Bug 3320 - Authentication hangs when SSH_ASKPASS_REQUIRE=prefer and remote host key fingerprint isn't known
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 8.6p1
Hardware: amd64 Mac OS X
Importance: P5 normal
Assignee: Assigned to nobody
Reported: 2021-06-16 06:03 AEST by Jack Foy
Modified: 2021-08-27 13:27 AEST

Description Jack Foy 2021-06-16 06:03:52 AEST
Hello,

I set SSH_ASKPASS_REQUIRE=prefer so that git would use SSH_ASKPASS to pull passphrases from an external keychain, even when run interactively. I've unblocked myself from the problem below by setting SSH_ASKPASS_REQUIRE only from .gitconfig.


Later, I discovered that with SSH_ASKPASS_REQUIRE=prefer, ssh hangs when connecting to a new host. `ssh -v` shows the following, repeated:


debug1: read_passphrase: requested to askpass
debug1: read_passphrase: requested to askpass
debug1: read_passphrase: requested to askpass


After amending the custom askpass program to show its argv on stderr:


debug1: read_passphrase: requested to askpass
argv: The authenticity of host 'testhost (10.1.10.10)' can't be established.
ED25519 key fingerprint is SHA256:<deleted>.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])?
debug1: read_passphrase: requested to askpass
argv: Please type 'yes', 'no' or the fingerprint:
debug1: read_passphrase: requested to askpass
argv: Please type 'yes', 'no' or the fingerprint:
debug1: read_passphrase: requested to askpass
argv: Please type 'yes', 'no' or the fingerprint:
debug1: read_passphrase: requested to askpass
argv: Please type 'yes', 'no' or the fingerprint:


It looks like all interactive input goes through read_passphrase() in readpass.c, whether or not it's a credential. Is this intentional?

Possibly related:
https://bugzilla.mindrot.org/show_bug.cgi?id=3314
https://bugzilla.mindrot.org/show_bug.cgi?id=3226
Comment 1 Damien Miller 2021-08-27 13:27:09 AEST
I can't replicate this on openssh-8.6 or 8.7 (on Linux/OpenBSD) and the common X11 askpass programs.

> It looks like all interactive input goes through read_passphrase() in 
> readpass.c, whether or not it's a credential. Is this intentional?

Yes - read_passphrase(), despite its name, supports reading both secret and public strings from the user. It's completely intentional, as it is the central place that decides whether to invoke SSH_ASKPASS or to read from the TTY.

If I had to guess what is going wrong in your case: your SSH_ASKPASS program is probably returning something other than strictly "yes", "no" or the key fingerprint and so you're repeatedly going around the loop inside sshconnect.c:confirm().
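The following is an added example, not OpenSSH code and not the reporter's askpass program: a minimal SSH_ASKPASS helper written to the reply rules described in the comment above, so that the host-key confirmation loop in sshconnect.c:confirm() always terminates. Because SSH_ASKPASS_REQUIRE=prefer routes every read_passphrase() prompt through the helper, including the host-key question, the helper has to recognise that prompt and answer it strictly ("no", or the exact fingerprint) rather than returning a passphrase, a "y", or a reply with trailing whitespace. The environment variable names SSH_ASKPASS_PINFILE and SSH_ASKPASS_SECRET_FILE, the pin-file format, and the file-based passphrase lookup are assumptions made for this example; the fingerprint in the test is constructed.

```shell
#!/bin/sh
# Added example, not OpenSSH code and not the reporter's askpass program:
# an SSH_ASKPASS helper that answers ssh's non-credential prompts with
# exactly "no" or the host key fingerprint, so sshconnect.c:confirm()
# never re-prompts. ssh passes the prompt text as $1 and reads the first
# line of stdout as the answer.
#
# Hypothetical configuration (names chosen for this example):
#   SSH_ASKPASS_PINFILE      file of "host fingerprint" lines (default below)
#   SSH_ASKPASS_SECRET_FILE  file whose first line is the key passphrase;
#                            replace fetch_passphrase with a real keychain
#                            lookup, e.g. on macOS:
#                            security find-generic-password -w -s <service>

PINFILE="${SSH_ASKPASS_PINFILE:-$HOME/.ssh/askpass_pins}"

# Print the pinned fingerprint for host $1, or nothing if none is pinned.
pinned_fingerprint() {
    [ -r "$PINFILE" ] || return 1
    awk -v h="$1" '$1 == h { print $2; exit }' "$PINFILE"
}

# Stand-in for a keychain lookup (assumption for this example).
fetch_passphrase() {
    [ -r "${SSH_ASKPASS_SECRET_FILE:-}" ] || return 1
    head -n 1 "$SSH_ASKPASS_SECRET_FILE"
}

# Print the reply for prompt $1. Returns 1 (and prints nothing) for prompts
# this helper does not understand; confirm() treats an empty reply as "no",
# so that path does not loop either.
askpass_reply() {
    prompt=$1
    case $prompt in
        *"Are you sure you want to continue connecting"*)
            # First host-key prompt: host name and fingerprint are in the text.
            host=$(printf '%s\n' "$prompt" |
                sed -n "s/.*authenticity of host '\([^ ']*\).*/\1/p" | head -n 1)
            # Assumes the default SHA256 fingerprint format.
            fp=$(printf '%s\n' "$prompt" |
                sed -n 's|.*key fingerprint is \(SHA256:[A-Za-z0-9+/=]*\).*|\1|p' | head -n 1)
            pinned=$(pinned_fingerprint "$host" || true)
            if [ -n "$pinned" ] && [ "$pinned" = "$fp" ]; then
                # Reply with the fingerprint rather than "yes": ssh only accepts
                # it if it equals the real fingerprint, so a parsing mistake in
                # this script cannot approve the wrong key.
                printf '%s\n' "$fp"
            else
                printf 'no\n'
            fi
            ;;
        *"Please type 'yes', 'no' or the fingerprint"*|*"Please type 'yes' or 'no'"*)
            # Re-prompt: the first answer was rejected. Decline rather than
            # retry, which is exactly the loop shown in the bug report.
            printf 'no\n'
            ;;
        *"Enter passphrase for"*)
            fetch_passphrase
            ;;
        *)
            return 1
            ;;
    esac
}

# When run as the askpass program (ssh gives one argument), answer and exit.
if [ $# -gt 0 ]; then
    askpass_reply "$1"
fi
```

Install it with `chmod +x`, point `SSH_ASKPASS` at it and set `SSH_ASKPASS_REQUIRE=prefer`; the pin file holds one `host fingerprint` line per host you have verified out of band. The design choice worth keeping even if you swap in a different helper is that the script never answers "yes": with `prefer`, an askpass program that replies "yes" to whatever it is handed silently disables host-key verification for every new host, which is a worse outcome than the hang this bug describes.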