ssh-askpass should be able to distinguish between a prompt for confirmation and a prompt for an actual passphrase

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Feb 25 16:54:19 EST 2011


On 02/24/2011 11:55 PM, Peter Stuge wrote:
> No. The new window will only get focus if it opened under the
> pointer.
 [...]
> fvwm2

OK, thanks, that's good to know.  Do you know if there's a way to get
X11 focus without doing a full keyboard grab?

> Afraid I don't have/use gnome-ssh-askpass2 (any more) because
> x11-ssh-askpass is significantly simpler, prettier and, last but not
> least, snappier.

Heh.  I use x11-ssh-askpass myself.  Attached is a patch to modify the
behavior of x11-ssh-askpass to do the same thing I'm describing here.

Would you mind trying that out (same approach as before) and seeing if
it lets you accept directly by hitting enter?

If that doesn't work for you, perhaps all that's needed is an
XSetInputFocus instead of an XGrabKeyboard for the confirmation_prompt
case?  I'd be happy to try that if you tell me this version doesn't work
for you.

> Sure, although I don't care about it for myself I agree it's stupid
> to ask for a password when that is not what is needed.
> 
> However on my system with x11-ssh-askpass, that's not what happens.
> I've added a private key using ssh-add -c. When ssh wants to use that
> key, x11-ssh-askpass prompts me with:
> 
> Allow use of key .../id_rsa?
> Key fingerprint 11:22:33:44..
> 
> [OK]  [Cancel]

It still shows you the "indicator" boxes, though, right?  And when you
type, they light up, in the same way that they light up when you're
entering a passphrase?

That's the equivalent of the "stars in a text box" for this askpass
implementation, AIUI.

 ...thinking and reading a bit more...

It seems that "XGrabKeyboard is not a security interface" (at least not
against X11 trusted clients, which can XQueryKeymap):

http://archive.cert.uni-stuttgart.de/bugtraq/2005/06/msg00002.html

So it's probably worth re-phrasing the keyboard grab as a protection
against inadvertent mistakes like accidentally typing your passphrase
into a backgrounded-but-focused web form when you thought you were
typing in the askpass box.  This is still more of an argument against
needing to grab the keyboard in these situations, though.


I'm curious what ideas you'd have for actually implementing askpass
serialization -- would it be something in the filesystem?  a
per-X11-session serializing daemon?  Something else?  These all seem
likely to introduce opportunities for other kinds of subtle failure.

As for the wait-longer-to-grab approach, I think there are some timing
conflicts between needing to make a window visible to even try to grab
the keyboard and how long you wait/try again.  Is there a way to
cleanly/simply wait for an XUngrabKeyboard() event?

	--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: support-SSH_ASKPASS_CONFIRMATION_ONLY.diff
Type: text/x-diff
Size: 5253 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20110225/dd6b92ee/attachment.bin>
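The distinction the thread is after, a confirmation prompt (ssh-add -c) versus a real passphrase prompt, and the answer convention ssh expects for each, as an added example; this is not the attached patch, nor code from OpenSSH or x11-ssh-askpass. It assumes the following, none of which is stated on this page: later OpenSSH releases (8.4 and newer, as far as I know) export SSH_ASKPASS_PROMPT=confirm for a confirmation and =none for a notification, whereas the 2011 patch above used its own SSH_ASKPASS_CONFIRMATION_ONLY signal; for a confirmation, ssh's ask_permission() treats an askpass that exits 0 with an empty answer (or "yes") as "allow" and anything else as "deny"; for a passphrase, whatever the helper writes to stdout is the passphrase. When no hint is present it falls back to matching the "Allow use of key ..." wording quoted by Peter, which is exactly the kind of brittle text matching an explicit signal is meant to replace. It drives a terminal rather than an X display, so it sidesteps the XGrabKeyboard question entirely; the reader functions are injected so the decision logic runs without a tty.

```python
#!/usr/bin/env python3
"""
Minimal SSH_ASKPASS helper that tells a confirmation prompt apart from a
passphrase prompt and answers each the way ssh expects.

Added example for this thread, not code from OpenSSH, x11-ssh-askpass or
the attached patch.  Assumptions (see lead-in): SSH_ASKPASS_PROMPT is the
hint newer OpenSSH sets ("confirm" / "none"); a confirmation is "allowed"
by exiting 0 with an empty answer and "denied" by exiting non-zero; the
"Allow use of key " wording is what ssh-agent uses, per the thread.
"""
import getpass
import os
import sys

CONFIRM_PREFIX = "Allow use of key "   # ssh-agent confirmation wording (thread)


def classify_prompt(env, prompt):
    """Return 'confirm', 'none' or 'passphrase' for the prompt ssh passed as argv[1]."""
    hint = env.get("SSH_ASKPASS_PROMPT")
    if hint in ("confirm", "none"):
        return hint
    # No hint (older OpenSSH): fall back to matching ssh-agent's wording.
    if prompt.startswith(CONFIRM_PREFIX):
        return "confirm"
    return "passphrase"


def answer_prompt(env, prompt, read_line, read_secret):
    """
    Decide what the helper writes to stdout and which exit status it uses.
    Returns (stdout_text, exit_status).  read_line/read_secret are injected
    so the logic can be exercised without a terminal or an X display.
    """
    kind = classify_prompt(env, prompt)
    if kind == "none":
        # Notification only (e.g. "touch your token"): nothing to answer.
        return "", 0
    if kind == "confirm":
        # Unmasked, no secret involved: a bare Enter (or "yes") allows,
        # anything else denies by exiting non-zero.
        reply = read_line(prompt + "\n[Enter] to allow, anything else to deny: ")
        if reply.strip().lower() in ("", "yes"):
            return "", 0
        return "", 1
    # Genuine secret: masked entry, echoed to stdout for ssh to read.
    return read_secret(prompt + " ") + "\n", 0


def main(argv=None):
    argv = sys.argv if argv is None else argv
    prompt = argv[1] if len(argv) > 1 else "Passphrase:"
    # Under ssh the helper's stdin is not usable; talk to the controlling tty.
    tty_in = open("/dev/tty")
    tty_out = open("/dev/tty", "w")

    def read_line(text):
        tty_out.write(text)
        tty_out.flush()
        return tty_in.readline()

    def read_secret(text):
        return getpass.getpass(text, stream=tty_out)

    out, status = answer_prompt(os.environ, prompt, read_line, read_secret)
    sys.stdout.write(out)
    sys.stdout.flush()
    return status


if __name__ == "__main__":
    sys.exit(main())
```

Because this helper talks to /dev/tty, the practical way to exercise it is with a newer OpenSSH's SSH_ASKPASS_REQUIRE=force (an assumption about 8.4 and later, not something the thread covers), e.g. `SSH_ASKPASS=/path/to/askpass.py SSH_ASKPASS_REQUIRE=force ssh-add -c ~/.ssh/id_rsa`; older ssh only runs the askpass program when it has no tty of its own, and a real helper for that case opens an X display, which is where the grab-versus-focus question in the thread comes in.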