Insecure sshpass behavior #6236

Closed
5 tasks done
iridian-ks opened this issue Jun 18, 2019 · 1 comment
Labels
outdated PR was locked due to age

Comments


iridian-ks commented Jun 18, 2019

Please note that we will close your issue without comment if you delete, do not read or do not fill out the issue checklist below and provide ALL the requested information. If you repeatedly fail to use the issue template, we will block you from ever submitting issues to Homebrew again.

  • are reporting a bug others will be able to reproduce and not asking a question. If you're not sure or want to ask a question do so on our Discourse: https://discourse.brew.sh
  • ran a brew command and reproduced the problem with multiple formulae? If it's a problem with a single, official formula (not cask) please file this issue at Homebrew/homebrew-core: https://github.com/Homebrew/homebrew-core/issues/new/choose. If it's a brew cask problem please file this issue at https://github.com/Homebrew/homebrew-cask/issues/new/choose. If it's a tap (e.g. Homebrew/homebrew-php) problem please file this issue at the tap.
  • ran brew update and can still reproduce the problem?
  • ran brew doctor, fixed all issues and can still reproduce the problem?
  • ran brew config and brew doctor and included their output with your issue?

What you were trying to do (and why)

I am trying to run Ansible in a secure manner in our particular environment. When running Ansible, in our environment, we want the option to use SSH Keys or Usernames/Passwords. When trying to run Ansible with a Username/Password we get this error.

 [WARNING]: Unhandled error in Python interpreter discovery for host ...: to use the 'ssh' connection type with passwords, you must install
the sshpass program

It looks like there isn't any workaround to get Ansible to not request sshpass.

What happened (include command output)

I normally use homebrew to install all packages I use.

brew search sshpass
We won't add sshpass because it makes it too easy for novice SSH users to
ruin SSH's security.

What you expected to happen

I expected to be able to install packages in a secure manner.

Step-by-step reproduction instructions (by running brew commands)

  1. Try to run ansible and set ansible_ssh_pass to avoid the need to be asked for a password
  2. Have it fail, knowing that you don't have sshpass installed
  3. Try to install sshpass and have homebrew block you

Extra notes for Homebrew developers

I understand the attempt here is to protect users, which I am all for. I feel like it's my civic duty to speak out though. If a user REALLY needs sshpass then they are going to install it one way or another. I would like to think that the homebrew repository is much more secure than having users Google for how to get sshpass and end up on this gist: https://gist.github.com/arunoda/7790979

In this case, the user is downloading code from a random person and they may or may not be verifying that the download is legitimate (I am not saying this particular download is not legitimate). In my opinion, this leaves novice users vulnerable to a different kind of attack.

Users are better off downloading sshpass from Homebrew directly than finding a random third party to download from. If Homebrew wants to warn users to deter them from installing this package then that's much more secure than having them install an insecure package from an insecure repository.

If there is absolutely no way that sshpass will make it into Homebrew then I am OK with this being closed out. I will find a workaround using Docker instead of installing Ansible through Homebrew, but I wanted to point out a different kind of bug/attack vector that may or may not have been thought of.

Maybe in the Ansible install, users should be warned of this bug and be encouraged to get Ansible through different means (assuming they need password auth like I do).

Cheers!

@MikeMcQuaid
Member

> If there is absolutely no way that sshpass will make it into Homebrew then I am OK with this being closed out.

Not currently although I'll take that on board and consider this in future. Thanks for the well written issue!

> Maybe in the Ansible install, users should be warned of this bug and be encouraged to get Ansible through different means (assuming they need password auth like I do).

Yeh, I think Ansible on macOS probably warrants an issue to want a different tool/installation mechanism for this.

@lock lock bot added the outdated PR was locked due to age label Jan 1, 2020
@lock lock bot locked as resolved and limited conversation to collaborators Jan 1, 2020