bugzilla-daemon at mindrot.org
2021-Jun-15 20:03 UTC
[Bug 3320] New: Authentication hangs when SSH_ASKPASS_REQUIRE=prefer and remote host key fingerprint isn't known
https://bugzilla.mindrot.org/show_bug.cgi?id=3320
Bug ID: 3320
Summary: Authentication hangs when SSH_ASKPASS_REQUIRE=prefer
and remote host key fingerprint isn't known
Product: Portable OpenSSH
Version: 8.6p1
Hardware: 68k
OS: Mac OS X
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: jack+portable-openssh-bugzilla at foys.net
Hello,
I set SSH_ASKPASS_REQUIRE=prefer so that git would use SSH_ASKPASS to
pull passphrases from an external keychain, even when run
interactively. I've unblocked myself from the problem below by setting
SSH_ASKPASS_REQUIRE only from .gitconfig.
Later, I discovered that with SSH_ASKPASS_REQUIRE=prefer, ssh hangs
when connecting to a new host. `ssh -v` shows the following, repeated:
debug1: read_passphrase: requested to askpass
debug1: read_passphrase: requested to askpass
debug1: read_passphrase: requested to askpass
After amending the custom askpass program to show its argv on stderr:
debug1: read_passphrase: requested to askpass
argv: The authenticity of host 'testhost (10.1.10.10)' can't be
established.
ED25519 key fingerprint is SHA256:<deleted>.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])?
debug1: read_passphrase: requested to askpass
argv: Please type 'yes', 'no' or the fingerprint:
debug1: read_passphrase: requested to askpass
argv: Please type 'yes', 'no' or the fingerprint:
debug1: read_passphrase: requested to askpass
argv: Please type 'yes', 'no' or the fingerprint:
debug1: read_passphrase: requested to askpass
argv: Please type 'yes', 'no' or the fingerprint:
It looks like all interactive input goes through read_passphrase() in
readpass.c, whether or not it's a credential. Is this intentional?
Possibly related:
https://bugzilla.mindrot.org/show_bug.cgi?id=3314
https://bugzilla.mindrot.org/show_bug.cgi?id=3226
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Jun-15 20:05 UTC
[Bug 3320] Authentication hangs when SSH_ASKPASS_REQUIRE=prefer and remote host key fingerprint isn't known
https://bugzilla.mindrot.org/show_bug.cgi?id=3320
Jack Foy <jack+portable-openssh-bugzilla at foys.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jack+portable-openssh-bugzi
| |lla at foys.net
bugzilla-daemon at mindrot.org
2021-Jun-25 19:31 UTC
[Bug 3320] Authentication hangs when SSH_ASKPASS_REQUIRE=prefer and remote host key fingerprint isn't known
https://bugzilla.mindrot.org/show_bug.cgi?id=3320
Jack Foy <jack+portable-openssh-bugzilla at foys.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Hardware|68k |amd64
bugzilla-daemon at mindrot.org
2021-Aug-27 03:27 UTC
[Bug 3320] Authentication hangs when SSH_ASKPASS_REQUIRE=prefer and remote host key fingerprint isn't known
https://bugzilla.mindrot.org/show_bug.cgi?id=3320
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
I can't replicate this on openssh-8.6 or 8.7 (on Linux/OpenBSD) and the
common X11 askpass programs.
> It looks like all interactive input goes through read_passphrase() in
> readpass.c, whether or not it's a credential. Is this intentional?
Yes - read_passphrase(), despite its name, supports reading both secret
and public strings from the user. It's completely intentional, as it is
the central place that decides whether to invoke SSH_ASKPASS or to read
from the TTY.
If I had to guess what is going wrong in your case: your SSH_ASKPASS
program is probably returning something other than strictly "yes", "no"
or the key fingerprint and so you're repeatedly going around the loop
inside sshconnect.c:confirm()
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
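Added example, not part of the bug thread or of OpenSSH: a sketch of an askpass wrapper that classifies the prompt it receives in argv, declines host-key confirmation prompts with "no" (one of the replies Comment #1 says confirm() accepts), and returns a secret only for credential prompts. ASKPASS_SECRET_CMD is a hypothetical hook for the keychain lookup, and the passphrase/password patterns assume the usual OpenSSH prompt wording; the host-key patterns are the prompts shown in the report.

```shell
#!/bin/sh
# Added example: askpass wrapper that answers only credential prompts.
# ASKPASS_SECRET_CMD is a hypothetical hook naming the command that prints
# the secret (for example a keychain lookup); it is not an OpenSSH variable.

# Classify the prompt ssh passes as argv[1]. The host-key patterns are the
# prompt strings shown in the bug report's debug output.
classify_prompt() {
    case "$1" in
        *"Are you sure you want to continue connecting"*) echo hostkey ;;
        *"Please type 'yes', 'no' or the fingerprint"*)   echo hostkey ;;
        *[Pp]assphrase*|*[Pp]assword*)                    echo secret ;;
        *)                                                echo unknown ;;
    esac
}

# Print the reply for ssh on stdout; return non-zero to leave the prompt
# unanswered.
askpass_answer() {
    case "$(classify_prompt "$1")" in
        hostkey)
            # Fail closed: never auto-accept an unknown host key, and never
            # hand a secret to the confirmation prompt. "no" ends the loop.
            echo "askpass: declining unknown host key; verify it out of band" >&2
            echo no
            ;;
        secret)
            [ -n "${ASKPASS_SECRET_CMD:-}" ] || return 1
            "$ASKPASS_SECRET_CMD" "$1"
            ;;
        *)
            echo "askpass: unrecognised prompt, not answering" >&2
            return 1
            ;;
    esac
}

# Run as an askpass program only when ssh supplies a prompt argument.
if [ "$#" -gt 0 ]; then
    askpass_answer "$1"
fi
```

With this wrapper a first connection to an unknown host fails instead of hanging; the host key is then verified and added to known_hosts from a terminal session.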
bugzilla-daemon at mindrot.org
2023-Oct-11 07:43 UTC
[Bug 3320] Authentication hangs when SSH_ASKPASS_REQUIRE=prefer and remote host key fingerprint isn't known
https://bugzilla.mindrot.org/show_bug.cgi?id=3320
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |WORKSFORME
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
closing for lack of followup