Unable to use ssh-agent with confirmation, when logged in on a virtual terminal

Eldon Koyle ekoyle at gmail.com
Wed Nov 5 18:37:54 EST 2014


On  Nov 04 21:50+0100, Johannes Kastl wrote:
<snip>
> > DISPLAY=foo SSH_ASKPASS=/bin/true ssh-agent bash
> >> ssh-add -c /path/to/keyfile ssh machine
> 
> This works. So it really is the missing application.
> 
> > This time it should work (works here). Using /bin/true means that
> > it will always answer "yes", but enough to show it is working. You
> > should instead make a program using getpass(2) or maybe a shell
> > script that asks you.
> 
> I wonder why there is no such application delivered with openssh?
> Surely someone more capable than me has used this feature before?

I think perhaps you are misunderstanding the '-c' option of ssh-add.

The -c option is meant as an additional barrier to someone hijacking
your agent (i.e. if someone gains access as your user, they will be
unable to use your key if they don't also have access to your X
session).

> And, also: In the man page this whole SSH_ASKPASS/DISPLAY-thingy is
> described as a way for X11-users and if no terminal is associated.
> 
> But in my case, all of this should not be necessary, as I am running
> this from a terminal, and ssh just has to ask for the passphrase. As
> it might ask for the passphrase when adding it to ssh-agent or when
> ssh'ing without the agent.

<snip>

One purpose of the ssh agent is to avoid having to type in your
passphrase as often.  The fact that you added the key with '-c' means
you want the agent to ask you if it is okay to use this key, but
without an X session it doesn't know how to do that (it is not as
straightforward as it seems from a terminal; it can hang forever with a
prompt that was displayed who-knows-where).

-- 
Eldon Koyle
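As an added example (not code from this thread or from OpenSSH), here is a fail-closed SSH_ASKPASS helper for the ssh-add -c confirmation: ssh-agent runs the program with the prompt as its argument and treats exit status 0 as "allow", so unlike /bin/true this script denies whenever it cannot reach a terminal. The function name ask_on_tty and its second parameter (device to ask on, for testing) are my own assumptions.

```shell
#!/bin/sh
# Fail-closed SSH_ASKPASS helper for "ssh-add -c" confirmations.
# ssh-agent invokes $SSH_ASKPASS with the confirmation prompt as $1 and
# expects exit 0 = allow the key use, non-zero = deny. Because the agent
# usually has no controlling terminal, opening /dev/tty fails and the
# request is denied instead of silently approved (as /bin/true would do).

# ask_on_tty PROMPT [TTY]: ask on the given terminal device (default
# /dev/tty); returns 0 only on an explicit "yes"/"y", 1 otherwise.
ask_on_tty() {
    prompt=$1
    tty=${2:-/dev/tty}
    # No reachable terminal: deny rather than approve blindly.
    if [ ! -r "$tty" ] || [ ! -w "$tty" ]; then
        return 1
    fi
    # Append so a regular file used for testing is not truncated.
    printf '%s\nAllow this key use? [yes/NO] ' "$prompt" >> "$tty"
    IFS= read -r answer < "$tty" || return 1
    case $answer in
        yes|YES|y|Y) return 0 ;;
        *) return 1 ;;
    esac
}

# When invoked by ssh-agent (prompt supplied), run the check and exit
# with its status; with no arguments the functions are only defined.
if [ "$#" -gt 0 ]; then
    ask_on_tty "$1"
    exit $?
fi
```

Install it as e.g. SSH_ASKPASS=$HOME/bin/ssh-askpass-confirm before starting ssh-agent, then add the key with ssh-add -c.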


More information about the openssh-unix-dev mailing list