ssh-agent hides sk "confirm user presence" message

Christian Weisgerber naddy at mips.inka.de
Tue Oct 17 00:55:59 AEDT 2023


openssh at tr.id.au:

> Hmm, okay, but it's not clear to me how to make that work.

You only need to have ssh-askpass installed.  It will be automatically
invoked by ssh-agent.

> I thought ssh-askpass was only invoked when the key is first added to the agent.

No, ssh-askpass is called every time ssh-agent needs some user
interaction.  For instance, you can use "ssh-add -c" to load a key
that requires confirmation for each use.  Each time you authenticate
with that key, ssh-askpass will pop up and require a key press.

> If ssh-add issued an immediate challenge and then "cached" the user presence, I might see how ssh-askpass could get involved. And maybe that would even be preferable, if I only had to touch once at the start of a session and then not have to demonstrate user presence again until the key is removed.

Well, that's not how "user presence" is understood as a security
concept.  User presence is required at the time of authentication.
Note that user presence is part of the FIDO/U2F specification and
is included in the signature generated by the FIDO/U2F hardware and
verified by the remote sshd.  ssh-agent cannot fake this.

-- 
Christian "naddy" Weisgerber                          naddy at mips.inka.de
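The reply above makes the point that the user-presence bit is signed by the token and checked by sshd, so ssh-agent cannot fake it. The following Python is an added illustration (not code from the thread or from OpenSSH) of what that means on the wire: it serialises and parses the signature blob an sk key returns (string algorithm, string raw signature, one flags byte, uint32 counter, as documented in OpenSSH's PROTOCOL.u2f), reconstructs the message the token actually signed (SHA-256 of the application string, the flags byte, the counter, SHA-256 of the SSH data), and checks the user-presence flag the way a verifier would unless the key is marked `no-touch-required`. The application string `ssh:`, the 64-byte signature body and the counter value are constructed sample values; the final Ed25519 check over the reconstructed message is left out, only the message is rebuilt.

```python
import hashlib
import struct

# Flag bits carried in the sk signature (names follow OpenSSH's sk-api.h).
SSH_SK_USER_PRESENCE_REQD = 0x01      # token was touched when it signed ("UP")
SSH_SK_USER_VERIFICATION_REQD = 0x04  # PIN/biometric was also verified ("UV")


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def build_sk_signature(algo: bytes, raw_sig: bytes, flags: int, counter: int) -> bytes:
    """Serialise a signature blob in the layout ssh-agent returns for an sk key."""
    return ssh_string(algo) + ssh_string(raw_sig) + bytes([flags]) + struct.pack(">I", counter)


def parse_sk_signature(blob: bytes) -> dict:
    """Split an sk signature blob into its fields; reject truncated or padded input."""
    off = 0

    def take_string() -> bytes:
        nonlocal off
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack_from(">I", blob, off)
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated string body")
        s = blob[off:off + n]
        off += n
        return s

    algo = take_string()
    raw_sig = take_string()
    if len(blob) - off != 5:  # exactly one flags byte and one uint32 counter must remain
        raise ValueError("bad trailer length")
    flags = blob[off]
    (counter,) = struct.unpack_from(">I", blob, off + 1)
    return {"algo": algo, "sig": raw_sig, "flags": flags, "counter": counter}


def signed_message(application: bytes, flags: int, counter: int, data: bytes) -> bytes:
    """Rebuild the bytes the token signed. Because flags and counter are inside this
    message, changing the UP bit after the fact invalidates the signature."""
    return (hashlib.sha256(application).digest()
            + bytes([flags])
            + struct.pack(">I", counter)
            + hashlib.sha256(data).digest())


def user_presence_asserted(blob: bytes, touch_required: bool = True) -> bool:
    """Verifier-side policy: unless the key is marked no-touch-required, the
    signature must carry the user-presence bit or authentication is refused."""
    fields = parse_sk_signature(blob)
    if not touch_required:
        return True
    return bool(fields["flags"] & SSH_SK_USER_PRESENCE_REQD)


if __name__ == "__main__":
    # Constructed sample: a touched token, counter 7, opaque 64-byte Ed25519 signature body.
    sample = build_sk_signature(b"sk-ssh-ed25519@openssh.com", b"\x11" * 64,
                                SSH_SK_USER_PRESENCE_REQD, 7)
    fields = parse_sk_signature(sample)
    print("flags=0x%02x counter=%d UP=%s" % (fields["flags"], fields["counter"],
                                             user_presence_asserted(sample)))
    print("signed message length:", len(signed_message(b"ssh:", fields["flags"],
                                                       fields["counter"], b"session-data")))
```

The flags byte sits between the two hashes in the signed message, which is why a signature produced without a touch cannot be "upgraded" by the agent: the host-side verifier recomputes that message from the flags it was given and the signature only verifies if they match what the token saw.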

