My website has fallen off the web. This is a good time for someone else to take over the code for x11-ssh-askpass, as I've not done anything with it for years. I have the original code somewhere if needed, but I think Debian has mirrored it for some time.

--
jim knoble

> On Nov 18, 2019, at 01:49, Jakub Jelen <jjelen@xxxxxxxxxx> wrote:
>
>> On Mon, 2019-11-18 at 16:19 +1100, Damien Miller wrote:
>> Hi,
>>
>> When we added U2F support, we also extended the interface used by ssh
>> and ssh-agent to invoke the $SSH_ASKPASS program.
>>
>> Originally, the askpass prompt was used to obtain passphrases for ssh in
>> cases where it was not possible to read them from the terminal. Later
>> it was (ab)used for showing confirmation prompts for each use of any
>> key that was added to the agent using "ssh-add -c".
>>
>> For U2F, we now want to show the user a reminder to touch their security
>> key (and kill the reminder as soon as they do). So the existing text
>> box with okay/cancel buttons used by the usual askpass dialogs wasn't a
>> great fit. This was the motivation for extending the interface.
>>
>> Now, ssh/ssh-agent may set an additional environment variable when
>> running the askpass program: $SSH_ASKPASS_PROMPT. If the value is not
>> set, then we want the original passphrase prompt. If the environment
>> variable is set to "confirm", then this is a hint to display a dialog
>> for key confirmation (i.e. "ssh-add -c"). The U2F case is supported by
>> SSH_ASKPASS_PROMPT=none - which hints to the askpass program to just
>> show a message w/ optional dismiss/close button.
>>
>> I've implemented this for the GTK+/GNOME askpass implementation
>> we ship in portable OpenSSH's contrib directory:
>> https://github.com/openssh/openssh-portable/commit/b497e92
>>
>> For SSH_ASKPASS_PROMPT=confirm, the gnome-ssh-askpass program will now
>> only show yes/no buttons (instead of the prior textbox + ok/cancel).
>> For SSH_ASKPASS_PROMPT=none, it will show just the title and a close
>> button.
>>
>> I'd like help implementing the equivalent feature for the other askpass
>> implementations that people use. This includes (especially) Jim Knoble's
>> classic x11-ssh-askpass (Jim's site seems to have fallen off the net
>> though), the Qt implementation and any others that you might know
>> about.
>
> Thanks for heads up.
>
> I created issues for the gnome components that implement something like
> the ssh-askpass interface and that I know about:
>
> https://gitlab.gnome.org/GNOME/seahorse/issues/248
> https://gitlab.gnome.org/GNOME/gcr/issues/33
>
> If I will have some time, I will check further what needs to be done
> and whether these are directly used by ssh-agent or other programs.
>
> Regards,
> --
> Jakub Jelen
> Senior Software Engineer
> Security Technologies
> Red Hat, Inc.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
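
An askpass helper that follows the SSH_ASKPASS_PROMPT hints described in Damien Miller's quoted message, added here as an example; it is not code from OpenSSH, x11-ssh-askpass or anyone in the thread. It assumes zenity as the dialog backend, `ASKPASS_DIALOG` is a hypothetical override for swapping that backend, and treating unrecognised hint values as a passphrase prompt is this example's own choice.

```shell
#!/bin/sh
# Example askpass helper that honours the SSH_ASKPASS_PROMPT hint.
# Assumptions: zenity is the dialog backend; ASKPASS_DIALOG is a
# hypothetical variable that lets another command stand in for it.

# Map the hint to a dialog kind. An unset hint means the original
# passphrase prompt. Treating unrecognised values the same way is an
# assumption of this example.
askpass_mode() {
    case "${SSH_ASKPASS_PROMPT-}" in
        confirm) echo confirm ;;
        none)    echo notify ;;
        *)       echo passphrase ;;
    esac
}

# Show the dialog for the prompt text in $1.
# Only passphrase mode writes to stdout; the other modes discard dialog
# output so nothing can be mistaken for a passphrase. The dialog's exit
# status is passed through unchanged.
askpass_run() {
    prompt=${1:-Enter your OpenSSH passphrase:}   # constructed default text
    dialog=${ASKPASS_DIALOG:-zenity}
    # exec replaces this shell with the dialog, so the process that ssh
    # kills once the key is touched is the dialog itself, not a parent
    # shell that would leave the window behind.
    # --no-markup shows the prompt literally instead of as Pango markup.
    case "$(askpass_mode)" in
        confirm)
            exec "$dialog" --question --no-markup \
                --title="OpenSSH" --text="$prompt" >/dev/null ;;
        notify)
            exec "$dialog" --info --no-markup \
                --title="OpenSSH" --text="$prompt" >/dev/null ;;
        passphrase)
            exec "$dialog" --password --title="$prompt" ;;
    esac
}

# Act as an askpass program only when installed under a name that
# contains "askpass" (e.g. pointed to by $SSH_ASKPASS).
case "${0##*/}" in
    *askpass*) askpass_run "$@" ;;
esac
```
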