Hi,

When we added U2F support, we also extended the interface used by ssh and ssh-agent to invoke the $SSH_ASKPASS program.

Originally, the askpass prompt was used to obtain passphrases for ssh in cases where it was not possible to read them from the terminal. Later it was (ab)used for showing confirmation prompts for each use of any key that was added to the agent using "ssh-add -c".

For U2F, we now want to show the user a reminder to touch their security key (and kill the reminder as soon as they do). So the existing text box with okay/cancel buttons used by the usual askpass dialogs wasn't a great fit. This was the motivation for extending the interface.

Now, ssh/ssh-agent may set an additional environment variable when running the askpass program: $SSH_ASKPASS_PROMPT. If the value is not set, then we want the original passphrase prompt. If the environment variable is set to "confirm", then this is a hint to display a dialog for key confirmation (i.e. "ssh-add -c"). The U2F case is supported by SSH_ASKPASS_PROMPT=none - which hints to the askpass program to just show a message w/ optional dismiss/close button.

I've implemented this for the GTK+/GNOME askpass implementation we ship in portable OpenSSH's contrib directory:

https://github.com/openssh/openssh-portable/commit/b497e92

For SSH_ASKPASS_PROMPT=confirm, the gnome-ssh-askpass program will now only show yes/no buttons (instead of the prior textbox + ok/cancel). For SSH_ASKPASS_PROMPT=none, it will show just the title and a close button.

I'd like help implementing the equivalent feature for the other askpass implementations that people use. This includes (especially) Jim Knoble's classic x11-ssh-askpass (Jim's site seems to have fallen off the net though), the Qt implementation and any others that you might know about.

Thanks,
Damien

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
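
An askpass wrapper that follows the hint interface described in the message above, as an added example that is not part of the original post or of OpenSSH. It assumes zenity as the dialog program and the usual askpass convention that exit status 0 means OK/yes; DIALOG and TITLE are names invented for this example, and refusing unrecognised hint values is this example's own choice.

```shell
#!/bin/sh
# Added example: askpass wrapper that honours the SSH_ASKPASS_PROMPT hint.
# DIALOG is a hypothetical override for the dialog program (default: zenity).
DIALOG=${DIALOG:-zenity}
TITLE="OpenSSH"

askpass() {
    prompt=${1:-}
    case "${SSH_ASKPASS_PROMPT-}" in
    "")
        # Hint unset: original behaviour. Hidden text entry; the passphrase
        # goes to stdout, and a cancelled dialog exits non-zero.
        "$DIALOG" --entry --hide-text --title="$TITLE" --text="$prompt"
        ;;
    confirm)
        # Key-use confirmation ("ssh-add -c"): yes/no buttons, no text box.
        # Exit status 0 means "yes"; nothing is written to stdout.
        "$DIALOG" --question --no-markup --title="$TITLE" --text="$prompt"
        ;;
    none)
        # Touch reminder: message plus a close button. exec replaces this
        # shell with the dialog, so when ssh kills the askpass process after
        # the key is touched, the signal reaches the window itself.
        exec "$DIALOG" --info --no-markup --title="$TITLE" --text="$prompt"
        ;;
    *)
        # Unrecognised hint: refuse instead of guessing (example's choice).
        echo "askpass: unsupported SSH_ASKPASS_PROMPT value" >&2
        return 1
        ;;
    esac
}

# ssh and ssh-agent pass the prompt text as the first argument.
[ "$#" -eq 0 ] || askpass "$1"
```

Without the exec in the "none" branch, killing the wrapper would leave the dialog window on screen as an orphaned child.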