ssh-agent hides sk "confirm user presence" message

openssh at tr.id.au
Mon Oct 16 14:32:59 AEDT 2023


Hey Damien,

> Generally we prefer to use ssh-askpass for agent notifications. Are you able to use that?

Hmm, okay, but it's not clear to me how to make that work. Is what you have in mind documented somewhere? I don't see this specific situation covered in the manpages and a web search doesn't turn up much.

I thought ssh-askpass was only invoked when the key is first added to the agent. To be clear, my ed25519-sk key does add to the agent successfully with no presence required at that time. It is only later, when the client goes to use the key, that a presence challenge is issued.

If ssh-add issued an immediate challenge and then "cached" the user presence, I might see how ssh-askpass could get involved. And maybe that would even be preferable, if I only had to touch once at the start of a session and then not have to demonstrate user presence again until the key is removed. But that isn't the situation I'm describing. The situation is that no user presence is required when adding the key, but it is required later when ssh-askpass isn't involved (iiuc.)

Is there something I've overlooked or misunderstood?

~ Tim



More information about the openssh-unix-dev mailing list