Askpass implementation for doas

Chris Noxz

January 20, 2021

As I was trying to move away from using sudo to instead be using doas, mostly due to recent security concerns, I had yet to find any solution for the missing ASKPASS functionality. So instead of creating a fork of doas that I would have to maintain, I instead found a quite obvious solution using expect and tcl. I wrote this short script which in its current state have a pseudo dependency of dmenu.

#!/usr/bin/expect -- 
 
# askpass implementation for doas 
# example usage: DOAS_ASKPASS="dmenu -P -p password:" doas_askpass echo working 
 
# don’t mind the man behind the curtain 
log_user 0 
 
# no command, then nothing to do 
if { $argc == 0 } { exit 0 } 
 
# treat all arguments as command input 
set cmd [lrange $argv 0 end]; 
 
# read askpass from env or fallback to dmanu_pass () 
if {[info exists ::env(DOAS_ASKPASS)]} { 
    set askpass "$::env(DOAS_ASKPASS)" 
} else { 
    set askpass "dmenu_pass password:" 
} 
 
# read password from user 
set pwd [exec {*}$askpass] 
 
# spawn doas operation 
spawn doas {*}$cmd 
 
# send password and execute command 
expect "doas*password:" { 
    send -- "$pwd\r" 
    expect \r 
    log_user 1 
    expect eof 
}

Of course, feel free to use it if you have similar needs.