On 2021-01-25T22:42:36+01:00, Werner Koch wrote:> Hi!
>
> There are quite some folks out there who use GnuPG's implementation of
> the ssh-agent which we implemented about 15 years ago. It nicely fits
> into the OpenPGP framework and we even have support for several
> smartcards and tokens. In fact the standard OpenPGP card is be default
> created with an authentication key to be used with ssh.
>
> So far, so good. There is one annoying thing which we can only properly
> solve by adding code to ssh. The problem is that if you switch between
> different X-servers or ttys, gpg-agent does not know where to popup the
> passphrase or PIN entry dialog. For example I am either working on
> laptop directly or using an X server to work on that laptop. So when
> switching between these devices I am meanwhile very accustomed to run
> the command "gpg-connect-agent updatestartuptty /bye" to tell
gpg-agent
> the default tty or display it shall use by default. With gpg etc the
> default is not used because gpg tells gpg-agent via its own IPC a number
> of envvar values.
Doesn't ssh-agent have this same problem with confirmation-constrained keys
(`ssh-add -c`)? How does the ssh-askpass process invoked by ssh-agent present
the confirmation prompt on the correct tty or display?
-Richard
>
> It would be very cool to get rid of this and so I hacked gpg-agent and
> openssh to convet the required envvars via the ssh agent protocols
> (according to draft-miller-ssh-agent-04 which is expired, but who
> cares).
>
> The new extension mechanism from this protocol is used; the details
> should be easyl available from the attached patch. However, I can
> describe them in another post.
>
> The visisble change in ssh is a new option:
>
> AgentEnv
>
> Specifies what variables from the local environ(7) should be sent to
> a running ssh-agent(1). The agent may use these environment
> variables at its own discretion. Note that patterns for the
> variable names are not supported. To empty the list of previously
> set AgentEnv variable names the special name "-" may be
used. To
> ignore all further set names use the special name "#". To
ask the
> agent for a list of names to send use "auto" as the first
and only
> item.
>
> The default is not to send any environment variables to the agent.
>
> The rationale for the "-" thingy is to allow a config file to
override
> what for example the command line has already set. The "#" can
be used
> to disable a globally set option from the commandline or ~/.ssh/config.
> On a GnuPG system you would usually have
>
> AgentEnv auto
>
> in ssh_config. "auto" reads the envvars known by GnuPG and sends
their
> values back. This is easier than to list them as arguments to AgentEnv.
> GnuPG from Git is required but if things go smoothly we may even
> backport this to the stable GnuPG 2.2 version.
>
> I have not implemented that feature yet for ssh-add and ssh-keygen
> because both don't parse ssh_config and thus this needs more thinking.
> Anyway for everydays use it is enough to have this in ssh.
>
> Please let me know whether this patch (against yesterday's Git) might
be
> acceptable to be included into the portable or upstream OpenSSH version.
> Comments on the code are also appreciated. I merely followed the
> existing style. I noticed that there are some ways to improve it but
> that might me more intrusive as this change.
>
>
> Salam-Shalom,
>
> Werner