Damien Miller
2019-Nov-18 05:19 UTC
help wanted: update ssh-askpass programs for new U2F / prompt hints
Hi,

When we added U2F support, we also extended the interface used by ssh and ssh-agent to invoke the $SSH_ASKPASS program.

Originally, the askpass prompt was used to obtain passphrases for ssh in cases where it was not possible to read them from the terminal. Later it was (ab)used for showing confirmation prompts for each use of any key that was added to the agent using "ssh-add -c".

For U2F, we now want to show the user a reminder to touch their security key (and kill the reminder as soon as they do). So the existing text box with okay/cancel buttons used by the usual askpass dialogs wasn't a great fit. This was the motivation for extending the interface.

Now, ssh/ssh-agent may set an additional environment variable when running the askpass program: $SSH_ASKPASS_PROMPT. If the value is not set, then we want the original passphrase prompt. If the environment variable is set to "confirm", then this is a hint to display a dialog for key confirmation (i.e. "ssh-add -c"). The U2F case is supported by SSH_ASKPASS_PROMPT=none - which hints to the askpass program to just show a message w/ optional dismiss/close button.

I've implemented this for the GTK+/GNOME askpass implementation we ship in portable OpenSSH's contrib directory: https://github.com/openssh/openssh-portable/commit/b497e92

For SSH_ASKPASS_PROMPT=confirm, the gnome-ssh-askpass program will now only show yes/no buttons (instead of the prior textbox + ok/cancel). For SSH_ASKPASS_PROMPT=none, it will show just the title and a close button.

I'd like help implementing the equivalent feature for the other askpass implementations that people use. This includes (especially) Jim Knoble's classic x11-ssh-askpass (Jim's site seems to have fallen off the net though), the Qt implementation and any others that you might know about.

Thanks,
Damien
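The following is an added example, not code from OpenSSH or from any of the askpass programs named in the thread. It shows the dispatch an askpass implementation needs for the three cases above, using plain text I/O in place of a GTK or X11 dialog so the logic runs anywhere: no SSH_ASKPASS_PROMPT means a passphrase entry whose answer goes to stdout, "confirm" means a yes/no decision reported only through the exit status, and "none" means a dismissable notice that ssh may kill once the key is touched. The exit-status convention (0 = passphrase delivered or confirmed, non-zero = cancelled) is the existing askpass interface; the fallback for unknown hint values, the "press Enter to dismiss" stand-in for a close button, and the assumption that the kill arrives as SIGTERM are choices made here.

```python
"""Minimal text-mode $SSH_ASKPASS program that honours SSH_ASKPASS_PROMPT.

Constructed example, not OpenSSH's own code. It reproduces the dispatch a
graphical askpass needs: no hint -> passphrase entry, "confirm" -> yes/no,
"none" -> a dismissable notice that ssh may kill once the key is touched.
"""
import io
import os
import signal
import sys

# Dialog modes selected by the environment hint described in the message.
MODE_PASSPHRASE = "passphrase"  # SSH_ASKPASS_PROMPT unset: text entry + ok/cancel
MODE_CONFIRM = "confirm"        # SSH_ASKPASS_PROMPT=confirm: yes/no, no text entry
MODE_NOTIFY = "none"            # SSH_ASKPASS_PROMPT=none: message + close button


def classify_prompt(env):
    """Map the SSH_ASKPASS_PROMPT value to a dialog mode.

    An unset or empty value is the classic passphrase prompt. Unknown values
    fall back to the passphrase prompt as well (assumption: a conservative
    default that keeps working if later ssh versions add new hints).
    """
    hint = env.get("SSH_ASKPASS_PROMPT", "")
    if hint == "confirm":
        return MODE_CONFIRM
    if hint == "none":
        return MODE_NOTIFY
    return MODE_PASSPHRASE


def run_askpass(argv, env, stdin=None, stdout=None, stderr=None):
    """Perform one askpass interaction and return the exit status.

    argv[1] is the prompt text ssh passes on the command line. Only in
    passphrase mode is anything written to stdout (ssh reads the passphrase
    from there); the dialog text itself goes to stderr so it never leaks into
    the passphrase channel. Exit status 0 means "passphrase delivered" or
    "confirmed", non-zero means "cancelled", which is the askpass convention.
    """
    stdin = sys.stdin if stdin is None else stdin
    stdout = sys.stdout if stdout is None else stdout
    stderr = sys.stderr if stderr is None else stderr
    prompt = argv[1] if len(argv) > 1 else "Enter passphrase:"
    mode = classify_prompt(env)

    if mode == MODE_PASSPHRASE:
        stderr.write(prompt + " ")
        stderr.flush()
        line = stdin.readline()
        if line == "":  # EOF stands in for the cancel button
            return 1
        stdout.write(line.rstrip("\r\n") + "\n")
        stdout.flush()
        return 0

    if mode == MODE_CONFIRM:
        stderr.write(prompt + " [yes/no] ")
        stderr.flush()
        answer = stdin.readline().strip().lower()
        return 0 if answer in ("y", "yes") else 1

    # MODE_NOTIFY: show the touch reminder and wait for the user to dismiss
    # it. ssh/ssh-agent kills the reminder as soon as the key is touched;
    # main() treats that (assumed to be SIGTERM) as a clean exit.
    stderr.write(prompt + "\n(press Enter to dismiss)\n")
    stderr.flush()
    stdin.readline()
    return 0


def simulate(argv, env, typed):
    """Drive run_askpass with canned input; returns (exit status, stdout text)."""
    out = io.StringIO()
    status = run_askpass(argv, env, io.StringIO(typed), out, io.StringIO())
    return status, out.getvalue()


def main():
    # Being killed by ssh in the "none" case is expected, not an error.
    signal.signal(signal.SIGTERM, lambda *_: sys.exit(0))
    sys.exit(run_askpass(sys.argv, os.environ))


if __name__ == "__main__":
    main()
```

Keeping dialog text on stderr and only the passphrase on stdout matters: ssh treats everything the askpass program prints to stdout as the passphrase, so a confirm or notify dialog that echoes its title there would feed garbage into a key operation. A graphical port replaces the three stderr/stdin exchanges with its own widgets and keeps the same exit-status and stdout behaviour.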
Jakub Jelen
2019-Nov-18 09:49 UTC
help wanted: update ssh-askpass programs for new U2F / prompt hints
On Mon, 2019-11-18 at 16:19 +1100, Damien Miller wrote:
> Hi,
>
> When we added U2F support, we also extended the interface used by ssh and ssh-agent to invoke the $SSH_ASKPASS program.
>
> Originally, the askpass prompt was used to obtain passphrases for ssh in cases where it was not possible to read them from the terminal. Later it was (ab)used for showing confirmation prompts for each use of any key that was added to the agent using "ssh-add -c".
>
> For U2F, we now want to show the user a reminder to touch their security key (and kill the reminder as soon as they do). So the existing text box with okay/cancel buttons used by the usual askpass dialogs wasn't a great fit. This was the motivation for extending the interface.
>
> Now, ssh/ssh-agent may set an additional environment variable when running the askpass program: $SSH_ASKPASS_PROMPT. If the value is not set, then we want the original passphrase prompt. If the environment variable is set to "confirm", then this is a hint to display a dialog for key confirmation (i.e. "ssh-add -c"). The U2F case is supported by SSH_ASKPASS_PROMPT=none - which hints to the askpass program to just show a message w/ optional dismiss/close button.
>
> I've implemented this for the GTK+/GNOME askpass implementation we ship in portable OpenSSH's contrib directory:
> https://github.com/openssh/openssh-portable/commit/b497e92
>
> For SSH_ASKPASS_PROMPT=confirm, the gnome-ssh-askpass program will now only show yes/no buttons (instead of the prior textbox + ok/cancel). For SSH_ASKPASS_PROMPT=none, it will show just the title and a close button.
>
> I'd like help implementing the equivalent feature for the other askpass implementations that people use. This includes (especially) Jim Knoble's classic x11-ssh-askpass (Jim's site seems to have fallen off the net though), the Qt implementation and any others that you might know about.

Thanks for the heads up.
I created issues for the gnome components that implement something like the ssh-askpass interface and that I know about:

https://gitlab.gnome.org/GNOME/seahorse/issues/248
https://gitlab.gnome.org/GNOME/gcr/issues/33

If I will have some time, I will check further what needs to be done and whether these are directly used by ssh-agent or other programs.

Regards,
--
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.
Jim Knoble
2019-Nov-20 03:30 UTC
help wanted: update ssh-askpass programs for new U2F / prompt hints
My website has fallen off the web. This is a good time for someone else to take over the code for x11-ssh-askpass, as I've not done anything with it for years. I have the original code somewhere if needed, but I think Debian has mirrored it for some time.

--
jim knoble

> On Nov 18, 2019, at 01:49, Jakub Jelen <jjelen at redhat.com> wrote:
>
>> On Mon, 2019-11-18 at 16:19 +1100, Damien Miller wrote:
>> Hi,
>>
>> When we added U2F support, we also extended the interface used by ssh and ssh-agent to invoke the $SSH_ASKPASS program.
>>
>> Originally, the askpass prompt was used to obtain passphrases for ssh in cases where it was not possible to read them from the terminal. Later it was (ab)used for showing confirmation prompts for each use of any key that was added to the agent using "ssh-add -c".
>>
>> For U2F, we now want to show the user a reminder to touch their security key (and kill the reminder as soon as they do). So the existing text box with okay/cancel buttons used by the usual askpass dialogs wasn't a great fit. This was the motivation for extending the interface.
>>
>> Now, ssh/ssh-agent may set an additional environment variable when running the askpass program: $SSH_ASKPASS_PROMPT. If the value is not set, then we want the original passphrase prompt. If the environment variable is set to "confirm", then this is a hint to display a dialog for key confirmation (i.e. "ssh-add -c"). The U2F case is supported by SSH_ASKPASS_PROMPT=none - which hints to the askpass program to just show a message w/ optional dismiss/close button.
>>
>> I've implemented this for the GTK+/GNOME askpass implementation we ship in portable OpenSSH's contrib directory:
>> https://github.com/openssh/openssh-portable/commit/b497e92
>>
>> For SSH_ASKPASS_PROMPT=confirm, the gnome-ssh-askpass program will now only show yes/no buttons (instead of the prior textbox + ok/cancel). For SSH_ASKPASS_PROMPT=none, it will show just the title and a close button.
>>
>> I'd like help implementing the equivalent feature for the other askpass implementations that people use. This includes (especially) Jim Knoble's classic x11-ssh-askpass (Jim's site seems to have fallen off the net though), the Qt implementation and any others that you might know about.
>
> Thanks for the heads up.
>
> I created issues for the gnome components that implement something like the ssh-askpass interface and that I know about:
>
> https://gitlab.gnome.org/GNOME/seahorse/issues/248
> https://gitlab.gnome.org/GNOME/gcr/issues/33
>
> If I will have some time, I will check further what needs to be done and whether these are directly used by ssh-agent or other programs.
>
> Regards,
> --
> Jakub Jelen
> Senior Software Engineer
> Security Technologies
> Red Hat, Inc.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev