1 files changed, 33 insertions, 13 deletions

diff --git a/readpass.c b/readpass.c
index 974d67f0b..122d2a87c 100644
--- a/readpass.c
+++ b/readpass.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readpass.c,v 1.61 2020/01/23 07:10:22 dtucker Exp $ */
+/* $OpenBSD: readpass.c,v 1.63 2020/08/11 09:45:54 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -123,11 +123,26 @@ char *
 read_passphrase(const char *prompt, int flags)
 {
         char cr = '\r', *askpass = NULL, *ret, buf[1024];
-        int rppflags, use_askpass = 0, ttyfd;
+        int rppflags, ttyfd, use_askpass = 0, allow_askpass = 0;
         const char *askpass_hint = NULL;
+        const char *s;
+
+        if ((s = getenv("DISPLAY")) != NULL)
+                allow_askpass = *s != '\0';
+        if ((s = getenv(SSH_ASKPASS_REQUIRE_ENV)) != NULL) {
+                if (strcasecmp(s, "force") == 0) {
+                        use_askpass = 1;
+                        allow_askpass = 1;
+                } else if (strcasecmp(s, "prefer") == 0)
+                        use_askpass = allow_askpass;
+                else if (strcasecmp(s, "never") == 0)
+                        allow_askpass = 0;
+        }
 
         rppflags = (flags & RP_ECHO) ? RPP_ECHO_ON : RPP_ECHO_OFF;
-        if (flags & RP_USE_ASKPASS)
+        if (use_askpass)
+                debug("%s: requested to askpass", __func__);
+        else if (flags & RP_USE_ASKPASS)
                 use_askpass = 1;
         else if (flags & RP_ALLOW_STDIN) {
                 if (!isatty(STDIN_FILENO)) {
@@ -153,10 +168,10 @@ read_passphrase(const char *prompt, int flags)
                 }
         }
 
-        if ((flags & RP_USE_ASKPASS) && getenv("DISPLAY") == NULL)
+        if ((flags & RP_USE_ASKPASS) && !allow_askpass)
                 return (flags & RP_ALLOW_EOF) ? NULL : xstrdup("");
 
-        if (use_askpass && getenv("DISPLAY")) {
+        if (use_askpass && allow_askpass) {
                 if (getenv(SSH_ASKPASS_ENV))
                         askpass = getenv(SSH_ASKPASS_ENV);
                 else
@@ -220,8 +235,8 @@ notify_start(int force_askpass, const char *fmt, ...)
         int devnull;
         pid_t pid;
         void (*osigchld)(int);
-        const char *askpass;
-        struct notifier_ctx *ret;
+        const char *askpass, *s;
+        struct notifier_ctx *ret = NULL;
 
         va_start(args, fmt);
         xvasprintf(&prompt, fmt, args);
@@ -233,15 +248,19 @@ notify_start(int force_askpass, const char *fmt, ...)
                 (void)write(STDERR_FILENO, "\r", 1);
                 (void)write(STDERR_FILENO, prompt, strlen(prompt));
                 (void)write(STDERR_FILENO, "\r\n", 2);
-                free(prompt);
-                return NULL;
+                goto out;
         }
         if ((askpass = getenv("SSH_ASKPASS")) == NULL)
                 askpass = _PATH_SSH_ASKPASS_DEFAULT;
-        if (getenv("DISPLAY") == NULL || *askpass == '\0') {
-                debug3("%s: cannot notify", __func__);
-                free(prompt);
-                return NULL;
+        if (*askpass == '\0') {
+                debug3("%s: cannot notify: no askpass", __func__);
+                goto out;
+        }
+        if (getenv("DISPLAY") == NULL &&
+            ((s = getenv(SSH_ASKPASS_REQUIRE_ENV)) == NULL ||
+            strcmp(s, "force") != 0)) {
+                debug3("%s: cannot notify: no display", __func__);
+                goto out;
         }
         osigchld = ssh_signal(SIGCHLD, SIG_DFL);
         if ((pid = fork()) == -1) {
@@ -269,6 +288,7 @@ notify_start(int force_askpass, const char *fmt, ...)
         }
         ret->pid = pid;
         ret->osigchld = osigchld;
+ out:
         free(prompt);
         return ret;
 }