help wanted: update ssh-askpass programs for new U2F / prompt hints

Jim Knoble jmknoble at pobox.com
Wed Nov 20 14:30:38 AEDT 2019


My website has fallen off the web. This is a good time for someone else to take over the code for x11-ssh-askpass, as I've not done anything with it for years. I have the original code somewhere if needed, but I think Debian has mirrored it for some time.

-- 
jim knoble


> On Nov 18, 2019, at 01:49, Jakub Jelen <jjelen at redhat.com> wrote:
> 
>> On Mon, 2019-11-18 at 16:19 +1100, Damien Miller wrote:
>> Hi,
>> 
>> When we added U2F support, we also extended the interface used by ssh
>> and ssh-agent to invoke the $SSH_ASKPASS program.
>> 
>> Originally, the askpass prompt was used to obtain passphrases for ssh in
>> cases where it was not possible to read them from the terminal. Later
>> it was (ab)used for showing confirmation prompts for each use of any
>> key that was added to the agent using "ssh-add -c".
>> 
>> For U2F, we now want to show the user a reminder to touch their security
>> key (and kill the reminder as soon as they do). So the existing text
>> box with okay/cancel buttons used by the usual askpass dialogs wasn't a
>> great fit. This was the motivation for extending the interface.
>> 
>> Now, ssh/ssh-agent may set an additional environment variable when
>> running the askpass program: $SSH_ASKPASS_PROMPT. If the value is not
>> set, then we want the original passphrase prompt. If the environment
>> variable is set to "confirm", then this is a hint to display a dialog
>> for key confirmation (i.e. "ssh-add -c"). The U2F case is supported by
>> SSH_ASKPASS_PROMPT=none - which hints to the askpass program to just
>> show a message w/ optional dismiss/close button.
>> 
>> I've implemented this for the GTK+/GNOME askpass implementation
>> we ship in portable OpenSSH's contrib directory:
>> https://github.com/openssh/openssh-portable/commit/b497e92
>> 
>> For SSH_ASKPASS_PROMPT=confirm, the gnome-ssh-askpass program will now
>> only show yes/no buttons (instead of the prior textbox + ok/cancel). For
>> SSH_ASKPASS_PROMPT=none, it will show just the title and a close
>> button.
>> 
>> I'd like help implementing the equivalent feature for the other askpass
>> implementations that people use. This includes (especially) Jim Knoble's
>> classic x11-ssh-askpass (Jim's site seems to have fallen off the net
>> though), the Qt implementation and any others that you might know
>> about.
> 
> Thanks for the heads up.
> 
> I created issues for the gnome components that implement something like
> the ssh-askpass interface and that I know about:
> 
> https://gitlab.gnome.org/GNOME/seahorse/issues/248
> https://gitlab.gnome.org/GNOME/gcr/issues/33
> 
> If I have some time, I will check further what needs to be done
> and whether these are directly used by ssh-agent or other programs.
> 
> Regards,
> -- 
> Jakub Jelen
> Senior Software Engineer
> Security Technologies
> Red Hat, Inc.
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
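
A minimal askpass that honours the SSH_ASKPASS_PROMPT hint described in the quoted message above, as an added example that is not part of the original thread and is not code from OpenSSH or any of the askpass projects named. It assumes the usual askpass convention (prompt text in argv[1], passphrase written to stdout, non-zero exit status for cancel or refusal); the tkinter dialogs, the function names, the fallback prompt text and the choice to treat unknown hint values as a passphrase prompt are assumptions of this example.

```python
import os
import sys


def prompt_mode(env):
    """Map the hint to a dialog type; unset or unknown means passphrase entry."""
    hint = env.get("SSH_ASKPASS_PROMPT", "")
    return hint if hint in ("confirm", "none") else "entry"


class TkUI:
    """tkinter dialogs, imported lazily so handle() can be tested headless."""
    def __init__(self):
        import tkinter
        from tkinter import messagebox, simpledialog
        self.root = tkinter.Tk()
        self.root.withdraw()            # no empty main window, dialogs only
        self.mb, self.sd = messagebox, simpledialog

    def ask_secret(self, text):
        return self.sd.askstring("OpenSSH", text, show="*", parent=self.root)

    def ask_yes_no(self, text):
        return self.mb.askyesno("OpenSSH", text, parent=self.root)

    def show_notice(self, text):
        self.mb.showinfo("OpenSSH", text, parent=self.root)


def handle(prompt, env, ui):
    """Return (exit_status, stdout_text) for one askpass invocation."""
    mode = prompt_mode(env)
    if mode == "none":
        ui.show_notice(prompt)          # touch reminder only: never emit a secret
        return 0, ""
    if mode == "confirm":
        # Fail closed: anything but an explicit "yes" refuses the key use.
        return (0, "") if ui.ask_yes_no(prompt) is True else (1, "")
    secret = ui.ask_secret(prompt)
    if secret is None:                  # dialog cancelled
        return 1, ""
    return 0, secret + "\n"


if __name__ == "__main__":
    # Fallback prompt text is constructed for this example.
    text = sys.argv[1] if len(sys.argv) > 1 else "Enter passphrase:"
    status, out = handle(text, os.environ, TkUI())
    sys.stdout.write(out)
    sys.exit(status)
```

In "none" mode the dialog blocks until it is closed or, as the quoted message describes, the caller kills the reminder once the key is touched.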


