request: SFTP with password prompt

[cocodrino]

Hi guys, I'm using a service which ask for the password and I can't handle the auth using public keys, could be possible than for future releases restic handle sftp with password?...maybe setting the values as a env var or passing as argument?...thanks!.

[fd0]

Thanks for your interest in restic. At the moment, restic uses the system-provided ssh command to log into servers. I'll have a look if it is possible to make it prompt for the password.

[fawick]

SSHPass might be helpful here to fake the keyboard-interactive mode that is neccessary for letting the ssh client fetch the password.

@fd0: But sInce you are vendoring golang.org/x/crypto/ssh anyway, why not use that package and call sftp.NewClient instead of ssh.NewClientPipe? I assume the reason is that OpenSSH is considered to be more mature than golang.org/x/crypto/ssh?

Anyway, here is what https://godoc.org/golang.org/x/crypto/ssh#example-Client-Listen lists as an example

config := &ssh.ClientConfig{
    User: "username",
    Auth: []ssh.AuthMethod{
        ssh.Password("password"),
    },
}
// Dial your ssh server.
conn, err := ssh.Dial("tcp", "localhost:22", config)
if err != nil {
    log.Fatalf("unable to connect: %s", err)
}
defer conn.Close()

Given that, your call to sftp.NewClientPipe in backend/sftp/sftp.go would look like this

client, err := sftp.NewClient(conn)

[fd0]

@fd0: But since you are vendoring golang.org/x/crypto/ssh anyway, why not use that package and call sftp.NewClient instead of ssh.NewClientPipe?

That's certainly possible, but not yet implemented.

I assume the reason is that OpenSSH is considered to be more mature than golang.org/x/crypto/ssh?

That's one point, but the more important thing is: When the sftp backend was implemented, I did not want to define how users configure all needed parameters for ssh: Port, user, password, key, algorithms, host key verification, etc. In my (personal) setting and the ones of several people I asked, everybody already had ssh configured to access the servers (without using a password), so I figured that it's way easier to just use the existing ssh config and call the ssh command.

I think an option to use the Go ssh implementation is a good idea (so it will work on e.g. Windows without having to install ssh), but this is blocked by having a better configuration framework for the backends (that's in the pipeline right now).

[fawick]

I agree that setting up all connection parameters in ~/.ssh/config is much nicer.

A intermediate workaround for @cocodrino might be to have a test in func startClient for the envvar SSH_PASSWORD around which then uses either crypto/ssh.Client, if the envvar is set, or falls back to the existing NewClientPipe/ssh command solution, if not.

[Mebus]

Hi!

+1 👍

I need password auth to access my hosters backup storage via sftp :-)

Mebus