help wanted: update ssh-askpass programs for new U2F / prompt hints

Jakub Jelen jjelen at redhat.com
Mon Nov 18 20:49:36 AEDT 2019


On Mon, 2019-11-18 at 16:19 +1100, Damien Miller wrote:
> Hi,
> 
> When we added U2F support, we also extended the interface used by ssh
> and ssh-agent to invoke the $SSH_ASKPASS program.
> 
> Originally, the askpass prompt was used to obtain passphrases for ssh in
> cases where it was not possible to read them from the terminal. Later
> it was (ab)used for showing confirmation prompts for each use of any
> key that was added to the agent using "ssh-add -c".
> 
> For U2F, we now want to show the user a reminder to touch their security
> key (and kill the reminder as soon as they do). So the existing text
> box with okay/cancel buttons used by the usual askpass dialogs wasn't a
> great fit. This was the motivation for extending the interface.
> 
> Now, ssh/ssh-agent may set an additional environment variable when
> running the askpass program: $SSH_ASKPASS_PROMPT. If the value is not
> set, then we want the original passphrase prompt. If the environment
> variable is set to "confirm", then this is a hint to display a dialog
> for key confirmation (i.e. "ssh-add -c"). The U2F case is supported by
> SSH_ASKPASS_PROMPT=none - which hints to the askpass program to just
> show a message w/ optional dismiss/close button.
> 
> I've implemented this for the GTK+/GNOME askpass implementation
> we ship in portable OpenSSH's contrib directory:
> https://github.com/openssh/openssh-portable/commit/b497e92
> 
> For SSH_ASKPASS_PROMPT=confirm, the gnome-ssh-askpass program will now
> only show yes/no buttons (instead of the prior textbox + ok/cancel). For
> SSH_ASKPASS_PROMPT=none, it will show just the title and a close button.
> 
> I'd like help implementing the equivalent feature for the other askpass
> implementations that people use. This includes (especially) Jim Knoble's
> classic x11-ssh-askpass (Jim's site seems to have fallen off the net
> though), the Qt implementation and any others that you might know about.

Thanks for the heads up.

I created issues for the gnome components that implement something like
the ssh-askpass interface and that I know about:

https://gitlab.gnome.org/GNOME/seahorse/issues/248
https://gitlab.gnome.org/GNOME/gcr/issues/33

If I have some time, I will check further what needs to be done
and whether these are directly used by ssh-agent or other programs.

Regards,
-- 
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.
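For anyone picking up one of the other askpass implementations, the following is an added example (not OpenSSH, gnome-ssh-askpass or any of the projects named above) of the dispatch logic the new interface asks for: a text-mode askpass that reads the prompt from argv[1] and the $SSH_ASKPASS_PROMPT hint from the environment and selects the passphrase, confirm or none dialog accordingly. The dialog contents follow Damien's description; the exit-status convention (exit 0 with the passphrase on stdout for success, non-zero for cancel, and exit status alone for a confirm dialog) and the choice to treat an unrecognised hint as the classic passphrase prompt are my assumptions, not something the mail specifies.

```python
#!/usr/bin/env python3
"""Text-mode sketch of an ssh-askpass program that honours SSH_ASKPASS_PROMPT.

Added example, not OpenSSH or gnome-ssh-askpass code. ssh/ssh-agent run
$SSH_ASKPASS with the prompt text in argv[1]; the three cases below follow
the hints described in the mail:
  unset     -> classic passphrase dialog (masked text entry + OK/Cancel)
  "confirm" -> yes/no dialog for keys added with "ssh-add -c"
  "none"    -> message plus a close button; ssh kills the reminder itself
               once the security key has been touched
"""
import getpass
import os
import signal
import sys
from dataclasses import dataclass
from typing import List, Mapping, Tuple

PASSPHRASE, CONFIRM, NONE = "passphrase", "confirm", "none"


@dataclass(frozen=True)
class Dialog:
    mode: str
    message: str
    buttons: List[str]
    text_entry: bool      # show a masked entry field
    expect_signal: bool   # caller is expected to SIGTERM us when done


def classify_prompt(env: Mapping[str, str]) -> str:
    """Map SSH_ASKPASS_PROMPT to a dialog mode. Unset or empty keeps the
    original passphrase behaviour. Treating an unknown value the same way is
    an assumption (a safe default): a hint from a newer ssh must never leave
    the user without a way to type a secret."""
    value = env.get("SSH_ASKPASS_PROMPT", "")
    return value if value in (CONFIRM, NONE) else PASSPHRASE


def build_dialog(message: str, env: Mapping[str, str]) -> Dialog:
    mode = classify_prompt(env)
    if mode == CONFIRM:
        return Dialog(mode, message, ["Yes", "No"], text_entry=False, expect_signal=False)
    if mode == NONE:
        return Dialog(mode, message, ["Close"], text_entry=False, expect_signal=True)
    return Dialog(mode, message, ["OK", "Cancel"], text_entry=True, expect_signal=False)


def answer(dialog: Dialog, button: str, entered: str = "") -> Tuple[str, int]:
    """Translate the user's click into (stdout text, exit status).
    Assumed convention: exit 0 on success with the passphrase (if any) on
    stdout, non-zero when the user cancels; a confirm dialog answers with
    the exit status alone."""
    if dialog.mode == PASSPHRASE:
        return (entered + "\n", 0) if button == "OK" else ("", 1)
    if dialog.mode == CONFIRM:
        return ("", 0) if button == "Yes" else ("", 1)
    # "none": nothing to report, and being dismissed is not a failure.
    return ("", 0)


def main(argv: List[str] = None, env: Mapping[str, str] = None) -> int:
    argv = sys.argv[1:] if argv is None else argv
    env = os.environ if env is None else env
    dialog = build_dialog(argv[0] if argv else "Enter passphrase:", env)
    if dialog.expect_signal:
        # ssh terminates the reminder as soon as the key is touched: exit cleanly.
        signal.signal(signal.SIGTERM, lambda *_: sys.exit(0))
    print(f"[{dialog.mode}] {dialog.message}", file=sys.stderr)
    print("buttons: " + " / ".join(dialog.buttons), file=sys.stderr)
    if dialog.mode == NONE:
        # Block until dismissed (Enter/EOF) or terminated by ssh.
        sys.stdin.readline()
        out, status = answer(dialog, "Close")
    elif dialog.mode == CONFIRM:
        reply = sys.stdin.readline().strip().lower()
        out, status = answer(dialog, "Yes" if reply in ("y", "yes") else "No")
    else:
        try:
            secret, button = getpass.getpass(""), "OK"
        except (EOFError, KeyboardInterrupt):
            secret, button = "", "Cancel"
        out, status = answer(dialog, button, secret)
    sys.stdout.write(out)
    sys.stdout.flush()
    return status


if __name__ == "__main__":
    sys.exit(main())
```

The point of keeping `classify_prompt` and `answer` as pure functions is that a GUI port only has to replace `main`: the mapping from hint to widget set, and from button to exit status, can be unit-tested without a display, and the "none" path makes explicit that the program must tolerate being killed rather than treating SIGTERM as an error.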
