Sending envvars via ssh agent protocol

Richard Hansen rhansen at
Sat Sep 11 08:04:23 AEST 2021

On 2021-01-25T22:42:36+01:00, Werner Koch wrote:
> Hi!
> There are quite some folks out there who use GnuPG's implementation of
> the ssh-agent which we implemented about 15 years ago.  It nicely fits
> into the OpenPGP framework and we even have support for several
> smartcards and tokens.  In fact the standard OpenPGP card is by default
> created with an authentication key to be used with ssh.
>
> So far, so good.  There is one annoying thing which we can only properly
> solve by adding code to ssh.  The problem is that if you switch between
> different X-servers or ttys, gpg-agent does not know where to popup the
> passphrase or PIN entry dialog.  For example I am either working on
> laptop directly or using an X server to work on that laptop.  So when
> switching between these devices I am meanwhile very accustomed to run
> the command "gpg-connect-agent updatestartuptty /bye" to tell gpg-agent
> the default tty or display it shall use by default.  With gpg etc the
> default is not used because gpg tells gpg-agent via its own IPC a number
> of envvar values.

Doesn't ssh-agent have this same problem with confirmation-constrained keys (`ssh-add -c`)? How does the ssh-askpass process invoked by ssh-agent present the confirmation prompt on the correct tty or display?


> It would be very cool to get rid of this and so I hacked gpg-agent and
> openssh to convey the required envvars via the ssh agent protocols
> (according to draft-miller-ssh-agent-04 which is expired, but who
> cares).
>
> The new extension mechanism from this protocol is used; the details
> should be easily available from the attached patch.  However, I can
> describe them in another post.
>
> The visible change in ssh is a new option:
>
>    AgentEnv
>      Specifies what variables from the local environ(7) should be sent to
>      a running ssh-agent(1).  The agent may use these environment
>      variables at its own discretion.  Note that patterns for the
>      variable names are not supported.  To empty the list of previously
>      set AgentEnv variable names the special name "-" may be used.  To
>      ignore all further set names use the special name "#".  To ask the
>      agent for a list of names to send use "auto" as the first and only
>      item.
>      The default is not to send any environment variables to the agent.
>
> The rationale for the "-" thingy is to allow a config file to override
> what for example the command line has already set.  The "#" can be used
> to disable a globally set option from the commandline or ~/.ssh/config.
>
> On a GnuPG system you would usually have
>
>    AgentEnv auto
>
> in ssh_config.  "auto" reads the envvars known by GnuPG and sends their
> values back.  This is easier than to list them as arguments to AgentEnv.
> GnuPG from Git is required but if things go smoothly we may even
> backport this to the stable GnuPG 2.2 version.
>
> I have not implemented that feature yet for ssh-add and ssh-keygen
> because both don't parse ssh_config and thus this needs more thinking.
> Anyway for everyday use it is enough to have this in ssh.
>
> Please let me know whether this patch (against yesterday's Git) might be
> acceptable to be included into the portable or upstream OpenSSH version.
> Comments on the code are also appreciated.  I merely followed the
> existing style.  I noticed that there are some ways to improve it but
> that might be more intrusive than this change.
>
> Salam-Shalom,
>     Werner

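As an added illustration (not code from the thread, Werner's patch, or OpenSSH), the following Python models the two mechanisms the quoted message describes: the AgentEnv option semantics ("-" empties the accumulated list, "#" ignores every name set afterwards, "auto" as the only item defers to a list supplied by the agent) and the framing of the resulting name/value pairs in an SSH_AGENTC_EXTENSION message as defined by draft-miller-ssh-agent. The message number 27 comes from that draft; the extension type name `envvars@example.invalid` and the name/value pair layout inside the extension contents are placeholders, since the post does not state what GnuPG's patch uses. The agent side only keeps names from an allow-list, which is the natural way to honour "the agent may use these environment variables at its own discretion".

```python
import re
import struct

# Message number from draft-miller-ssh-agent (the draft the post cites).
SSH_AGENTC_EXTENSION = 27

# Placeholder extension type; the real name used by the GnuPG patch is not on the page.
ENV_EXTENSION_NAME = "envvars@example.invalid"

# Constructed sample environment standing in for os.environ.
SAMPLE_ENVIRON = {"GPG_TTY": "/dev/pts/3", "DISPLAY": ":0", "HOME": "/home/alice"}

_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def resolve_agent_env(directives, agent_names=None):
    """Fold AgentEnv directives (token lists, in the order ssh processes them:
    command line, then ~/.ssh/config, then the system ssh_config) into the final
    list of variable names, applying the "-", "#" and "auto" rules from the post.
    agent_names: the list the agent would return for "auto" (assumed to extend,
    not replace, names already collected)."""
    names = []
    frozen = False
    for tokens in directives:
        if frozen:                     # "#" was seen earlier: ignore further names
            break
        if tokens == ["auto"]:         # "auto" as the first and only item
            for n in agent_names or []:
                if n not in names:
                    names.append(n)
            continue
        for tok in tokens:
            if tok == "-":             # empty the previously set list
                names = []
            elif tok == "#":           # stop accepting names from here on
                frozen = True
                break
            elif tok not in names:
                names.append(tok)
    return names


def collect_env(names, environ):
    """Pick the requested variables that actually exist in the environment."""
    return {n: environ[n] for n in names if n in environ}


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise ValueError("truncated length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def build_env_extension(env, ext_name=ENV_EXTENSION_NAME) -> bytes:
    """Client side: wrap name/value pairs in an SSH_AGENTC_EXTENSION request.
    Outer layout per the draft: byte type, string extension-name, opaque contents;
    the contents (alternating string name, string value) are this example's choice."""
    contents = b"".join(ssh_string(k.encode()) + ssh_string(v.encode()) for k, v in env.items())
    body = bytes([SSH_AGENTC_EXTENSION]) + ssh_string(ext_name.encode()) + contents
    return ssh_string(body)            # every agent message is itself length-prefixed


def parse_env_extension(msg: bytes, allowed, ext_name=ENV_EXTENSION_NAME):
    """Agent side: decode the request and keep only well-formed, allow-listed names.
    Anything the client sends is untrusted input, so unknown names are dropped."""
    body, end = read_ssh_string(msg, 0)
    if end != len(msg):
        raise ValueError("trailing bytes after message")
    if not body or body[0] != SSH_AGENTC_EXTENSION:
        raise ValueError("not an extension request")
    name, off = read_ssh_string(body, 1)
    if name.decode("ascii", "replace") != ext_name:
        raise ValueError("unknown extension type")
    env = {}
    while off < len(body):
        k, off = read_ssh_string(body, off)
        v, off = read_ssh_string(body, off)
        key = k.decode("ascii", "replace")
        if key in allowed and _NAME_RE.fullmatch(key) and b"\x00" not in v:
            env[key] = v.decode("utf-8", "replace")
    return env


if __name__ == "__main__":
    names = resolve_agent_env([["auto"]], agent_names=["GPG_TTY", "DISPLAY"])
    request = build_env_extension(collect_env(names, SAMPLE_ENVIRON))
    print(request.hex())
    print(parse_env_extension(request, allowed=frozenset({"GPG_TTY", "DISPLAY"})))
```

The order of the directives matters: a "-" in ~/.ssh/config wipes what the command line collected, and a "#" on the command line shields against names added by any later config file, which is exactly the override behaviour the post gives as the rationale for the two special names.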