ssh-askpass should be able to distinguish between a prompt for confirmation and a prompt for an actual passphrase

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Feb 25 15:41:00 EST 2011


On 02/24/2011 11:11 PM, Peter Stuge wrote:
> Strictly focus follows mouse here on my desktop, with the exception
> of x11-ssh-askpass.

I use focus-follows-mouse as well (or, technically, "sloppy focus" if the
Wikipedia article [0] vocab is correct).  But when new windows open
(e.g. if I type "xterm" from a running xterm), the new window gets
focus, even though the pointer hasn't moved.

Is this not the case for you?  If so, what window manager/desktop
environment do you use?  I'm using openbox, fwiw.

>> but that it wouldn't "grab the keyboard"
> 
> I'm not sure that this works the way I would like. (For me.)

Could you try applying the patch here for gnome-ssh-askpass2.c:

 https://bugzilla.mindrot.org/attachment.cgi?id=2003

and then launch it from a terminal emulator with:

 env SSH_ASKPASS_CONFIRMATION_ONLY=true gnome-ssh-askpass2 'test test'

Does that cause the problem you're expecting to see?


>> Then two prompts come up concurrently.  If they're both trying to grab
>> the keyboard, one of them (at least) must lose, which is considered a
>> "cancel" by every ssh-askpass implementation I've seen.
> 
> Is the solution to proxy askpass invocations through a serializer?

Hm, that might be one approach.  Another approach could be to change
ssh-askpass behavior to wait patiently for its turn to grab the X
keyboard, instead of failing after four seconds of trying to grab.

Neither of these seems ideal to me, though, and neither of them addresses
the confusion that arises from prompting for a password when all that is
really needed is a yes/no confirmation.

Do you agree at least that it would be good for ssh-askpass to know that
a given prompt is a confirmation prompt instead of an actual password
prompt?  Does the SSH_ASKPASS_CONFIRMATION_ONLY environment variable
seem reasonable as a mechanism to signal that?

We can decouple decisions about specific ssh-askpass behavior from the
question of the signalling approach.

	--dkg

[0] https://secure.wikimedia.org/wikipedia/en/wiki/Focus_(computing)
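
The signalling and the serializer idea discussed in the message above, sketched as an added example that is not part of the original post, the linked patch, or OpenSSH: a wrapper that waits its turn on a lock and shows a yes/no dialog when SSH_ASKPASS_CONFIRMATION_ONLY is set. Assumptions: `zenity` and `flock` are installed, any non-empty value of the variable means "confirmation", and the install name `askpass-wrapper` and the lock path are hypothetical.

```shell
#!/bin/sh
# Added example (not OpenSSH code): askpass wrapper that serializes prompts and
# shows a yes/no dialog when SSH_ASKPASS_CONFIRMATION_ONLY is set.

# Assumption: per-user lock file; XDG_RUNTIME_DIR is normally private to the user.
LOCK="${XDG_RUNTIME_DIR:-$HOME}/askpass-wrapper.lock"

# Classify the prompt. Assumption: any non-empty value means "confirmation".
askpass_mode() {
    if [ -n "${SSH_ASKPASS_CONFIRMATION_ONLY:-}" ]; then
        echo confirm
    else
        echo passphrase
    fi
}

# Yes/no dialog: there is no text field to type a passphrase into;
# the answer is carried by the exit status (0 = yes).
confirm_dialog() {
    zenity --question --title='SSH key use' --text="$1"
}

# Hidden-entry dialog: the passphrase is written to stdout for the caller.
passphrase_dialog() {
    zenity --entry --hide-text --title='SSH passphrase' --text="$1"
}

# Show exactly one prompt of the right kind.
prompt_once() {
    if [ "$(askpass_mode)" = confirm ]; then
        confirm_dialog "$1" >/dev/null   # a confirmation never emits text
    else
        passphrase_dialog "$1"
    fi
}

# Block until no other prompt holds the lock, rather than timing out and
# having the lost race treated as a "cancel".
serialized() {
    ( flock 9 || exit 1; "$@" ) 9>"$LOCK"
}

main() {
    serialized prompt_once "${1:-Enter passphrase:}"
}

# Run only when installed under the hypothetical name "askpass-wrapper".
if [ "${0##*/}" = askpass-wrapper ]; then
    main "$@"
fi
```
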
