Re: OpenSSH not requesting touch on FIDO keys (was: OpenSSH not requesting PIN code for YubiKey)

On Mon, Jul 20, 2020 at 01:12:10PM +1000, Damien Miller wrote:
> On Mon, 20 Jul 2020, Domenico Andreoli wrote:
> 
> > > > I guess it's due to the agent server not having any means to call back
> > > > the client for notifying that user action is required [0].
> > > 
> > > ssh-agent will prompt via $SSH_ASKPASS if you have it configured.
> > 
> > Evidently my setup has some problem, I don't see any dialog. I'll
> > investigate. Thanks.
> 
> Common problems:
> 
> 1) you might not be running OpenSSH's ssh-agent. Some desktop environments
>    will silently start their own, with varying levels of compatibility
> 
> 2) Not starting ssh-agent with $DISPLAY set
> 
> 3) Not having an askpass program at the path that ssh-agent expects
>    or not having $SSH_ASKPASS pointing (again, before starting the agent)

Managed to make it work. Nice! Thanks again.

Now, all the perfectly good use cases that do not have a running desktop
are left without a screen notification. Any ideas for these?

Another issue, the current ssh-askpass solution does not give any hint
of which application is requesting the confirmation. It's then possible
to race with a malicious application and get the confirmation first.

Dom

-- 
rsa4096: 3B10 0CA1 8674 ACBA B4FE  FCD2 CE5B CF17 9960 DE13
ed25519: FFB4 0CC3 7F2E 091D F7DA  356E CC79 2832 ED38 CB05
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
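
The three common problems quoted in this message can be checked mechanically. The script below is an added example, not part of the original message or of OpenSSH. The function names, the `desktop-agent` process name and the sample environment are constructed, and it assumes you supply the agent's process name and a NUL-separated dump of the environment it was started with (the format of `/proc/<pid>/environ` on Linux, which may need root to read).

```shell
#!/bin/sh
# Added example, not from the thread: checks the three common problems above.
# Inputs are assumptions: the agent's process name (as in /proc/<pid>/comm)
# and a NUL-separated dump of the environment it was started with.

# env_get FILE NAME: print NAME's value from a NUL-separated environment dump.
env_get() {
    tr '\0' '\n' < "$1" | sed -n "s/^$2=//p" | head -n 1
}

# check_agent COMM ENVFILE [DEFAULT_ASKPASS]
# DEFAULT_ASKPASS is the built-in askpass path of your ssh-agent build
# (hypothetical parameter; the value differs between distributions).
# Prints one line per problem and returns the number of problems found.
check_agent() {
    comm=$1 envfile=$2 default_askpass=${3:-}
    problems=0
    # 1) the running agent is not OpenSSH's ssh-agent
    if [ "$comm" != "ssh-agent" ]; then
        echo "agent process is '$comm', not ssh-agent"
        problems=$((problems + 1))
    fi
    # 2) the agent was started without DISPLAY
    if [ -z "$(env_get "$envfile" DISPLAY)" ]; then
        echo "DISPLAY was not set when the agent started"
        problems=$((problems + 1))
    fi
    # 3) SSH_ASKPASS (or the default path) must name an executable program
    askpass=$(env_get "$envfile" SSH_ASKPASS)
    [ -n "$askpass" ] || askpass=$default_askpass
    if [ -z "$askpass" ] || [ ! -x "$askpass" ]; then
        echo "no executable askpass: ${askpass:-SSH_ASKPASS unset, no default given}"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: an agent named desktop-agent, started from a console login.
sample=$(mktemp)
printf 'HOME=/home/user\0SHELL=/bin/sh\0' > "$sample"
check_agent desktop-agent "$sample" || echo "$? problem(s) found"
rm -f "$sample"
```

A return status of 0 means none of the three problems was detected; it does not prove the askpass dialog will appear.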


