help wanted: update ssh-askpass programs for new U2F / prompt hints

Damien Miller djm at
Mon Nov 18 16:19:42 AEDT 2019


When we added U2F support, we also extended the interface used by ssh
and ssh-agent to invoke the $SSH_ASKPASS program.

Originally, the askpass prompt was used to obtain passphrases for ssh in
cases where it was not possible to read them from the terminal. Later
it was (ab)used for showing confirmation prompts for each use of any
key that was added to the agent using "ssh-add -c".

For U2F, we now want to show the user a reminder to touch their security
key (and kill the reminder as soon as they do). So the existing text
box with okay/cancel buttons used by the usual askpass dialogs wasn't a
great fit. This was the motivation for extending the interface.

Now, ssh/ssh-agent may set an additional environment variable when
running the askpass program: $SSH_ASKPASS_PROMPT. If the value is not
set, then we want the original passphrase prompt. If the environment
variable is set to "confirm", then this is a hint to display a dialog
for key confirmation (i.e. "ssh-add -c"). The U2F case is supported by
SSH_ASKPASS_PROMPT=none - which hints to the askpass program to just
show a message w/ optional dismiss/close button.

I've implemented this for the GTK+/GNOME askpass implementation
we ship in portable OpenSSH's contrib directory:

For SSH_ASKPASS_PROMPT=confirm, the gnome-ssh-askpass program will now
only show yes/no buttons (instead of the prior textbox + ok/cancel). For
SSH_ASKPASS_PROMPT=none, it will show just the title and a close button.
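A minimal shell askpass wrapper that dispatches on the three SSH_ASKPASS_PROMPT cases above, added here as an example (it is not gnome-ssh-askpass or any other OpenSSH code). It assumes zenity is available for the dialogs, and treats an unrecognised hint value as the original passphrase prompt, which is an assumption, not something the post specifies.

```shell
#!/bin/sh
# Minimal SSH_ASKPASS dispatcher (added example, not OpenSSH's own code).
# Dialogs are drawn with zenity (assumed installed); the prompt text ssh
# or ssh-agent wants shown arrives as the first argument.

# Map the SSH_ASKPASS_PROMPT hint to a dialog mode.
# Unset/empty  -> passphrase entry (the original behaviour)
# "confirm"    -> yes/no dialog for "ssh-add -c" key confirmation
# "none"       -> message with a close button (U2F touch reminder)
# Anything else falls back to the passphrase dialog (assumption).
askpass_mode() {
    case "${1-}" in
        "")      echo passphrase ;;
        confirm) echo confirm ;;
        none)    echo notify ;;
        *)       echo passphrase ;;
    esac
}

main() {
    prompt="${1:-ssh-askpass}"
    case "$(askpass_mode "${SSH_ASKPASS_PROMPT-}")" in
        passphrase)
            # Passphrase is written to stdout; cancelling the dialog makes
            # zenity exit non-zero, which ssh treats as no passphrase given.
            zenity --entry --hide-text --title "OpenSSH" --text "$prompt"
            ;;
        confirm)
            # Yes/No only, no text box. zenity --question exits 0 on "Yes",
            # and ssh-agent allows the key use only on exit status 0.
            zenity --question --title "OpenSSH" --text "$prompt"
            ;;
        notify)
            # Title plus a single close button. ssh terminates this process
            # once the security key is touched, so nothing else is waited on.
            zenity --info --title "OpenSSH" --text "$prompt" --ok-label "Close"
            ;;
    esac
}

# Only show a dialog when installed under an askpass-style name
# (e.g. ~/bin/zenity-ssh-askpass); sourcing the file just defines functions.
case "${0##*/}" in
    *askpass*) main "$@" ;;
esac
```

Point SSH_ASKPASS at the installed script (and, for ssh, have no controlling tty or set SSH_ASKPASS_REQUIRE as your OpenSSH version supports) to exercise each mode.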

I'd like help implementing the equivalent feature for the other askpass
implementations that people use. This includes (especially) Jim Knoble's
classic x11-ssh-askpass (Jim's site seems to have fallen off the net
though), the Qt implementation and any others that you might know about.


More information about the openssh-unix-dev mailing list