Accept password from stdin

[E5ten]

A flag to accept password from stdin so it can be piped in would be very helpful for using doas in scripts (for example I am working on a bash doasedit a counterpart to sudoedit for doas), would you consider adding a flag like that?

[Duncaen]

No I wouldn't add features not present in the upstream version from OpenBSD.

[ghost]

I was facing the exact same problem on both doas packages available on Arch Linux (this and slicer69/doas#17), it turns out i found a pretty good workaround for this by using expect for automatically entering input on interactive prompts, i ended up with something like this:

#!/usr/bin/expect

spawn doas -- pacman --noconfirm -U yay-bin-10.2.3-1-x86_64.pkg.tar.zst
expect "Password: " {send -- "password\r"}
expect eof

Hope it helps someone :)

[jzbor]

Would it be possible to automatically accept input from stdin (instead of tty) when a non-interactive session is detected. Until today I did not even know that this makes a difference, but it does seem to lead to different behavior of doas on Linux compared to other platforms.

[Duncaen]

The passphrase is read from the tty directly so something like echo hello world | doas tee /tmp/foo will ask for the password, correctly authenticate the user and tee will get the "hello world" from stdin.

This behaves exactly the same on every platform opendoas runs on and in the original doas behaves in exactly the same way.

[jzbor]

Okay, thanks for the quick reply. Seems like I misread the discussion in slicer69/doas#17

[Duncaen]

Yes this repository and opendoas has nothing to do at all with slicer69/doas, which is completely broken in this regard.

This issue is a feature request for allowing to pass passwords to doas through stdin, which since I don't want to divert from the openbsd doas has been closed.

Not sure why this was linked in the slicer69/doas bug report, while this is a feature request for something different.

The expect snipped emulates a tty and passes a predefined password to doas, like it was requested in this issue.

[ghost]

@Duncaen i've linked this with the slicer69/doas bug report because both are very similar to each other, in the sense of sending input to doas non-interactively, the fact that one is a feature request and the other a bug report seems irrelevant, also, it might help people who are looking for a solution to this

[Duncaen]

But they are completely different things, this is a feature request to allow passing passwords to doas without the tty.

The bug report in slicer69/doas is that it doesn't actually read the password from the tty and instead shuffles around the stdin file descriptor and reads the password from it, breaking piping things through slicer69/doas to the executed command.

[ghost]

Makes sense, i might have confused myself, should have read the bug report over there more thoroughly, i've just skimmed over it superficially and thought it had some degree of correlation with the problem i was facing, sorry