diff --git a/cli-authpasswd.c b/cli-authpasswd.c
index 02bce1815e9817deca20abe3e77cb879a61151d9..a9f34bd484a4b2b2282860cec5e2783d84206420 100644
--- a/cli-authpasswd.c
+++ b/cli-authpasswd.c
@@ -30,13 +30,105 @@
 #include "runopts.h"
 
 #ifdef ENABLE_CLI_PASSWORD_AUTH
+
+#ifdef ENABLE_CLI_ASKPASS_HELPER
+/* Returns 1 if we want to use the askpass program, 0 otherwise */
+static int want_askpass()
+{
+	char* askpass_prog = NULL;
+
+	askpass_prog = getenv("SSH_ASKPASS");
+	return askpass_prog && !isatty(STDIN_FILENO) && getenv("DISPLAY");
+}
+
+/* returns a statically allocated password from a helper app, or NULL
+ * on failure */
+static char *gui_getpass(const char *prompt) {
+
+	pid_t pid;
+	int p[2], maxlen, len, status;
+	static char buf[DROPBEAR_MAX_CLI_PASS + 1];
+	char* helper = NULL;
+
+	TRACE(("enter gui_getpass"))
+
+	helper = getenv("SSH_ASKPASS");
+	if (!helper)
+	{
+		TRACE(("leave gui_getpass: no askpass program"))
+		return NULL;
+	}
+
+	if (pipe(p) < 0) {
+		TRACE(("error creating child pipe"))
+		return NULL;
+	}
+
+	pid = fork();
+
+	if (pid < 0) {
+		TRACE(("fork error"))
+		return NULL;
+	}
+
+	if (!pid) {
+		/* child */
+		close(p[0]);
+		if (dup2(p[1], STDOUT_FILENO) < 0) {
+			TRACE(("error redirecting stdout"))
+			exit(1);
+		}
+		close(p[1]);
+		execlp(helper, helper, prompt, (char *)0);
+		TRACE(("execlp error"))
+		exit(1);
+	}
+
+	close(p[1]);
+	maxlen = sizeof(buf);
+	while (maxlen > 0) {
+		len = read(p[0], buf + sizeof(buf) - maxlen, maxlen);
+		if (len > 0) {
+			maxlen -= len;
+		} else {
+			if (errno != EINTR)
+				break;
+		}
+	}
+
+	close(p[0]);
+
+	while (waitpid(pid, &status, 0) < 0 && errno == EINTR)
+		;
+	if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
+		return(NULL);
+
+	len = sizeof(buf) - maxlen;
+	buf[len] = '\0';
+	if (len > 0 && buf[len - 1] == '\n')
+		buf[len - 1] = '\0';
+
+	TRACE(("leave gui_getpass"))
+	return(buf);
+}
+#endif /* ENABLE_CLI_ASKPASS_HELPER */
+
 int cli_auth_password() {
 
 	char* password = NULL;
-	TRACE(("enter cli_auth_password"))
 
+	TRACE(("enter cli_auth_password"))
 	CHECKCLEARTOWRITE();
-	password = getpass("Password: ");
+
+#ifdef ENABLE_CLI_ASKPASS_HELPER
+	if (want_askpass())
+		password = gui_getpass("Password: ");
+	else
+#endif
+		password = getpass("Password: ");
+
+	if (password == NULL)
+		return 0;
 
 	buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_REQUEST);
 
@@ -60,4 +152,4 @@ int cli_auth_password() {
 	return 1; /* Password auth can always be tried */
 
 }
-#endif
+#endif	/* ENABLE_CLI_PASSWORD_AUTH */
diff --git a/dbutil.c b/dbutil.c
index fbe170d532684bac835d62fbd9d2e0220de1ee0e..5f3a45dfb84192247f72c6b201cbe7c2a2b709ec 100644
--- a/dbutil.c
+++ b/dbutil.c
@@ -627,7 +627,13 @@ void setnonblocking(int fd) {
 	TRACE(("setnonblocking: %d", fd))
 
 	if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0) {
-		dropbear_exit("Couldn't set nonblocking");
+		if (errno == ENODEV) {
+			/* Some devices (like /dev/null redirected in)
+			 * can't be set to non-blocking */
+			TRACE(("ignoring ENODEV for setnonblocking"))
+		} else {
+			dropbear_exit("Couldn't set nonblocking");
+		}
 	}
 	TRACE(("leave setnonblocking"))
 }
diff --git a/options.h b/options.h
index 1dfb73878d0552cb9d6dd5294e1e70f674681e16..7e88dbc04798e5e47581b38bd2380bdefd64a13e 100644
--- a/options.h
+++ b/options.h
@@ -126,6 +126,13 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
 #define ENABLE_CLI_PASSWORD_AUTH
 #define ENABLE_CLI_PUBKEY_AUTH
 
+/* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of
+ * a helper program for the ssh client. The helper program should be
+ * specified in the SSH_ASKPASS environment variable, and dbclient
+ * should be run with DISPLAY set and no tty. The program should
+ * return the password on standard output */
+/*#define ENABLE_CLI_ASKPASS_HELPER*/
+
 /* Random device to use - define either DROPBEAR_RANDOM_DEV or
  * DROPBEAR_PRNGD_SOCKET.
  * DROPBEAR_RANDOM_DEV is recommended on hosts with a good /dev/(u)random,
@@ -297,6 +304,8 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
 #define DROPBEAR_MAX_SOCKS 2 /* IPv4, IPv6 are all we'll get for now. Revisit
 								in a few years time.... */
 
+#define DROPBEAR_MAX_CLI_PASS 1024
+
 #ifndef ENABLE_X11FWD
 #define DISABLE_X11FWD
 #endif