univention-ssh needs to be adjusted to changed openssh behavior for SSH_ASKPASS. With additional SSH_ASKPASS_REQUIRE=force, it works as of openssh-8.4-p1 (this version is already in Debian 11 Bullseye; it should therefore no longer work there either). Since then, the default has changed: use_askpass = 0, allow_askpass = 0 and you have to use either prefer or force if STDIN is not a TTY; which it is not, because rsync needs that for communication with ssh. This also means that the DISPLAY=:99 ... setsid hack can be omitted. diff --git base/univention-ssh/univention-ssh.in base/univention-ssh/univention-ssh.in index 942d8e5d0d..4766dd657b 100755 --- base/univention-ssh/univention-ssh.in +++ base/univention-ssh/univention-ssh.in @@ -206,12 +206,7 @@ try: os.environ[UNIVENTION_SSH_ASKPASS_ENV] = password # path to self os.environ['SSH_ASKPASS'] = UNIVENTION_SSH_ASKPASS_HELPER - # DISPLAY must be non-empty - if 'DISPLAY' not in os.environ: - os.environ['DISPLAY'] = ':99' - - # create new session to force ssh to call SSH_ASKPASS - os.setsid() + os.environ['SSH_ASKPASS_REQUIRE'] = 'force' os.execvp(command[0], command) # noqa: S606
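Review bot: the removed `os.setsid()` call and the `DISPLAY` default were what made an ssh client older than 8.4 call the helper, and the hunk leaves only `os.environ['SSH_ASKPASS_REQUIRE'] = 'force'`, which, per the description, only works as of openssh-8.4-p1. If univention-ssh can still be run against an older client, keep the old path as a fallback or state the minimum openssh version in the package dependencies. The two deleted comments also carried the rationale for the askpass setup, so a one-line comment above the new assignment saying that `force` is needed because stdin is not a TTY under rsync would keep that documented.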
QA:
- changelog/changelog-basis-other.56593.rst OK
- code review OK
- tested `SSH_ASKPASS_REQUIRE=force` by testing univention-ssh. Also installed an app from the appcenter remotely from a master on a slave.
univention-ssh (12.0.3) c485ee4d3b86 | fix(univention-ssh): adjust to openssh change
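As an added illustration of the behaviour change discussed in this report (not code from univention-ssh or from the fix itself), the sketch below picks the askpass setup from the local client's version: `SSH_ASKPASS_REQUIRE=force` from 8.4 on, the older `DISPLAY` plus new-session approach before that, and both when the version cannot be determined. The function names and the helper path are hypothetical, and the version banners are constructed samples.

```python
import re
import subprocess

ASKPASS_REQUIRE_MIN = (8, 4)  # per the report: works as of openssh-8.4-p1


def parse_openssh_version(banner):
    """Return (major, minor) from `ssh -V` text, or None if unrecognised."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def detect_version(ssh="ssh"):
    """Ask the local client for its version; `ssh -V` writes to stderr."""
    try:
        res = subprocess.run([ssh, "-V"], capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return parse_openssh_version(res.stderr + res.stdout)


def askpass_launch_plan(helper, version, base_env):
    """Return (env, new_session) so that ssh calls `helper` instead of a tty prompt."""
    env = dict(base_env)  # never mutate the caller's environment
    env["SSH_ASKPASS"] = helper
    modern = version is not None and version >= ASKPASS_REQUIRE_MIN
    if modern or version is None:
        env["SSH_ASKPASS_REQUIRE"] = "force"  # ignored by older clients
    if not modern:
        # Old approach, as in the removed code: non-empty DISPLAY, no controlling tty.
        if not env.get("DISPLAY"):
            env["DISPLAY"] = ":99"
        return env, True  # True -> child must call setsid()
    return env, False


def run_with_askpass(command, helper, base_env, ssh="ssh"):
    """Run `command` (e.g. an rsync-over-ssh invocation) under the chosen plan."""
    env, new_session = askpass_launch_plan(helper, detect_version(ssh), base_env)
    return subprocess.run(command, env=env, start_new_session=new_session)


if __name__ == "__main__":
    # Constructed banners, not captured from a real host; helper path is hypothetical.
    for banner in ("OpenSSH_7.9p1 Debian-10", "OpenSSH_8.4p1 Debian-5", "unknown"):
        v = parse_openssh_version(banner)
        env, sess = askpass_launch_plan("/usr/local/bin/askpass-helper", v, {})
        print(banner, "->", sorted(env), "setsid" if sess else "no setsid")
```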