Jim Knoble
2019-Nov-20  03:30 UTC
help wanted: update ssh-askpass programs for new U2F / prompt hints
My website has fallen off the web. This is a good time for someone else to take over the code for x11-ssh-askpass, as I've not done anything with it for years. I have the original code somewhere if needed, but I think Debian has mirrored it for some time.

-- jim knoble

> On Nov 18, 2019, at 01:49, Jakub Jelen <jjelen at redhat.com> wrote:
>
>> On Mon, 2019-11-18 at 16:19 +1100, Damien Miller wrote:
>> Hi,
>>
>> When we added U2F support, we also extended the interface used by ssh
>> and ssh-agent to invoke the $SSH_ASKPASS program.
>>
>> Originally, the askpass prompt was used to obtain passphrases for ssh in
>> cases where it was not possible to read them from the terminal. Later
>> it was (ab)used for showing confirmation prompts for each use of any
>> key that was added to the agent using "ssh-add -c".
>>
>> For U2F, we now want to show the user a reminder to touch their security
>> key (and kill the reminder as soon as they do). So the existing text
>> box with okay/cancel buttons used by the usual askpass dialogs wasn't a
>> great fit. This was the motivation for extending the interface.
>>
>> Now, ssh/ssh-agent may set an additional environment variable when
>> running the askpass program: $SSH_ASKPASS_PROMPT. If the value is not
>> set, then we want the original passphrase prompt. If the environment
>> variable is set to "confirm", then this is a hint to display a dialog
>> for key confirmation (i.e. "ssh-add -c"). The U2F case is supported by
>> SSH_ASKPASS_PROMPT=none - which hints to the askpass program to just
>> show a message w/ optional dismiss/close button.
>>
>> I've implemented this for the GTK+/GNOME askpass implementation
>> we ship in portable OpenSSH's contrib directory:
>> https://github.com/openssh/openssh-portable/commit/b497e92
>>
>> For SSH_ASKPASS_PROMPT=confirm, the gnome-ssh-askpass program will now
>> only show yes/no buttons (instead of the prior textbox + ok/cancel). For
>> SSH_ASKPASS_PROMPT=none, it will show just the title and a close button.
>>
>> I'd like help implementing the equivalent feature for the other askpass
>> implementations that people use. This includes (especially) Jim Knoble's
>> classic x11-ssh-askpass (Jim's site seems to have fallen off the net
>> though), the Qt implementation and any others that you might know about.
>
> Thanks for heads up.
>
> I created issues for the gnome components that implement something like
> the ssh-askpass interface and that I know about:
>
> https://gitlab.gnome.org/GNOME/seahorse/issues/248
> https://gitlab.gnome.org/GNOME/gcr/issues/33
>
> If I will have some time, I will check further what needs to be done
> and whether these are directly used by ssh-agent or other programs.
>
> Regards,
> --
> Jakub Jelen
> Senior Software Engineer
> Security Technologies
> Red Hat, Inc.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
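The three hint values described in Damien Miller's quoted announcement above, written as a shell askpass wrapper. This is an added example, not code from the thread or from OpenSSH; it assumes zenity as the dialog tool (overridable through a hypothetical `DIALOG` variable), that unrecognised hint values fall back to the passphrase prompt, and that the caller treats a non-zero exit status as a refusal.

```shell
#!/bin/sh
# Added example: askpass wrapper that honours $SSH_ASKPASS_PROMPT.
# Assumptions: zenity draws the dialogs (override with $DIALOG); a non-zero
# exit status is read by the caller as "cancelled" / "no".

DIALOG=${DIALOG:-zenity}

# askpass PROMPT
# Writes a passphrase to stdout in entry mode only; status 0 means ok/yes.
askpass() {
    prompt=${1:-"Enter passphrase:"}
    case "${SSH_ASKPASS_PROMPT:-}" in
    confirm)
        # Key-use confirmation ("ssh-add -c"): yes/no buttons, no text box,
        # nothing on stdout. A closed dialog, a killed dialog or a missing
        # dialog tool all count as "no" (fail closed).
        "$DIALOG" --question --title="ssh" --text="$prompt" \
            >/dev/null 2>&1 || return 1
        ;;
    none)
        # U2F touch reminder: message with a close button. The caller kills
        # this process once the key is touched, so dismissing the dialog
        # carries no answer and nothing is written to stdout.
        "$DIALOG" --info --title="ssh" --text="$prompt" >/dev/null 2>&1 || :
        ;;
    *)
        # Hint unset (or not recognised): the original passphrase prompt.
        "$DIALOG" --entry --hide-text --title="ssh" --text="$prompt" ||
            return 1
        ;;
    esac
}

# Act as a program only when installed under a name containing "askpass".
case "${0##*/}" in
*askpass*) askpass "$@" ;;
esac
```

Installed under a name such as `my-ssh-askpass` and pointed to by `$SSH_ASKPASS`, the script picks its dialog from the hint on every invocation.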
Darren Tucker
2019-Nov-20  03:51 UTC
help wanted: update ssh-askpass programs for new U2F / prompt hints
On Wed, 20 Nov 2019 at 14:44, Jim Knoble <jmknoble at pobox.com> wrote:
> My website has fallen off the web. This is a good time for someone else to take
> over the code for x11-ssh-askpass, as I've not done anything with it for years.
> I have the original code somewhere if needed, but I think Debian has mirrored it for some time.

There's also a version in OpenBSD's xenocara repo:
https://cvsweb.openbsd.org/xenocara/app/ssh-askpass/

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Philip Hands
2019-Nov-20  16:48 UTC
help wanted: update ssh-askpass programs for new U2F / prompt hints
Darren Tucker <dtucker at dtucker.net> writes:

> On Wed, 20 Nov 2019 at 14:44, Jim Knoble <jmknoble at pobox.com> wrote:
>> My website has fallen off the web. This is a good time for someone else to take
>> over the code for x11-ssh-askpass, as I've not done anything with it for years.
>> I have the original code somewhere if needed, but I think Debian has mirrored it for some time.
>
> There's also a version in OpenBSD's xenocara repo:
> https://cvsweb.openbsd.org/xenocara/app/ssh-askpass/

Comparing that with my repo for the Debian package:

http://git.hands.com/ssh-askpass

it seems the OpenBSD version was taken from a 2000 version of Jim's code, whereas Debian's is based off of a later version (2001 -- the latest I'm aware of).

Looking at this also reminds me that I've had some minor edits relating to the manual that I've been failing to upload for several years by the looks of it. :-/

I had meant to do a final upload, and then orphan the Debian package, on the basis that I don't use it myself any more ... but apparently failed.

If anyone here wants to adopt it (as a Debian package and/or as upstream), or help with the U2F request, I would certainly welcome that, and it looks like Jim would too.

Cheers, Phil.
--
|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
|-| http://www.hands.com/ http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY