, or just everywhere. It is almost no overhead.
Final line
Then you should be able to connect in this way to the host you expect will take a while:

setsid ssh -nN host
# wait, insert password in the X11 prompt
ssh host
# will bring you directly to your session

The whole process might be simplified by an alias or bash function doing both in one step, but that is left to the reader’s imagination.
Only command-line arguments
You can join both things together on the command line without the ssh_config part:

setsid ssh -nNMS ~/.ssh/masters/%C host
# wait, insert password in the X11 prompt
ssh -S ~/.ssh/masters/%C host
# will bring you directly to your session
The following function should work when SSH options aren’t specified:
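ssh() {
    # Probe first: if the host can be reached without a password, skip the askpass step.
    if ! command ssh -o PasswordAuthentication=no "$1" true
    then
        # Detach from the terminal so ssh falls back to the askpass program.
        setsid -w ssh -fnN "$1"
    fi
    command ssh "$@"
}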
- -f instructs SSH to go to the background just before program execution, which is after it has got the password.
- -w tells setsid to wait for the program to end. In this case, that happens when SSH goes to the background. Combined with ssh -f, the manual wait between the two SSH commands can be eliminated.
- The function assumes the first argument is the hostname.
- The test is just to prevent unnecessary SSH connections.
Method 2
With OpenSSH 8.4 you can set the $SSH_ASKPASS_REQUIRE environment variable to force. Quoting the ssh(1) man page:
SSH_ASKPASS_REQUIRE Allows further control over the use of
an askpass program. If this variable
is set to "never" then ssh will never
attempt to use one. If it is set to
"prefer", then ssh will prefer to use
the askpass program instead of the TTY
when requesting passwords. Finally, if
the variable is set to "force", then
the askpass program will be used for
all passphrase input regardless of
whether DISPLAY is set.
As OpenSSH 8.4 was released September 27, 2020 you will need to wait a bit to have this feature available in any major Linux distribution.
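An added example, not part of the original answers: a wrapper that uses SSH_ASKPASS_REQUIRE=force when the local client is OpenSSH 8.4 or newer and otherwise falls back to the setsid approach from Method 1. It also refuses a helper that is not an absolute path to an executable, because the SSH_ASKPASS program is what receives the password. The function names and the default helper path /usr/bin/ssh-askpass are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answers); function names are hypothetical.

# Print "require" if the `ssh -V` banner in $1 reports OpenSSH >= 8.4
# (SSH_ASKPASS_REQUIRE is honoured), otherwise "setsid" (Method 1 fallback).
askpass_strategy() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    if [ -z "$ver" ]; then echo setsid; return 0; fi
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 4 ]; }; then
        echo require
    else
        echo setsid
    fi
}

# Accept only an absolute path to an executable file as the helper, since
# whatever SSH_ASKPASS names is the program that gets to see the password.
valid_askpass() {
    case $1 in
        /*) [ -f "$1" ] && [ -x "$1" ] ;;
        *)  return 1 ;;
    esac
}

# Hypothetical wrapper: askpass_ssh [ssh options] host
askpass_ssh() {
    helper=${SSH_ASKPASS:-/usr/bin/ssh-askpass}   # assumed default location
    valid_askpass "$helper" || { echo "bad askpass helper: $helper" >&2; return 1; }
    case $(askpass_strategy "$(command ssh -V 2>&1)") in
        require)
            SSH_ASKPASS=$helper SSH_ASKPASS_REQUIRE=force command ssh "$@" ;;
        *)
            # Older client: detach from the TTY as in Method 1 (needs DISPLAY
            # and the ControlMaster settings from that answer), then attach.
            SSH_ASKPASS=$helper setsid -w ssh -fnN "$@" && command ssh "$@" ;;
    esac
}
```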
Method 3
As per the SSH manual (man ssh):
If ssh does not have a terminal associated with it but DISPLAY and SSH_ASKPASS are set, it will execute the program specified by SSH_ASKPASS.
Therefore you need to disassociate the terminal (e.g. by adding a pipe) and make sure DISPLAY isn’t set (if you want to use terminal for your passphrase instead).
Simple example:
echo foo | SSH_ASKPASS=/my/cmd DISPLAY= ssh ...
The same with ssh-add:
$ echo foo | SSH_ASKPASS=/my/cmd DISPLAY= ssh-add id_rsa
ssh_askpass: exec(/my/cmd): No such file or directory
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.