openssh unix dev - Oct 2023 - ssh-agent hides sk "confirm user presence" message

On Mon, 16 Oct 2023, openssh at tr.id.au wrote:
> Hey there,
> 
> I've noticed some unexpected behavior when I occasionally need to
forward an ed25519-sk key with ssh-agent. When using the key without an agent,
it prompts with a reminder to touch the key:
> 
> $ ssh user at remote
> Confirm user presence for key ED25519-SK
MD5:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
> User presence confirmed
> 
> But as soon as I add the key to an agent, it now hides that reminder:
> 
> $ ssh-agent /bin/bash
> $ ssh-add /path/to/key
> Identity added: /path/to/key (ssh:keyname)
> $ ssh user at remote
> <key starts blinking but no reminder to touch it>
> 
> I first noticed it when forwarding the agent, but it's reproducible
locally without forwarding required.
> 
> Some people might prefer to keep the message hidden, which would be okay by
me if I could choose to toggle it on. I don't see any options in the various
openssh manpages to allow that though. It also seems inconsistent with the
expectations set when I use the key without an agent.
> 
> Could you consider adding an option which would allow forcing the message
to appear when used with an agent? I think an argument could be made this should
be the default behavior, but I'm not going to die on that hill, I'd be
content with a configurable toggle.
Generally we prefer to use ssh-askpass for agent notifications. Are you able to
use that?

-d

Hey Damien,
> Generally we prefer to use ssh-askpass for agent notifications. Are you
able to use that?
Hmm, okay, but it's not clear to me how to make that work. Is what you have
in mind documented somewhere? I don't see this specific situation covered in
the manpages and a web search doesn't turn up much.

I thought ssh-askpass was only invoked when the key is first added to the agent.
To be clear, my ed25519-sk key does add to the agent successfully with no
presence required at that time. It is only later, when the client goes to use
the key, that a presence challenge is issued.

If ssh-add issued an immediate challenge and then "cached" the user
presence, I might see how ssh-askpass could get involved. And maybe that would
even be preferable, if I only had to touch once at the start of a session and
then not have to demonstrate user presence again until the key is removed. But
that isn't the situation I'm describing. The situation is that no user
presence is required when adding the key, but it is required later when
ssh-askpass isn't involved (iiuc.)

Is there something I've overlooked or misunderstanding?

~ Tim

On 16.10.23 04:59, Damien Miller wrote:
> On Mon, 16 Oct 2023, openssh at tr.id.au wrote:
>> When using the key without an agent, it prompts with a reminder to
touch the key:
>>
>> $ ssh user at remote
>> Confirm user presence for key ED25519-SK
MD5:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
[...]
>> But as soon as I add the key to an agent, it now hides that reminder
> 
> Generally we prefer to use ssh-askpass for agent notifications.
*Which* ssh-askpass, OpenBSD's (with the "LEDs" underneath and
"only"
the usual range of X11 options), GNOME's (which doesn't react to 
"--help", "-h", or "-?", and doesn't seem to
have a manpage, either), or
KDE's (with a selection of possible options, including "--help", 
"--author", "--license", and Qt-specific ones)?

As far as I know, they would all require a (in the OP's use case, 
*second*) user interaction to close them again, and are pretty much 
unusable for any *multiline* notifications (say, something similar to 
"VisualHostKey=yes") ...

However, IIUC the real problem with the OP's request is that it is 
indeed the *agent* asking (or not ...) the user to complete the 
authentication, whereas in the empty-agent version, it's the *ssh* 
command - which *is* connected to a terminal - doing so. Hence, the 
prompt is not exactly "hidden", but doesn't readily *have* a place
to
show up in.

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3449 bytes
Desc: S/MIME Cryptographic Signature
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20231016/234d9633/attachment.p7s>