bugzilla-daemon at bugzilla.mindrot.org
2011-Feb-24  21:41 UTC
[Bug 1871] New: ssh-askpass should be able to distinguish between a prompt for confirmation and a prompt for an actual passphrase
https://bugzilla.mindrot.org/show_bug.cgi?id=1871
           Summary: ssh-askpass should be able to distinguish between a
                    prompt for confirmation and a prompt for an actual
                    passphrase
           Product: Portable OpenSSH
           Version: 5.8p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Miscellaneous
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: dkg at fifthhorseman.net
Currently, ssh-askpass is used in some situations to actually ask the
user for a passphrase.

In other situations, it is used to prompt for simple confirmation (e.g.
ControlMaster=ask, ssh-add -c).

Providing the exact same UI for both scenarios is not only surprising
for new users; it is also potentially problematic.

For example, grabbing the X11 keyboard is a pretty invasive operation
(and it is warranted, to avoid other X processes snooping on the
passphrase).  A prompt for confirmation doesn't need to grab the
keyboard, though.

I'm proposing to extend the ssh-askpass interface with an environment
variable SSH_ASKPASS_CONFIRMATION_ONLY.  If this environment variable
is set, the ssh-askpass can choose to display a
simpler/non-kbd-grabbing UI.  ssh, ssh-add, and ssh-agent would need to
know to set or clear that environment variable depending on the type of
prompt.

Another approach would be to define a command line argument, but
existing ssh-agent implementations appear to treat multiple arguments
differently (e.g. gnome-ssh-askpass concatenates them all into the
string prompt; Jim Knoble's x11-ssh-askpass accepts old-school
X11-style arguments).  So an environment variable seems cleaner.

This would be an optional UI enhancement -- ssh-askpass implementations
that don't know about it or don't care wouldn't need to make any
changes.
-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
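
Added example, not part of the bug report or of the attached patches: a sketch in C of how an askpass helper could honour the proposed SSH_ASKPASS_CONFIRMATION_ONLY variable, keeping the keyboard grab for real passphrases and writing nothing to stdout when only confirming. Text streams stand in for the dialog; the function names, the exit-status convention (0 = accepted, 1 = refused) and the sample inputs are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

enum mode { MODE_PASSPHRASE, MODE_CONFIRM };

/* "If this environment variable is set": presence alone selects the mode. */
static enum mode mode_from_env(const char *v) {
    return v != NULL ? MODE_CONFIRM : MODE_PASSPHRASE;
}

/* Only a real secret justifies grabbing the X11 keyboard. */
static int needs_keyboard_grab(enum mode m) { return m == MODE_PASSPHRASE; }

/* One prompt: `in` and `ui` stand in for the dialog, `out` is the pipe to ssh.
 * Returns the helper's exit status (assumed here: 0 = accepted, 1 = refused). */
static int run_prompt(enum mode m, const char *prompt, FILE *in, FILE *ui, FILE *out) {
    char buf[1024];
    int ok;
    fprintf(ui, "%s%s", prompt,
            needs_keyboard_grab(m) ? " (keyboard grabbed) " : " [yes/no] ");
    if (fgets(buf, sizeof buf, in) == NULL)
        return 1;                            /* dialog cancelled: fail closed */
    buf[strcspn(buf, "\r\n")] = '\0';
    if (m == MODE_CONFIRM)
        ok = strcasecmp(buf, "yes") == 0;    /* nothing is written to out */
    else
        ok = fprintf(out, "%s\n", buf) > 0;  /* passphrase goes to ssh only */
    memset(buf, 0, sizeof buf);              /* best effort; a compiler may elide it */
    return ok ? 0 : 1;
}

static char captured[1024];  /* what the constructed run wrote to `out` */

/* Constructed harness: runs one prompt with `typed` as the user's input. */
static int simulate(const char *envval, const char *typed) {
    FILE *in = tmpfile(), *out = tmpfile(), *ui = tmpfile();
    size_t n; int rc;
    fputs(typed, in); rewind(in);
    rc = run_prompt(mode_from_env(envval), "Allow use of key?", in, ui, out);
    rewind(out);
    n = fread(captured, 1, sizeof captured - 1, out);
    captured[n] = '\0';
    fclose(in); fclose(out); fclose(ui);
    return rc;
}

int main(int argc, char **argv) {
    return run_prompt(mode_from_env(getenv("SSH_ASKPASS_CONFIRMATION_ONLY")),
                      argc > 1 ? argv[1] : "", stdin, stderr, stdout);
}
```
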
bugzilla-daemon at bugzilla.mindrot.org
2011-Feb-24  22:24 UTC
[Bug 1871] ssh-askpass should be able to distinguish between a prompt for confirmation and a prompt for an actual passphrase
https://bugzilla.mindrot.org/show_bug.cgi?id=1871
--- Comment #1 from Daniel Kahn Gillmor <dkg at fifthhorseman.net> 2011-02-25 09:24:02 EST ---
Created attachment 2003
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2003
patch to contrib/gnome-ssh-askpass2.c implementing these changes

Here's a patch implementing this behavior in
contrib/gnome-ssh-askpass2.c

(does anyone really use gnome1 any more?  should we remove
contrib/gnome-ssh-askpass1.c?)

This patch looks noisy, but most of it is just doing proper indenting,
so it's whitespace-only changes.
bugzilla-daemon at bugzilla.mindrot.org
2011-Feb-24  23:00 UTC
[Bug 1871] ssh-askpass should be able to distinguish between a prompt for confirmation and a prompt for an actual passphrase
https://bugzilla.mindrot.org/show_bug.cgi?id=1871
--- Comment #2 from Daniel Kahn Gillmor <dkg at fifthhorseman.net> 2011-02-25 10:00:35 EST ---
Created attachment 2004
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2004
set SSH_ASKPASS_CONFIRMATION_ONLY when just asking for permission

And here is the fix so that ssh sets the environment variable correctly
when invoking ssh-askpass.
bugzilla-daemon at bugzilla.mindrot.org
2011-Mar-18  23:25 UTC
[Bug 1871] ssh-askpass should be able to distinguish between a prompt for confirmation and a prompt for an actual passphrase
https://bugzilla.mindrot.org/show_bug.cgi?id=1871
maxigas <maxigas at anargeek.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |maxigas at anargeek.net
--- Comment #3 from maxigas <maxigas at anargeek.net> 2011-03-19 10:25:17
EST ---
It is awfully confusing indeed.  I was trying several times before
realising what was going on.  :o