1
0
mirror of https://github.com/golang/go synced 2024-11-22 21:10:03 -07:00

cmd/go: suppress SSH password prompts when fetching modules or repos

We were already setting GIT_SSH_COMMAND (if unset) to explicitly
include 'ControlMaster=no' in order to disable connection pooling.
Now we also set 'BatchMode=yes' to suppress password prompts for
password-protected keys.

While we're here, we also set GCM_INTERACTIVE=never to suppress
similar prompts from the Git Credential Manager for Windows.

Fixes #44904

Change-Id: Iebb050079ff7dd54d5b944c459ae212e9e6f2579
Reviewed-on: https://go-review.googlesource.com/c/go/+/300157
Trust: Bryan C. Mills <bcmills@google.com>
Run-TryBot: Bryan C. Mills <bcmills@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Jay Conrod <jayconrod@google.com>
This commit is contained in:
Bryan C. Mills 2021-03-09 23:27:48 -05:00
parent 5e4f9b077f
commit 86e42c2fbf
3 changed files with 29 additions and 4 deletions

View File

@ -138,6 +138,17 @@ Do not send CLs removing the interior tags from such phrases.
module root when invoked within the <code>vendor</code> tree.
</p>
<h4 id="password-prompts">Password prompts</h4>
<p><!-- golang.org/issue/44904 -->
The <code>go</code> command by default now suppresses SSH password prompts and
Git Credential Manager prompts when fetching Git repositories using SSH, as it
already did previously for other Git password prompts. Users authenticating to
private Git repos with password-protected SSH may configure
an <code>ssh-agent</code> to enable the <code>go</code> command to use
password-protected SSH keys.
</p>
<h2 id="runtime">Runtime</h2>
<p>

View File

@ -126,7 +126,7 @@ func runGet(ctx context.Context, cmd *base.Command, args []string) {
base.Fatalf("go get: -insecure flag is no longer supported; use GOINSECURE instead")
}
// Disable any prompting for passwords by Git.
// Disable any prompting for passwords by Git itself.
// Only has an effect for 2.3.0 or later, but avoiding
// the prompt in earlier versions is just too hard.
// If user has explicitly set GIT_TERMINAL_PROMPT=1, keep
@ -136,7 +136,10 @@ func runGet(ctx context.Context, cmd *base.Command, args []string) {
os.Setenv("GIT_TERMINAL_PROMPT", "0")
}
// Disable any ssh connection pooling by Git.
// Also disable prompting for passwords by the 'ssh' subprocess spawned by
// Git, because apparently GIT_TERMINAL_PROMPT isn't sufficient to do that.
// Adding '-o BatchMode=yes' should do the trick.
//
// If a Git subprocess forks a child into the background to cache a new connection,
// that child keeps stdout/stderr open. After the Git subprocess exits,
// os /exec expects to be able to read from the stdout/stderr pipe
@ -150,7 +153,14 @@ func runGet(ctx context.Context, cmd *base.Command, args []string) {
// assume they know what they are doing and don't step on it.
// But default to turning off ControlMaster.
if os.Getenv("GIT_SSH") == "" && os.Getenv("GIT_SSH_COMMAND") == "" {
os.Setenv("GIT_SSH_COMMAND", "ssh -o ControlMaster=no")
os.Setenv("GIT_SSH_COMMAND", "ssh -o ControlMaster=no -o BatchMode=yes")
}
// And one more source of Git prompts: the Git Credential Manager Core for Windows.
//
// See https://github.com/microsoft/Git-Credential-Manager-Core/blob/master/docs/environment.md#gcm_interactive.
if os.Getenv("GCM_INTERACTIVE") == "" {
os.Setenv("GCM_INTERACTIVE", "never")
}
// Phase 1. Download/update.

View File

@ -163,7 +163,11 @@ func Init() {
// assume they know what they are doing and don't step on it.
// But default to turning off ControlMaster.
if os.Getenv("GIT_SSH") == "" && os.Getenv("GIT_SSH_COMMAND") == "" {
os.Setenv("GIT_SSH_COMMAND", "ssh -o ControlMaster=no")
os.Setenv("GIT_SSH_COMMAND", "ssh -o ControlMaster=no -o BatchMode=yes")
}
if os.Getenv("GCM_INTERACTIVE") == "" {
os.Setenv("GCM_INTERACTIVE", "never")
}
if modRoot != "" {