Re: Unable to use ssh-agent with confirmation, when logged in on a virtual terminal

On 03/11/14 20:14, Johannes Kastl wrote:
> Good evening,
>
> sorry if this is the wrong list, I found none that seemed to fit better.

It's the right list.

> I am trying to get ssh-add with the -c option to work. But I always
> get this error:
> Agent admitted failure to sign using the key.
> But to start from the beginning.
>
> #################################
>
> On my linux machines (e.g. laptops, ...) I can login without an X
> session started/used. (...)
> (and instead of asking for confirmation, agent requests fail)
>
> So, I'm puzzled. And I do not know how to debug this. Or where to
> start. Or if I understood something completely wrong about the -c option.
>
> Any hints, tips, tricks are highly appreciated. If you need more
> information, please don't hesitate to ask.
>
> Thanks in advance.


The reason is hidden inside ssh-add(1):
-c Indicates that added identities should be subject to confirmation before being used for authentication. Confirmation is performed by the SSH_ASKPASS program mentioned below. Successful confirmation is signaled by a zero exit status from the SSH_ASKPASS program, rather than text entered into the requester.

DISPLAY and SSH_ASKPASS
If ssh-add needs a passphrase, it will read the passphrase from the current terminal if it was run from a terminal. If ssh-add does not have a terminal associated with it but DISPLAY and SSH_ASKPASS are set, it will execute the program specified by SSH_ASKPASS and open an X11 window to read the passphrase. This is particularly useful when calling ssh-add from a .xsession or related script. (Note that on some machines it may be necessary to redirect the input from /dev/null to make this work.)


The man page mixes the request for the key passphrase and the confirmation prompt, and it can be hard to notice, but ssh-agent is calling the X program defined by the SSH_ASKPASS variable (defaulting to ssh-askpass). As you are using a virtual terminal, you don't have an X11 connection where you could be prompted, and thus the agent automatically rejects the signing. (confirm_key → ask_permission → read_passphrase(, RP_USE_ASKPASS) [ssh-agent.c:202, readpass.c:180,144])

What you can do is to set SSH_ASKPASS to a CLI program that requests the confirmation, and you will also need to set DISPLAY to some dummy value, since $SSH_ASKPASS won't even be called if the DISPLAY variable is not set.

Another solution would be to change openssh to fall back to getpass(1) for ask_permission requests if $DISPLAY is not available, but given that the code explicitly checks that, the developers may have reasons for not doing that (the prompts would appear on the screen where the agent was originally launched, which, depending on what is running there now, can get messy, but that seems better than not allowing ssh-add -c at all).

Best regards
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
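As an added example (not code from the thread or from OpenSSH), here is a minimal terminal-only SSH_ASKPASS helper in POSIX sh implementing the workaround described in the reply: ssh-agent passes the confirmation prompt as the first argument and reads the answer from the exit status. ASKPASS_TTY is a variable name assumed by this example, not an OpenSSH one; it is needed because the detached agent cannot reach /dev/tty itself.

```shell
#!/bin/sh
# Constructed example: a terminal-only SSH_ASKPASS helper for `ssh-add -c` on a
# virtual console with no X11 display. ssh-agent runs the program named in
# SSH_ASKPASS with the confirmation prompt as $1 and treats exit status 0 as
# "allowed" and anything else as "denied"; it only does so when DISPLAY is set.
#
# The agent detaches from its terminal (setsid), so /dev/tty is usually not
# usable from its children. ASKPASS_TTY (assumed by this example, not an
# OpenSSH variable) therefore names the terminal to talk to, recorded before
# the agent is started:
#
#   export DISPLAY=dummy:0 SSH_ASKPASS="$HOME/bin/tty-askpass"
#   export ASKPASS_TTY="$(tty)"
#   eval "$(ssh-agent -s)"
#   ssh-add -c ~/.ssh/id_ed25519
#
# Prompts then appear on the console where the agent was launched.

# is_affirmative ANSWER: 0 for y/yes (any case), 1 for anything else.
is_affirmative() {
    case $1 in
        [yY]|[yY][eE][sS]) return 0 ;;
        *) return 1 ;;
    esac
}

# ask_confirmation PROMPT: show PROMPT on $ASKPASS_TTY, read one line from it
# and return 0 only for an explicit yes. A missing terminal or EOF counts as
# "deny", i.e. the helper fails closed just like the agent does without it.
ask_confirmation() {
    tty_dev=${ASKPASS_TTY:-/dev/tty}
    [ -w "$tty_dev" ] && [ -r "$tty_dev" ] || return 1
    # Append rather than truncate so a regular file used for testing survives.
    printf '%s [y/N] ' "$1" >> "$tty_dev" || return 1
    read -r answer < "$tty_dev" || return 1
    is_affirmative "$answer"
}

# When invoked by ssh-agent the prompt is passed as an argument; with no
# argument the file only defines the functions above.
if [ $# -gt 0 ]; then
    ask_confirmation "$1"
    exit $?
fi
```

Install it as an executable file, point SSH_ASKPASS at it and export the variables before starting the agent, since the agent only hands its own environment to the helper.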