On Mon, 2019-11-18 at 16:19 +1100, Damien Miller wrote:
> Hi,
>
> When we added U2F support, we also extended the interface used by ssh
> and ssh-agent to invoke the $SSH_ASKPASS program.
>
> Originally, the askpass prompt was used to obtain passphrases for ssh in
> cases where it was not possible to read them from the terminal. Later
> it was (ab)used for showing confirmation prompts for each use of any
> key that was added to the agent using "ssh-add -c".
>
> For U2F, we now want to show the user a reminder to touch their security
> key (and kill the reminder as soon as they do). So the existing text
> box with okay/cancel buttons used by the usual askpass dialogs wasn't a
> great fit. This was the motivation for extending the interface.
>
> Now, ssh/ssh-agent may set an additional environment variable when
> running the askpass program: $SSH_ASKPASS_PROMPT. If the value is not
> set, then we want the original passphrase prompt. If the environment
> variable is set to "confirm", then this is a hint to display a dialog
> for key confirmation (i.e. "ssh-add -c"). The U2F case is supported by
> SSH_ASKPASS_PROMPT=none - which hints to the askpass program to just
> show a message w/ optional dismiss/close button.
>
> I've implemented this for the GTK+/GNOME askpass implementation
> we ship in portable OpenSSH's contrib directory:
> https://github.com/openssh/openssh-portable/commit/b497e92
>
> For SSH_ASKPASS_PROMPT=confirm, the gnome-ssh-askpass program will now
> only show yes/no buttons (instead of the prior textbox + ok/cancel). For
> SSH_ASKPASS_PROMPT=none, it will show just the title and a close button.
>
> I'd like help implementing the equivalent feature for the other askpass
> implementations that people use. This includes (especially) Jim Knoble's
> classic x11-ssh-askpass (Jim's site seems to have fallen off the net
> though), the Qt implementation and any others that you might know
> about.

Thanks for the heads up.
I created issues for the GNOME components that implement something like the ssh-askpass interface and that I know about:

https://gitlab.gnome.org/GNOME/seahorse/issues/248
https://gitlab.gnome.org/GNOME/gcr/issues/33

If I have some time, I will check further what needs to be done and whether these are directly used by ssh-agent or other programs.

Regards,
--
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
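As an added illustration (not code from either message, from OpenSSH's contrib directory, or from the GNOME issues linked above), here is a minimal text-mode askpass helper showing how the three SSH_ASKPASS_PROMPT cases Damien describes fall out of one program. The calling convention it assumes: the prompt text arrives as the single argument, a passphrase is returned on stdout, a "confirm" answer is returned only through the exit status (0 allows the key use), and a "none" reminder just blocks until ssh-agent terminates it. The exit-status and SIGTERM details are my reading of how ssh/ssh-agent drive the helper, not something the message states; the y/N answer read from stdin stands in for the yes/no buttons of a real dialog.

```shell
#!/bin/sh
# Text-mode sketch of an askpass helper that honours SSH_ASKPASS_PROMPT.
# Added example, not OpenSSH's own contrib code. ssh/ssh-agent run
# $SSH_ASKPASS with the prompt text as argv[1]; depending on the mode the
# helper writes the passphrase to stdout, reports yes/no via exit status,
# or only displays a reminder until it is killed.

# Map $SSH_ASKPASS_PROMPT to a mode. Unset or unknown values fall back to
# the classic passphrase prompt so older callers keep working.
askpass_mode() {
    case "${SSH_ASKPASS_PROMPT-}" in
        confirm) echo confirm ;;
        none)    echo none ;;
        *)       echo passphrase ;;
    esac
}

# confirm mode: exit 0 means "allow this key use", anything else "deny".
# The answer comes from $1 (a constructed stand-in for yes/no buttons).
confirm_decision() {
    case "$1" in
        [Yy]|[Yy][Ee][Ss]) return 0 ;;
        *)                 return 1 ;;
    esac
}

main() {
    prompt="${1:-Enter passphrase:}"
    case "$(askpass_mode)" in
        passphrase)
            # Only the passphrase may go to stdout; everything else to stderr.
            printf '%s ' "$prompt" >&2
            stty -echo 2>/dev/null
            IFS= read -r pass
            stty echo 2>/dev/null
            printf '\n' >&2
            printf '%s\n' "$pass"
            ;;
        confirm)
            printf '%s [y/N] ' "$prompt" >&2
            IFS= read -r answer
            confirm_decision "$answer"
            ;;
        none)
            # Touch reminder: show the message and wait. Assumed here:
            # ssh-agent sends SIGTERM once the key has been touched, so
            # exit cleanly on it and never write to stdout. The trap fires
            # after the current one-second sleep returns.
            trap 'exit 0' TERM INT
            printf '%s\n' "$prompt" >&2
            while :; do sleep 1; done
            ;;
    esac
}

# ssh always passes the prompt as an argument; with no arguments the
# functions are merely defined (handy for sourcing and testing).
if [ $# -gt 0 ]; then
    main "$@"
fi
```

To try it, save the block as askpass.sh, make it executable, and point SSH_ASKPASS at it: `SSH_ASKPASS_PROMPT=confirm ./askpass.sh "Allow use of key foo?"` exits 0 only for a y/yes answer, and with SSH_ASKPASS_PROMPT unset the same script behaves like a plain passphrase prompt. A real GUI implementation replaces the stdin reads with dialogs, but the dispatch on the environment variable and the stdout/exit-status contract stay the same.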