mirror of https://github.com/openSUSE/osc.git synced 2025-01-24 22:06:14 +01:00

Allow users to prefer ssh key over password auth

If `sshkey` config option is set, then osc prefers it over password auth.
If `sshkey` config option is not set and the server supports both basic
and signature auth, basic auth is used and ssh key is NOT auto-detected.

Users who want to use ssh auth with ssh key auto-detection can now leave
the `pass` config option empty to trigger ssh key auto-detection.

The ssh-key autodetection picks the first key that matches:
- key loaded to ssh-agent (`ssh-add -l`) that has a public key in ~/.ssh
- ~/.ssh/{id_ed25519,id_rsa}

It is also recommended to use the Obfuscated or Plaintext credentials manager.
Please be aware that storing passwords using these credentials managers
is unsafe, because they're stored in plain text on disk.

Example:

    [<apiurl>]
    user=<username>
    pass=
    # ssh key is auto-detected because `pass` is empty
    sshkey=
    credentials_mgr_class=osc.credentials.ObfuscatedConfigFileCredentialsManager
Daniel Mach 2022-07-08 15:16:17 +02:00
parent 870d861b61
commit a7e5e12c5a


@ -540,14 +540,26 @@ def _build_opener(apiurl):
for authreq in headers.get_all('www-authenticate', []):
scheme = authreq.split()[0].lower()
authreqs[scheme] = authreq
if 'signature' in authreqs and self.signatureauthhandler and \
(self.signatureauthhandler.sshkey_known() or 'basic' not in authreqs):
if 'signature' in authreqs \
and self.signatureauthhandler \
and (
# sshkey explicitly set in the config file, use it instead of doing basic auth
self.signatureauthhandler.sshkey_known()
or (
# can't fall-back to basic auth, because server doesn't support it
'basic' not in authreqs
# can't fall-back to basic auth, because there's no password provided
or not self.passwd.find_user_password(None, apiurl)[1]
)):
del headers['www-authenticate']
headers['www-authenticate'] = authreqs['signature']
return self.signatureauthhandler.http_error_401(req, fp, code, msg, headers)
if 'basic' in authreqs:
del headers['www-authenticate']
headers['www-authenticate'] = authreqs['basic']
response = super(self.__class__, self).http_error_401(req, fp, code, msg, headers)
# workaround for http://bugs.python.org/issue9639
if hasattr(self, 'retried'):
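Review bot: The new fall-back test `not self.passwd.find_user_password(None, apiurl)[1]` in the inner `or` depends on whatever the password manager returns for `apiurl`, not directly on the `pass` config option the commit message describes, so a password that reaches the manager from any other source would still select basic auth; please say so in the code comment or the documentation. The lookup also runs on every 401 where the server offers both schemes and `sshkey_known()` is false, so consider resolving it once into a named local (for example `have_password`) before the `if`. That would also let the whole condition sit inside one pair of parentheses instead of mixing backslash continuations with a parenthesised group.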