Hi!

There are quite some folks out there who use GnuPG's implementation of the ssh-agent which we implemented about 15 years ago. It nicely fits into the OpenPGP framework and we even have support for several smartcards and tokens. In fact the standard OpenPGP card is by default created with an authentication key to be used with ssh.

So far, so good. There is one annoying thing which we can only properly solve by adding code to ssh. The problem is that if you switch between different X-servers or ttys, gpg-agent does not know where to pop up the passphrase or PIN entry dialog. For example I am either working on the laptop directly or using an X server to work on that laptop. So when switching between these devices I am meanwhile very accustomed to run the command "gpg-connect-agent updatestartuptty /bye" to tell gpg-agent the default tty or display it shall use by default. With gpg etc. the default is not used because gpg tells gpg-agent via its own IPC a number of envvar values.

It would be very cool to get rid of this and so I hacked gpg-agent and openssh to convey the required envvars via the ssh agent protocols (according to draft-miller-ssh-agent-04 which is expired, but who cares).

The new extension mechanism from this protocol is used; the details should be easily available from the attached patch. However, I can describe them in another post.

The visible change in ssh is a new option:

    AgentEnv

        Specifies what variables from the local environ(7) should be sent to
        a running ssh-agent(1). The agent may use these environment
        variables at its own discretion. Note that patterns for the
        variable names are not supported.

        To empty the list of previously set AgentEnv variable names the
        special name "-" may be used. To ignore all further set names use
        the special name "#". To ask the agent for a list of names to send
        use "auto" as the first and only item.

        The default is not to send any environment variables to the agent.

The rationale for the "-" thingy is to allow a config file to override what for example the command line has already set. The "#" can be used to disable a globally set option from the command line or ~/.ssh/config. On a GnuPG system you would usually have

    AgentEnv auto

in ssh_config. "auto" reads the envvars known by GnuPG and sends their values back. This is easier than to list them as arguments to AgentEnv. GnuPG from Git is required but if things go smoothly we may even backport this to the stable GnuPG 2.2 version.

I have not implemented that feature yet for ssh-add and ssh-keygen because both don't parse ssh_config and thus this needs more thinking. Anyway for everyday use it is enough to have this in ssh.

Please let me know whether this patch (against yesterday's Git) might be acceptable to be included into the portable or upstream OpenSSH version. Comments on the code are also appreciated. I merely followed the existing style. I noticed that there are some ways to improve it but that might be more intrusive than this change.

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

Attachment: 0001-Allow-sending-envrionment-variables-to-the-agent.patch (text/x-diff, 14532 bytes): <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20210125/36770bf4/attachment-0001.bin>
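The AgentEnv list semantics described above ("-" empties the list, "#" ignores all later names, "auto" alone asks the agent) and the SSH_AGENTC_EXTENSION framing from draft-miller-ssh-agent-04, as an added illustration that is not code from Werner's patch or from OpenSSH. The extension name "agentenv@example.com" and the name=value payload layout are assumptions for this example; the real ones are in the attached patch, not on this page.

```python
import os
import struct

SSH_AGENTC_EXTENSION = 27  # message number from draft-miller-ssh-agent-04

def apply_agentenv(directives):
    """Fold a sequence of AgentEnv directives, given in the order ssh
    reads them (command line, ~/.ssh/config, ssh_config), into the final
    list of variable names, or the string "auto" (ask the agent)."""
    names, frozen = [], False
    for directive in directives:
        items = directive.split()
        if items == ["auto"] and not names and not frozen:
            return "auto"            # "auto" must be the first and only item
        for item in items:
            if frozen:               # an earlier "#" ignores all further names
                break
            if item == "-":          # empty the list built so far
                names = []
            elif item == "#":
                frozen = True
            elif item == "auto":
                raise ValueError('"auto" must be the first and only item')
            elif item not in names:  # no patterns: literal names only
                names.append(item)
    return names

def ssh_string(data):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def build_extension_request(ext_name, names, env=os.environ):
    """Build an SSH_AGENTC_EXTENSION message carrying the selected
    variables. The extension name and the name=value payload layout
    are assumptions for this example, not the layout used by the patch."""
    body = b"".join(ssh_string(f"{n}={env[n]}".encode()) for n in names if n in env)
    payload = bytes([SSH_AGENTC_EXTENSION]) + ssh_string(ext_name.encode()) + body
    return ssh_string(payload)  # every agent message is itself length-prefixed

if __name__ == "__main__":
    # Constructed environment standing in for environ(7)
    env = {"GPG_TTY": "/dev/pts/3", "DISPLAY": ":0"}
    chosen = apply_agentenv(["GPG_TTY DISPLAY", "- TERM"])  # command line, then config
    print(chosen)  # ['TERM']
    print(build_extension_request("agentenv@example.com", ["GPG_TTY", "DISPLAY"], env).hex())
```

Variables named in AgentEnv but absent from the environment are simply not sent, which matches the option's "list of names" wording rather than requiring every name to exist.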
On 2021-01-25T22:42:36+01:00, Werner Koch wrote:
> Hi!
>
> There are quite some folks out there who use GnuPG's implementation of the ssh-agent which we implemented about 15 years ago. It nicely fits into the OpenPGP framework and we even have support for several smartcards and tokens. In fact the standard OpenPGP card is by default created with an authentication key to be used with ssh.
>
> So far, so good. There is one annoying thing which we can only properly solve by adding code to ssh. The problem is that if you switch between different X-servers or ttys, gpg-agent does not know where to pop up the passphrase or PIN entry dialog. For example I am either working on the laptop directly or using an X server to work on that laptop. So when switching between these devices I am meanwhile very accustomed to run the command "gpg-connect-agent updatestartuptty /bye" to tell gpg-agent the default tty or display it shall use by default. With gpg etc. the default is not used because gpg tells gpg-agent via its own IPC a number of envvar values.

Doesn't ssh-agent have this same problem with confirmation-constrained keys (`ssh-add -c`)? How does the ssh-askpass process invoked by ssh-agent present the confirmation prompt on the correct tty or display?

-Richard

> It would be very cool to get rid of this and so I hacked gpg-agent and openssh to convey the required envvars via the ssh agent protocols (according to draft-miller-ssh-agent-04 which is expired, but who cares).
>
> The new extension mechanism from this protocol is used; the details should be easily available from the attached patch. However, I can describe them in another post.
>
> The visible change in ssh is a new option:
>
>     AgentEnv
>
>         Specifies what variables from the local environ(7) should be sent to
>         a running ssh-agent(1). The agent may use these environment
>         variables at its own discretion. Note that patterns for the
>         variable names are not supported.
>
>         To empty the list of previously set AgentEnv variable names the
>         special name "-" may be used. To ignore all further set names use
>         the special name "#". To ask the agent for a list of names to send
>         use "auto" as the first and only item.
>
>         The default is not to send any environment variables to the agent.
>
> The rationale for the "-" thingy is to allow a config file to override what for example the command line has already set. The "#" can be used to disable a globally set option from the command line or ~/.ssh/config. On a GnuPG system you would usually have
>
>     AgentEnv auto
>
> in ssh_config. "auto" reads the envvars known by GnuPG and sends their values back. This is easier than to list them as arguments to AgentEnv. GnuPG from Git is required but if things go smoothly we may even backport this to the stable GnuPG 2.2 version.
>
> I have not implemented that feature yet for ssh-add and ssh-keygen because both don't parse ssh_config and thus this needs more thinking. Anyway for everyday use it is enough to have this in ssh.
>
> Please let me know whether this patch (against yesterday's Git) might be acceptable to be included into the portable or upstream OpenSSH version. Comments on the code are also appreciated. I merely followed the existing style. I noticed that there are some ways to improve it but that might be more intrusive than this change.
>
>
> Salam-Shalom,
>
>    Werner