openssh@xxxxxxxx:

> Hmm, okay, but it's not clear to me how to make that work.

You only need to have ssh-askpass installed. It will be automatically invoked by ssh-agent.

> I thought ssh-askpass was only invoked when the key is first added to the agent.

No, ssh-askpass is called every time ssh-agent needs some user interaction. For instance, you can use "ssh-add -c" to load a key that requires confirmation for each use. Each time you authenticate with that key, ssh-askpass will pop up and require a key press.

> If ssh-add issued an immediate challenge and then "cached" the user presence, I might see how ssh-askpass could get involved. And maybe that would even be preferable, if I only had to touch once at the start of a session and then not have to demonstrate user presence again until the key is removed.

Well, that's not how "user presence" is understood as a security concept. User presence is required at the time of authentication. Note that user presence is part of the FIDO/U2F specification and is included in the signature generated by the FIDO/U2F hardware and verified by the remote sshd. ssh-agent cannot fake this.

-- 
Christian "naddy" Weisgerber                          naddy@xxxxxxxxxxxx

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
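The "ssh-add -c" setup described in the reply, as an added example that is not part of the original thread or of OpenSSH itself: it starts a private agent, points it at ssh-askpass through SSH_ASKPASS and SSH_ASKPASS_REQUIRE, and loads a key with per-use confirmation. The askpass path (ASKPASS_BIN) is an assumption for your distro, and the throwaway ed25519 key is constructed test data; a FIDO (-sk) key is loaded the same way, but generating one needs the token, and the token's own touch check is separate from the agent-side confirmation prompt.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the OpenSSH tree): load a key
# into ssh-agent with per-use confirmation (ssh-add -c) and make the agent reach
# ssh-askpass for every signature request. ASKPASS_BIN is an assumed path.
set -eu

# Assumption: where ssh-askpass is installed on this host; adjust for your distro.
ASKPASS_BIN="${ASKPASS_BIN:-/usr/bin/ssh-askpass}"

# Environment the agent and ssh-add need to find the askpass helper.
# SSH_ASKPASS_REQUIRE=force (OpenSSH 8.4+) uses the helper even when a TTY is
# available, which is what an agent started by a session manager wants.
askpass_env() {
    echo "SSH_ASKPASS=$ASKPASS_BIN"
    echo "SSH_ASKPASS_REQUIRE=force"
}

# Load KEYFILE into the running agent with confirmation required on each use,
# then verify the agent lists its fingerprint. Returns 0 on success.
add_key_with_confirmation() {
    keyfile="$1"
    ssh-add -c "$keyfile" </dev/null
    fp="$(ssh-keygen -lf "$keyfile.pub" | awk '{print $2}')"
    ssh-add -l | grep -qF "$fp"
}

# Self-contained demo: private agent, constructed throwaway ed25519 key (a real
# FIDO -sk key would need the token present), loaded with -c.
# Returns 0 on success, 2 if the OpenSSH client tools are not installed.
demo() {
    command -v ssh-agent >/dev/null 2>&1 || return 2
    command -v ssh-keygen >/dev/null 2>&1 || return 2
    tmp="$(mktemp -d)"
    eval "$(ssh-agent -s)" >/dev/null
    trap 'ssh-agent -k >/dev/null 2>&1; rm -rf "$tmp"' EXIT
    ssh-keygen -q -t ed25519 -N '' -f "$tmp/key"
    export SSH_ASKPASS="$ASKPASS_BIN" SSH_ASKPASS_REQUIRE=force
    add_key_with_confirmation "$tmp/key"
}

if demo; then DEMO_RC=0; else DEMO_RC=$?; fi
if [ "$DEMO_RC" -eq 0 ]; then
    echo "key loaded with -c; each use will now go through $ASKPASS_BIN"
else
    echo "demo skipped or failed (rc=$DEMO_RC)"
fi
```

Once a key is loaded this way, every `ssh` that signs with it makes the agent run ssh-askpass for a confirm/deny click; for an -sk key that prompt comes on top of the token touch, which sshd verifies in the signature and which no agent-side caching can replace.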