/* * Copyright (c) 2000-2002 Damien Miller. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /* GTK2 support by Nalin Dahyabhai <nalin@redhat.com> */ /* * This is a simple GNOME SSH passphrase grabber. To use it, set the * environment variable SSH_ASKPASS to point to the location of * gnome-ssh-askpass before calling "ssh-add < /dev/null". * * There is only two run-time options: if you set the environment variable * "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the * pointer will be grabbed too. These may have some benefit to security if * you don't trust your X server. We grab the keyboard always. */ #define GRAB_TRIES 16 #define GRAB_WAIT 250 /* milliseconds */ /* * Compile with: * * cc -Wall `pkg-config --cflags gtk+-2.0` \ * gnome-ssh-askpass2.c -o gnome-ssh-askpass \ * `pkg-config --libs gtk+-2.0` * */ #include <stdlib.h> #include <stdio.h> #include <string.h> #include <unistd.h> #include <X11/Xlib.h> #include <gtk/gtk.h> #include <gdk/gdkx.h> static void report_failed_grab (GtkWidget *parent_window, const char *what) { GtkWidget *err; err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0, GTK_MESSAGE_ERROR, GTK_BUTTONS_CLOSE, "Could not grab %s. " "A malicious client may be eavesdropping " "on your session.", what); gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER); gtk_dialog_run(GTK_DIALOG(err)); gtk_widget_destroy(err); } static void ok_dialog(GtkWidget *entry, gpointer dialog) { g_return_if_fail(GTK_IS_DIALOG(dialog)); gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK); } static int passphrase_dialog(char *message) { const char *failed; char *passphrase, *local; int result, grab_tries, grab_server, grab_pointer; GtkWidget *parent_window, *dialog, *entry; GdkGrabStatus status; grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL); grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL); grab_tries = 0; /* Create an invisible parent window so that GtkDialog doesn't * complain. */ parent_window = gtk_window_new(GTK_WINDOW_TOPLEVEL); dialog = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0, GTK_MESSAGE_QUESTION, GTK_BUTTONS_OK_CANCEL, "%s", message); entry = gtk_entry_new(); gtk_box_pack_start( GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))), entry, FALSE, FALSE, 0); gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); gtk_widget_grab_focus(entry); gtk_widget_show(entry); gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH"); gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER); gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE); /* Make <enter> close dialog */ gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK); g_signal_connect(G_OBJECT(entry), "activate", G_CALLBACK(ok_dialog), dialog); gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE); /* Grab focus */ gtk_widget_show_now(dialog); if (grab_pointer) { for(;;) { status = gdk_pointer_grab( (gtk_widget_get_window(GTK_WIDGET(dialog))), TRUE, 0, NULL, NULL, GDK_CURRENT_TIME); if (status == GDK_GRAB_SUCCESS) break; usleep(GRAB_WAIT * 1000); if (++grab_tries > GRAB_TRIES) { failed = "mouse"; goto nograb; } } } for(;;) { status = gdk_keyboard_grab( gtk_widget_get_window(GTK_WIDGET(dialog)), FALSE, GDK_CURRENT_TIME); if (status == GDK_GRAB_SUCCESS) break; usleep(GRAB_WAIT * 1000); if (++grab_tries > GRAB_TRIES) { failed = "keyboard"; goto nograbkb; } } if (grab_server) { gdk_x11_grab_server(); } result = gtk_dialog_run(GTK_DIALOG(dialog)); /* Ungrab */ if (grab_server) XUngrabServer(gdk_x11_get_default_xdisplay()); if (grab_pointer) gdk_pointer_ungrab(GDK_CURRENT_TIME); gdk_keyboard_ungrab(GDK_CURRENT_TIME); gdk_flush(); /* Report passphrase if user selected OK */ passphrase = g_strdup(gtk_entry_get_text(GTK_ENTRY(entry))); if (result == GTK_RESPONSE_OK) { local = g_locale_from_utf8(passphrase, strlen(passphrase), NULL, NULL, NULL); if (local != NULL) { puts(local); memset(local, '\0', strlen(local)); g_free(local); } else { puts(passphrase); } } /* Zero passphrase in memory */ memset(passphrase, '\b', strlen(passphrase)); gtk_entry_set_text(GTK_ENTRY(entry), passphrase); memset(passphrase, '\0', strlen(passphrase)); g_free(passphrase); gtk_widget_destroy(dialog); return (result == GTK_RESPONSE_OK ? 0 : -1); /* At least one grab failed - ungrab what we got, and report the failure to the user. Note that XGrabServer() cannot fail. */ nograbkb: gdk_pointer_ungrab(GDK_CURRENT_TIME); nograb: if (grab_server) XUngrabServer(gdk_x11_get_default_xdisplay()); gtk_widget_destroy(dialog); report_failed_grab(parent_window, failed); return (-1); } int main(int argc, char **argv) { char *message; int result; gtk_init(&argc, &argv); if (argc > 1) { message = g_strjoinv(" ", argv + 1); } else { message = g_strdup("Enter your OpenSSH passphrase:"); } setvbuf(stdout, 0, _IONBF, 0); result = passphrase_dialog(message); g_free(message); return (result); }