openssh at tr.id.au
2023-Oct-16 02:13 UTC
ssh-agent hides sk "confirm user presence" message
Hey there, I've noticed some unexpected behavior when I occasionally need to forward an ed25519-sk key with ssh-agent. When using the key without an agent, it prompts with a reminder to touch the key: $ ssh user at remote Confirm user presence for key ED25519-SK MD5:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX User presence confirmed But as soon as I add the key to an agent, it now hides that reminder: $ ssh-agent /bin/bash $ ssh-add /path/to/key Identity added: /path/to/key (ssh:keyname) $ ssh user at remote <key starts blinking but no reminder to touch it> I first noticed it when forwarding the agent, but it's reproducible locally without forwarding required. Some people might prefer to keep the message hidden, which would be okay by me if I could choose to toggle it on. I don't see any options in the various openssh manpages to allow that though. It also seems inconsistent with the expectations set when I use the key without an agent. Could you consider adding an option which would allow forcing the message to appear when used with an agent? I think an argument could be made this should be the default behavior, but I'm not going to die on that hill, I'd be content with a configurable toggle. Cheers, Tim
On Mon, 16 Oct 2023, openssh at tr.id.au wrote:> Hey there, > > I've noticed some unexpected behavior when I occasionally need to forward an ed25519-sk key with ssh-agent. When using the key without an agent, it prompts with a reminder to touch the key: > > $ ssh user at remote > Confirm user presence for key ED25519-SK MD5:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX > User presence confirmed > > But as soon as I add the key to an agent, it now hides that reminder: > > $ ssh-agent /bin/bash > $ ssh-add /path/to/key > Identity added: /path/to/key (ssh:keyname) > $ ssh user at remote > <key starts blinking but no reminder to touch it> > > I first noticed it when forwarding the agent, but it's reproducible locally without forwarding required. > > Some people might prefer to keep the message hidden, which would be okay by me if I could choose to toggle it on. I don't see any options in the various openssh manpages to allow that though. It also seems inconsistent with the expectations set when I use the key without an agent. > > Could you consider adding an option which would allow forcing the message to appear when used with an agent? I think an argument could be made this should be the default behavior, but I'm not going to die on that hill, I'd be content with a configurable toggle.Generally we prefer to use ssh-askpass for agent notifications. Are you able to use that? -d