openssh unix dev - Nov 2019 - help wanted: update ssh-askpass programs for new U2F / prompt hints

Hi,

When we added U2F support, we also extended the interface used by ssh
and ssh-agent to invoke the $SSH_ASKPASS program.

Originally, the askpass prompt was used to obtain passphrases for ssh in
cases where it was not possible to read them from the terminal. Later
it was (ab)used for showing confirmation prompts for each use of any
key that was added to the agent using "ssh-add -c".

For U2F, we now want to show the user a reminder to touch their security
key (and kill the reminder as soon as they do). So the existing text
box with okay/cancel buttons used by the usual askpass dialogs wasn't a
great fit. This was the motivation for extending the interface.

Now, ssh/ssh-agent may set an additional environment variable when
running the askpass program: $SSH_ASKPASS_PROMPT. If the value is not
set, then we want the original passphrase prompt. If the environment
variable is set to "confirm", then this is a hint to display a dialog
for key confirmation (i.e. "ssh-add -c"). The U2F case is supported by
SSH_ASKPASS_PROMPT=none - which hints to the askpass program to just
show a message w/ optional dismiss/close button.

I've implemented this for the GTK+/GNOME askpass implementation
we ship in portable OpenSSH's contrib directory:
https://github.com/openssh/openssh-portable/commit/b497e92

For SSH_ASKPASS_PROMPT=confirm, the gnome-ssh-askpass program will now
only show yes/no buttons (instead of the prior textbox + ok/cancel). For
SSH_ASKPASS_PROMPT=none, it will show just the title and a close button.

I'd like help implementing the equivalent feature for the other askpass
implementations that people use. This includes (especially) Jim Knoble's
classic x11-ssh-askpass (Jim's site seems to have fallen off the net
though), the Qt implementation and any others that you might know about.

Thanks,
Damien

On Mon, 2019-11-18 at 16:19 +1100, Damien Miller wrote:
> Hi,
> 
> When we added U2F support, we also extended the interface used by ssh
> and ssh-agent to invoke the $SSH_ASKPASS program.
> 
> Originally, the askpass prompt was used to obtain passphrases for ssh
> in
> cases where it was not possible to read them from the terminal. Later
> it was (ab)used for showing confirmation prompts for each use of any
> key that was added to the agent using "ssh-add -c".
> 
> For U2F, we now want to show the user a reminder to touch their
> security
> key (and kill the reminder as soon as they do). So the existing text
> box with okay/cancel buttons used by the usual askpass dialogs wasn't
> a
> great fit. This was the motivation for extending the interface.
> 
> Now, ssh/ssh-agent may set an additional environment variable when
> running the askpass program: $SSH_ASKPASS_PROMPT. If the value is not
> set, then we want the original passphrase prompt. If the environment
> variable is set to "confirm", then this is a hint to display a
dialog
> for key confirmation (i.e. "ssh-add -c"). The U2F case is
supported
> by
> SSH_ASKPASS_PROMPT=none - which hints to the askpass program to just
> show a message w/ optional dismiss/close button.
> 
> I've implemented this for the GTK+/GNOME askpass implementation
> we ship in portable OpenSSH's contrib directory:
> https://github.com/openssh/openssh-portable/commit/b497e92
> 
> For SSH_ASKPASS_PROMPT=confirm, the gnome-ssh-askpass program will
> now
> only show yes/no buttons (instead of the prior textbox + ok/cancel).
> For
> SSH_ASKPASS_PROMPT=none, it will show just the title and a close
> button.
> 
> I'd like help implementing the equivalent feature for the other
> askpass
> implementations that people use. This includes (especially) Jim
> Knoble's
> classic x11-ssh-askpass (Jim's site seems to have fallen off the net
> though), the Qt implementation and any others that you might know
> about.
Thanks for heads up.

I created issues for the gnome components that implement something like
the ssh-askpass interface and that I know about:

https://gitlab.gnome.org/GNOME/seahorse/issues/248
https://gitlab.gnome.org/GNOME/gcr/issues/33

If I will have some time, I will check further what needs to be done
and whether these are directly used by ssh-agent or other programs.

Regards,
-- 
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.

My website has fallen off the web. This is a good time for someone else to take
over the code for x11-ssh-askpass, as I've not done anything with it for
years. I have the original code somewhere if needed, but I think Debian has
mirrored it for some time.

-- 
jim knoble

> On Nov 18, 2019, at 01:49, Jakub Jelen <jjelen at redhat.com> wrote:
> 
>> On Mon, 2019-11-18 at 16:19 +1100, Damien Miller wrote:
>> Hi,
>> 
>> When we added U2F support, we also extended the interface used by ssh
>> and ssh-agent to invoke the $SSH_ASKPASS program.
>> 
>> Originally, the askpass prompt was used to obtain passphrases for ssh
>> in
>> cases where it was not possible to read them from the terminal. Later
>> it was (ab)used for showing confirmation prompts for each use of any
>> key that was added to the agent using "ssh-add -c".
>> 
>> For U2F, we now want to show the user a reminder to touch their
>> security
>> key (and kill the reminder as soon as they do). So the existing text
>> box with okay/cancel buttons used by the usual askpass dialogs
wasn't
>> a
>> great fit. This was the motivation for extending the interface.
>> 
>> Now, ssh/ssh-agent may set an additional environment variable when
>> running the askpass program: $SSH_ASKPASS_PROMPT. If the value is not
>> set, then we want the original passphrase prompt. If the environment
>> variable is set to "confirm", then this is a hint to display
a dialog
>> for key confirmation (i.e. "ssh-add -c"). The U2F case is
supported
>> by
>> SSH_ASKPASS_PROMPT=none - which hints to the askpass program to just
>> show a message w/ optional dismiss/close button.
>> 
>> I've implemented this for the GTK+/GNOME askpass implementation
>> we ship in portable OpenSSH's contrib directory:
>> https://github.com/openssh/openssh-portable/commit/b497e92
>> 
>> For SSH_ASKPASS_PROMPT=confirm, the gnome-ssh-askpass program will
>> now
>> only show yes/no buttons (instead of the prior textbox + ok/cancel).
>> For
>> SSH_ASKPASS_PROMPT=none, it will show just the title and a close
>> button.
>> 
>> I'd like help implementing the equivalent feature for the other
>> askpass
>> implementations that people use. This includes (especially) Jim
>> Knoble's
>> classic x11-ssh-askpass (Jim's site seems to have fallen off the
net
>> though), the Qt implementation and any others that you might know
>> about.
> 
> Thanks for heads up.
> 
> I created issues for the gnome components that implement something like
> the ssh-askpass interface and that I know about:
> 
> https://gitlab.gnome.org/GNOME/seahorse/issues/248
> https://gitlab.gnome.org/GNOME/gcr/issues/33
> 
> If I will have some time, I will check further what needs to be done
> and whether these are directly used by ssh-agent or other programs.
> 
> Regards,
> -- 
> Jakub Jelen
> Senior Software Engineer
> Security Technologies
> Red Hat, Inc.
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev