ssh-askpass should be able to distinguish between a prompt for confirmation and a prompt for an actual passphrase

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Feb 25 14:46:41 EST 2011


On 02/24/2011 10:28 PM, Peter Stuge wrote:
> Jameson Rollins wrote:
>> I think Daniel's suggestion of using an environment variable to change
> >> the UI to one that just asks for a yes/no response (and doesn't grab the
>> keyboard) is definitely the way to go.
> 
> Absolute no go for me. Would be unacceptable for me to not be able to
> hit enter without first focusing on the prompt to agree.

there are a lot of negatives here, Peter, so i'm having a hard time
parsing what you mean.

I think you're saying "I want to be able to just hit enter without
having to focus on the prompt."  Is that right?

I think jamie's proposal is that it would take focus (like most new
windows do) but that it wouldn't "grab the keyboard" in the old X11
sense of a modal/global keyboard lock.  This kind of keyboard grab is
critical for actual passphrase entry (so that other clients sharing your
X11 session can't snoop on the keystrokes), but not for confirmation
prompts.

The problem with "grabbing the keyboard" for confirmation prompts is
that only one application in the entire session can do it at once.

So, for example, if you are using confirmation prompting
(ControlMaster=ask) for already-established connections to hosts a and
b, and you do:

 scp -3 a:foo b:bar

Then two prompts come up concurrently.  If they're both trying to grab
the keyboard, one of them (at least) must lose, which is considered a
"cancel" by every ssh-askpass implementation i've seen.  This causes the
scp connection to fail, even though there was no need for keyboard grab
in the first place.

	--dkg
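
The grab contention described in the message above, as an added example that is not part of the original post and is not OpenSSH or ssh-askpass code. It is a Python model only: a non-blocking lock stands in for the session-wide X11 keyboard grab, and the names KeyboardGrab, run_prompts and scp_3_succeeds are hypothetical.

```python
import threading

class KeyboardGrab:
    """Model of the session-wide keyboard grab: only one holder at a time."""
    def __init__(self):
        self._lock = threading.Lock()

    def try_grab(self):
        # Like a real grab attempt, this fails immediately if another client holds it.
        return self._lock.acquire(blocking=False)

    def release(self):
        self._lock.release()

def run_prompts(kinds, grab_confirmations):
    """Put all prompts on screen at once and return one result per prompt.

    kinds: list of "confirm" or "passphrase" (constructed sample input).
    grab_confirmations=True models an askpass that grabs for every prompt;
    False models the proposal: grab only for real passphrase entry.
    """
    grab = KeyboardGrab()
    on_screen = threading.Barrier(len(kinds))  # forces the prompts to overlap
    results = [None] * len(kinds)

    def prompt(i, kind):
        needs_grab = kind == "passphrase" or grab_confirmations
        held = grab.try_grab() if needs_grab else False
        on_screen.wait()  # every dialog is up before any grab is released
        # Losing the grab is reported to ssh as a cancel; otherwise the user answers.
        results[i] = "cancel" if needs_grab and not held else "ok"
        if held:
            grab.release()

    threads = [threading.Thread(target=prompt, args=(i, k))
               for i, k in enumerate(kinds)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results

def scp_3_succeeds(grab_confirmations):
    # scp -3 a:foo b:bar with ControlMaster=ask: one confirmation per host.
    return all(r == "ok"
               for r in run_prompts(["confirm", "confirm"], grab_confirmations))
```

With grab_confirmations=True exactly one of the two confirmations is cancelled and the copy fails; with False both are answered, while two concurrent passphrase prompts still contend for the grab.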
