Ask user for password?

I posted WinSCP askpass tips please and found a workaround for me.

But maybe it's possible to implement something better?

Background: On my targetserver I can only log in with my personal account. There I am only allowed to do a sudo su - TARGETUSER. This is then prompting me for the password.

The workaround I'm using is a script which is called by sudo as SUDO_ASKPASS. That script is connecting to a fifo where, on the other end, I have an open terminal session where I enter my password. This seems to work quite good, besides the small security risk that someone could read from my fifo while I'm thinking I'm communicating with my WinSCP-invoked script.

What I'm thinking about is: Would it be possible to have a script on my targetserver which can communicate back with WinSCP, sending WinSCP the request to ask the user for a password? It would then get the password from WinSCP and would give it back to sudo via stdout.

Hi!

I mailed Martin and he suggested that I describe the problem (a bit better?) in the forum to "see if others find it interesting."

I hope you will...

So please find the problem description here:

My problem is the following:

1. I'm only allowed to log in to our production systems with a personalized user
   
2. To do something as the functional user of our applications, I can only use sudo su - functionaluser
   

So the official way, when I have to copy files back and forth is to copy them into a temp location first.

Of course this is quite annoying and people tend to forget to delete files from there.

Usually I would copy my public key to the functional user's .ssh/authorized_keys, but that's not wanted.

So my only solution was to use an "askpass" script, but since I do not want to have my password in clear text in a script, I came up with the workaround shown in the forum (linked in the first thread). The idea is that I have a terminal session on my production host where I open a fifo where I send my password in. The WinSCP connection is starting a sudo which calls a script reading from the fifo and thus getting my password.

The ideal solution would be if a script could "tell" WinSCP that it wants a password and the WinSCP then prompts the user for it.

I imagine something like a new setting in WinSCP telling it: "When, in a new connection a certain string appears, ask the user for a password and send this password to the connection".

Do you think that's possible. That way a user in a similar situation as I am can simply create a script like this:
Best regards and thanks for WinSCP!

No comment at all?

I kinda like this idea. I think there should be 3 modes of this feature...

• Direct/built-in su/sudo support (without any extra script {or other "hacking" to make it work}, that is)
  
• Support for any "custom" password prompt (or any custom prompt at all? {password or otherwise})
  
• While WinSCP is connecting, if the connection "freezes" for any reason (something is reading stdin), WinSCP could show the recent startup lines (the console output) & ask the user to answer any question the server is asking.

Direct/built-in support for su & sudo should be added: that is a major use-case...ALL "root" users should login as "someuser" & then su or sudo to root.

Anytime after login/connection, WinSCP could have a "Switch Remote User" option, which would invoke either su or sudo to perform the change...but of course, there should also be a login/connection option "Immediately Switch Remote User after login"... like have two username fields on the Login/Connection Info box.

Beyond that, support for a "custom" password prompt would be good too, just in case someone needs a custom script beyond the built-in su/sudo detection above.

I think this should be a WinSCP feature, mostly cuz doing this manually is convoluted: if I had this need, I would NEVER have come up with the script this guy wrote for it (I'm still not even sure I understand the explanation of the script)... I think it's just easier to make WinSCP support it, than to "invent" ways around WinSCP not supporting it. At the very least the su/sudo support should be added, since that is a common security practice of "never login directly as root".

Skeeve wrote:

No comment at all?

...sorry, but no one comes here, unless they have a problem or they "wanna check on WinSCP again".

That sounds even better.

I hope the feature will be picked up.

Skeeve wrote:

I posted WinSCP askpass tips please and found a workaround for me.

Background: On my targetserver I can only log in with my personal account. There I am only allowed to do a sudo su - TARGETUSER. This is then prompting me for the password.

Cannot your admin allow you to sudo this command without requiring a password?

@brablc: Sure he can, but he won't.

This request has been added to the tracker:
Issue 1247 – Allow providing a password to sudo

Thanks a lot!

Any news for this?

Not yet. It's not really high-priority, sorry.