Bug 1871

Summary: ssh-askpass should be able to distinguish between a prompt for confirmation and a prompt for an actual passphrase
Product: Portable OpenSSH
Reporter: Daniel Kahn Gillmor <dkg>
Component: Miscellaneous
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: normal
CC: djm, maxigas, olfway
Priority: P2
Version: 5.8p1
Hardware: All
OS: All
Bug Depends on:
Bug Blocks: 3079

Attachments (Description / Flags):
patch to contrib/gnome-ssh-askpass2.c implementing these changes (flags: none)
set SSH_ASKPASS_CONFIRMATION_ONLY when just asking for permission (flags: none)

Description Daniel Kahn Gillmor 2011-02-25 08:41:55 AEDT
Currently, ssh-askpass is used in some situations to actually ask the user for a passphrase.

In other situations, it is used to prompt for simple confirmation (e.g. ControlMaster=ask, ssh-add -c).

Providing the exact same UI for both scenarios is not only surprising for new users; it is also potentially problematic.

For example, grabbing the X11 keyboard is a pretty invasive operation (and it is warranted, to avoid other X processes snooping on the passphrase).  A prompt for confirmation doesn't need to grab the keyboard, though.

I'm proposing to extend the ssh-askpass interface with an environment variable SSH_ASKPASS_CONFIRMATION_ONLY.  If this environment variable is set, the ssh-askpass can choose to display a simpler/non-kbd-grabbing UI.  ssh, ssh-add, and ssh-agent would need to know to set or clear that environment variable depending on the type of prompt.

Another approach would be to define a command line argument, but existing ssh-agent implementations appear to treat multiple arguments differently (e.g. gnome-ssh-askpass concatenates them all into the string prompt; jim knoble's x11-ssh-askpass accepts old-school X11-style arguments).  So an environment variable seems cleaner.

This would be an optional UI enhancement -- ssh-askpass implementations that don't know about it or don't care wouldn't need to make any changes.
Comment 1 Daniel Kahn Gillmor 2011-02-25 09:24:02 AEDT
Created attachment 2003
patch to contrib/gnome-ssh-askpass2.c implementing these changes

Here's a patch implementing this behavior in contrib/gnome-ssh-askpass2.c (does anyone really use gnome1 any more?  Should we remove contrib/gnome-ssh-askpass1.c?)

This patch looks noisy, but most of it is just doing proper indenting, so it's whitespace-only changes.
Comment 2 Daniel Kahn Gillmor 2011-02-25 10:00:35 AEDT
Created attachment 2004
set SSH_ASKPASS_CONFIRMATION_ONLY when just asking for permission

And here is the fix so that ssh sets the environment variable correctly when invoking ssh-askpass.
Comment 3 maxigas 2011-03-19 10:25:17 AEDT
It is awfully confusing indeed.  I was trying several times before realising what was going on.  :o
Comment 4 Pavel Volkovitskiy 2014-04-02 04:12:19 AEDT
Any news on that?
Comment 5 Damien Miller 2020-01-26 00:52:01 AEDT
OpenSSH 8.2 sets a $SSH_ASKPASS_PROMPT environment variable that implements this feature. SSH_ASKPASS_PROMPT=confirm indicates a yes/no confirmation dialog, SSH_ASKPASS_PROMPT=none indicates an informational dialog and everything else is a regular passphrase request.

The contrib/gnome-ssh-askpass implementation has been updated to support these.
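
The three prompt types from comment 5, as an added example that is not part of this bug thread or of OpenSSH's own code: a POSIX sh askpass helper that picks its dialog from SSH_ASKPASS_PROMPT and reserves the keyboard grab for passphrase entry. The `ui_*` functions are hypothetical stand-ins that read from stdin, and the exit-status convention for confirmations is an assumption.

```shell
#!/bin/sh
# Added example: askpass helper that branches on SSH_ASKPASS_PROMPT.
# Values from comment 5: "confirm" = yes/no dialog, "none" = informational
# dialog, anything else (including unset) = regular passphrase request.

askpass_mode() {
    case "${SSH_ASKPASS_PROMPT-}" in
        confirm) echo confirm ;;
        none)    echo info ;;
        *)       echo passphrase ;;
    esac
}

# Only secret entry warrants the invasive keyboard grab from the description.
needs_keyboard_grab() {
    [ "$(askpass_mode)" = passphrase ]
}

# Hypothetical UI backends: stand-ins that read the answer from stdin so the
# example runs offline. A real helper opens its toolkit dialogs here.
ui_confirm() { printf '%s [yes/no] ' "$1" >&2; IFS= read -r a && [ "$a" = yes ]; }
ui_info()    { printf '%s\n' "$1" >&2; }
ui_secret()  { printf '%s ' "$1" >&2; IFS= read -r s && printf '%s\n' "$s"; }

askpass_main() {
    prompt=${1-}
    if needs_keyboard_grab; then
        echo 'askpass: keyboard grab would happen here' >&2
    fi
    case "$(askpass_mode)" in
        # Assumption (not stated on the page): the caller reads exit status 0
        # as "yes" and nonzero as "no"; nothing is written to stdout.
        confirm)    ui_confirm "$prompt" ;;
        info)       ui_info "$prompt" ;;
        # The passphrase goes to stdout, the only channel back to the caller.
        passphrase) ui_secret "$prompt" ;;
    esac
}

# ssh passes the prompt text as the first argument; with no argument (for
# example when this file is sourced for testing) nothing runs.
if [ "$#" -gt 0 ]; then
    askpass_main "$@"
    exit $?
fi
```

An unrecognised value falls through to the passphrase path, so a helper that meets a prompt type it does not know still uses the most protective dialog, and a confirmation with no answer on stdin is refused.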
Comment 6 Damien Miller 2021-03-04 09:53:24 AEDT
close bugs that were resolved in OpenSSH 8.5 release cycle