Just like ssh can ask for a password via the SSH_ASKPASS hook, it would be extremely useful if ssh would have a hook to ask for authorization of a machine key via some external command hook. If there isn't a valid TTY, ssh will fail if the user has never logged into a particular machine, as there is no way to ask the user if a particular machine has acceptably identified itself.
I like this idea - we could probably reuse most of the askpass code to obtain the answer (which should still IMO require the _typing_ of "yes").
Created attachment 10: like this?
It wouldn't be too difficult to massage x11-ssh-askpass to provide a real sort of "yes-or-no" functionality, as long as we all agree on how to tell ssh-askpass to "be a yes-or-no dialog instead of a passphrase dialog". Then again, xmessage works for that sort of thing already; a shell wrapper around it would be even easier....
The patch is nice and shorter too. The "yes"/"no" response won't be visible in the SSH_ASKPASS program, but I don't think this is a major problem. Perhaps we could arrange some standard way to tell the askpass to echo (cmdline arg?). CCing jmknoble@pobox.com as the author of x11-ssh-askpass.
Oops - I failed to see that Jim was already reading this. I wouldn't want a click-for-accept-this-key dialog box. Forcing people to type "yes" has a hope of making them stop and think for a second or two about the validity of the key.
Markus committed support for this a couple of days back and I merged it into portable last night. Open a separate bug if there are any issues with it.
Mass change of RESOLVED bugs to CLOSED
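A sketch of the shell-wrapper idea from the thread, added here as an example and not taken from the attached patch or from OpenSSH: an SSH_ASKPASS wrapper that passes passphrase replies through but accepts a host key only when the word "yes" was typed exactly. `ASKPASS_DIALOG` and the function names are hypothetical, and recognising the confirmation prompt by its "(yes/no" text is an assumption about the prompt wording.

```shell
#!/bin/sh
# Added example (not OpenSSH code). Point SSH_ASKPASS at this script; it runs
# the real dialog program and filters the reply for host-key confirmations.

# Classify the prompt that ssh passes as the first argument.
# Assumption: host-key confirmations contain the "(yes/no" choice text.
prompt_kind() {
    case "$1" in
        *"(yes/no"*) echo confirm ;;
        *)           echo secret ;;
    esac
}

# Only the exact typed word "yes" accepts the key. Anything else, including
# an empty click-through reply, "y" or "Yes ", is turned into a refusal.
confirm_answer() {
    if [ "$1" = "yes" ]; then echo yes; else echo no; fi
}

askpass_main() {
    prompt=$1
    # ASKPASS_DIALOG is a hypothetical variable naming the underlying dialog;
    # it must print the typed text on stdout, as x11-ssh-askpass does.
    dialog=${ASKPASS_DIALOG:-x11-ssh-askpass}
    reply=$("$dialog" "$prompt") || return 1   # dialog cancelled: fail closed
    if [ "$(prompt_kind "$prompt")" = confirm ]; then
        confirm_answer "$reply"
    else
        printf '%s\n' "$reply"                 # passphrase: pass through as-is
    fi
}

# Run only when invoked with a prompt, as ssh does for an askpass program.
if [ $# -gt 0 ]; then askpass_main "$@"; fi
```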