[Bug 3687] Leverage publickey-hostbound-v00 on non-constrained keys for better confirmation prompts

bugzilla-daemon at mindrot.org
Fri May 3 15:01:01 AEST 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3687

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Yes, that could work but there are some corner cases around certificate
keys and the certificate->plain fallback behaviour in ssh.

My current thinking is that the notification logic in this area is
already a bit over-complicated for ssh-agent, which is supposed to be
as small and simple as possible. I think I'd prefer to delegate as much
notification, confirmation, prompting, etc. to an optional external
service that ssh-agent can invoke via a unix domain socket.

That service could receive the entire host binding path (if present),
the type of signature, the destination username, hostkey of the
destination host (if available), details of the public key being used,
etc. and could present this in a much more rich and potentially usable
form than ssh-askpass can.
