[Bug 3572] ssh-agent refused operation when using FIDO2 with -O verify-required
https://bugzilla.mindrot.org/show_bug.cgi?id=3572

--- Comment #2 from bluebird090909@proton.me ---
A workaround for this issue is to disable the ssh-agent for the
relevant connections using the option -o IdentityAgent=none.

Alternatively, add this to your ~/.ssh/config:

Host myserver.tld
IdentityAgent none

--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3572] ssh-agent refused operation when using FIDO2 with -O verify-required
https://bugzilla.mindrot.org/show_bug.cgi?id=3572

--- Comment #4 from xspielinbox+mindrot@protonmail.com ---
I do not have openssh-askpass installed, but I do have pinentry,
pinentry-gnome3, gnome-keyring and gnome-keyring-pam installed.
$SSH_ASKPASS and SSH_AGENT_PID seem to be unset. $SSH_AUTH_SOCK is set
to: /run/user/1000/keyring/ssh
I am using the default configuration of Fedora Workstation as far as
SSH-Agent / SSH-Askpass is concerned.
I do get graphical dialogs to unlock my password-protected SSH keys
without any issues.
After running ssh-add an additional process is running:
/usr/bin/ssh-agent -D -a /run/user/1000/keyring/.ssh

I hope this helped. I apologize if it was useless information. I am
not that familiar with ssh-agent/ssh-askpass workings.

If you need any other information please let me know. I will do my best
to answer.

[Bug 3572] ssh-agent refused operation when using FIDO2 with -O verify-required
https://bugzilla.mindrot.org/show_bug.cgi?id=3572

--- Comment #5 from Damien Miller <djm@mindrot.org> ---
This looks like it is a problem with how Fedora is running/configuring
ssh-agent. You can test this using something like:

sudo yum install openssh-askpass
env SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass ssh-agent $SHELL -l
ssh-add ~/.ssh/id_ed25519_sk
ssh-add -T ~/.ssh/id_ed25519_sk.pub

[Bug 3572] ssh-agent refused operation when using FIDO2 with -O verify-required
https://bugzilla.mindrot.org/show_bug.cgi?id=3572

--- Comment #6 from bluebird090909@proton.me ---
I didn't have ssh-askpass installed either, but even after installing
it and using the steps above, the result was the same.

Running on Arch Linux:

sudo pacman -S x11-ssh-askpass
env SSH_ASKPASS=/usr/lib/ssh/x11-ssh-askpass ssh-agent $SHELL -l
ssh-add ~/.ssh/id_ed25519_sk
Identity added: /home/user/.ssh/id_ed25519_sk
ssh-add -T ~/.ssh/id_ed25519_sk.pub
Agent signature failed for /home/user/.ssh/id_ed25519_sk.pub: agent refused operation


Shouldn't entering the pin on the terminal work as well? It works
during key registration at least, so I don't get why ssh-askpass would
be required?

[Bug 3572] ssh-agent refused operation when using FIDO2 with -O verify-required
https://bugzilla.mindrot.org/show_bug.cgi?id=3572

--- Comment #7 from Damien Miller <djm@mindrot.org> ---
(In reply to bluebird090909 from comment #6)
> I didn't have ssh-askpass installed either, but even after
> installing it and using the steps above, the result was the same.

Well, you didn't follow my instructions so that's not surprising.

> Running on Arch Linux:
>
> sudo pacman -S x11-ssh-askpass
> env SSH_ASKPASS=/usr/lib/ssh/x11-ssh-askpass ssh-agent $SHELL -l

That's not the right path. I had the correct path in the instructions
in comment #5. Try replacing /usr/lib/ssh/x11-ssh-askpass with
/usr/libexec/openssh/x11-ssh-askpass.

> Shouldn't entering the pin on the terminal work as well? It works
> during key registration at least, so I don't get why ssh-askpass
> would be required?

Because ssh-agent is a daemon process that isn't connected to the
terminal.

[Bug 3572] ssh-agent refused operation when using FIDO2 with -O verify-required
https://bugzilla.mindrot.org/show_bug.cgi?id=3572

--- Comment #8 from bluebird090909@proton.me ---
The path /usr/libexec/ does not exist on Arch Linux, but
/usr/lib/ssh/x11-ssh-askpass is available.

However, I did manage to get the pin entry to work on Arch using the
x11-ssh-askpass package on a fresh Arch installation.

Your instructions also worked on a fresh Debian Bookworm after
installing the ssh-askpass-gnome package and I can use the agent with
the fido2 key and pin verification.

In both cases I had to define SSH_ASKPASS first.


Eventually I found out that the reason ssh-askpass didn't work
initially on my arch setup was because I had this set in my bashrc:

export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket"

while I also had this systemd service:

[Unit]
Description=SSH key agent

[Service]
Type=simple
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -D -t 1h -a $SSH_AUTH_SOCK

[Install]
WantedBy=default.target

Removing this export from my bashrc results in ssh-askpass successfully
requesting the pin. (And I'm very confused why that is)
Note that SSH_AUTH_SOCK is available as environment variable in both
cases, but setting it in bashrc seems to prevent askpass from working
for some reason.

To conclude, setting SSH_ASKPASS allows the agent to successfully
request the pin when using fido2 keys with verify-required.

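A small diagnostic script, added here as an illustration and not part of the bug report or of OpenSSH itself: it checks the two environment facts that comments #4, #5, #7 and #8 turned out to hinge on, namely whether SSH_ASKPASS names an executable helper (the agent is a daemon with no terminal of its own, so that helper is the only way it can collect a FIDO2 PIN) and which agent socket SSH_AUTH_SOCK points at. The "gnome-keyring" classification is a heuristic based on the socket path shown in comment #4 (an assumption, not something the thread established), and the function names are mine.

```sh
#!/bin/sh
# Diagnostic helper written for this thread (not OpenSSH code): report why
# an ssh-agent might refuse a FIDO2 verify-required signature. Run it from
# the same shell you use ssh-add in, so it sees that shell's environment.

# askpass_status PATH -> "unset" | "missing" | "not-executable" | "ok"
# ssh-agent can only prompt for a PIN through the SSH_ASKPASS program; if
# the variable is empty or points at nothing runnable, there is no prompt
# and the signing request fails.
askpass_status() {
    if [ -z "$1" ]; then
        echo unset
    elif [ ! -e "$1" ]; then
        echo missing
    elif [ ! -x "$1" ]; then
        echo not-executable
    else
        echo ok
    fi
}

# agent_socket_kind SOCKPATH -> which agent the socket most likely belongs to.
# Heuristic (assumption): Fedora's gnome-keyring socket from comment #4 lives
# under .../keyring/, whereas a user-started ssh-agent socket does not.
agent_socket_kind() {
    case "$1" in
        "") echo unset ;;
        */keyring/*) echo gnome-keyring ;;
        *) echo ssh-agent ;;
    esac
}

# diagnose ASKPASS SOCK -> one-line verdict combining the two checks.
diagnose() {
    askpass=$(askpass_status "$1")
    kind=$(agent_socket_kind "$2")
    if [ "$askpass" != ok ]; then
        echo "SSH_ASKPASS $askpass: agent cannot prompt for a FIDO2 PIN"
    elif [ "$kind" = unset ]; then
        echo "SSH_AUTH_SOCK unset: ssh-add has no agent to talk to"
    else
        echo "askpass ok, talking to $kind via $2"
    fi
}

# Stand-alone use: DIAG_MAIN=1 sh diag.sh inspects the current environment.
if [ "${DIAG_MAIN:-0}" = 1 ]; then
    diagnose "$SSH_ASKPASS" "$SSH_AUTH_SOCK"
fi
```

If the verdict says "SSH_ASKPASS unset", the fix from comment #5 applies: export SSH_ASKPASS to the distribution's askpass helper before starting the agent. If it reports gnome-keyring, ssh-add is talking to the keyring's agent rather than to an OpenSSH ssh-agent you started yourself, which is the Fedora situation described in comments #4 and #9.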
[Bug 3572] ssh-agent refused operation when using FIDO2 with -O verify-required
https://bugzilla.mindrot.org/show_bug.cgi?id=3572

--- Comment #9 from xspielinbox+mindrot@protonmail.com ---
(In reply to Damien Miller from comment #5)
> This looks like it is a problem with how Fedora is
> running/configuring ssh-agent. You can test this using something
> like:
>
> sudo yum install openssh-askpass
> env SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass ssh-agent
> $SHELL -l
> ssh-add ~/.ssh/id_ed25519_sk
> ssh-add -T ~/.ssh/id_ed25519_sk.pub

Sorry for the delay. I did quite some testing:

I first tried the test as is without openssh-askpass installed:

When just running $ ssh-add -T ~/.ssh/id_ed25519_sk-pin.pub
I get a (gnome-builtin) graphical dialog prompting for the
password/passphrase of the key, then have to tap the authenticator and
the shell prompt returns (so it is successful).
When testing it again, it has remembered the passphrase, and I only
have to tap the authenticator.
$ ssh-add -T ~/.ssh/id_ed25519_sk-pin.pub
results in the same graphical dialog for the password/passphrase, but
after that it just fails with:
"Agent signature failed for [full path of key]: agent refused
operation"
One never gets the opportunity to tap the authenticator or enter the
pin for user verification. The authenticator also never lights up to
indicate that user interaction is required.

When adding the keys to the ssh-agent:
$ ssh-add ~/.ssh/id_ed25519_sk-pin
Enter passphrase for [full path of key]:
Identity added: [full path of key] (pin)
$ ssh-add ~/.ssh/id_ed25519_sk-verify-pin
Enter passphrase for [full path of key]:
Identity added: [full path of key] (verify-pin)

I always get the prompt for the passphrase in the terminal and also
have to enter it, even if I already entered it in the graphical dialog
or ran ssh-add already before. When after that testing the signatures
again with ssh-add -T nothing has changed. I still have to enter the
password/passphrase in the graphical dialog, when I ran ssh-add -D or
killing the ssh-agent before adding the keys to the ssh-agent.
Verification succeeds for the key with the pin, but not for the one
with verify-required.


After installing the openssh-askpass package, echo $SSH_ASKPASS
returns:
/usr/libexec/openssh/gnome-ssh-askpass
This binary also does indeed exist.

After running env SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
ssh-agent $SHELL -l
there is an additional process running: ssh-agent /bin/bash -l
Every time I run this command, an additional process gets
created.

When now running: ssh-add -T ~/.ssh/id_ed25519_sk-pin.pub or ssh-add -T
~/.ssh/id_ed25519_sk-verify-pin.pub
I get: "Agent signature failed for [full path of key]: agent refused
operation"
It does not prompt me for the passphrase anymore.

$ ssh-add -L
returns: "The agent has no identities.", whereas the default agent has
all identities from the hard disk preloaded, even when the first
ssh-add command I enter is ssh-add -L. When opening a new terminal
window, it again defaults to the default agent and I have to manually
execute above command again to enable openssh-askpass.

I first have to add the keys to the agent with ssh-add as above and
when then running $ ssh-add -T ~/.ssh/id_ed25519_sk-pin.pub
after a tap on the authenticator the shell prompt returns (so it is
successful).
But $ ssh-add -T ~/.ssh/id_ed25519_sk-verify-pin.pub
still fails with:
"Agent signature failed for [full path of key]: agent refused
operation"
When checking with ssh-add -L, one can see that the latter key also was
not added to the agent, despite the ssh-add command not giving an error
(though also not asking for the pin, as it should have).

Also: when running ssh-add ~/.ssh/id_ed25519_sk-pin or ssh-add
~/.ssh/id_ed25519_sk-verify-pin
just hitting enter directly and not entering any passphrase seems to
abort it the same way as doing a keyboard interrupt. It does not show
the message of a bad passphrase, and there is no new key shown in
ssh-add -L

When then running ssh-add after killing the ssh-agent I receive "Error
connecting to agent: No such file or directory". I have to rerun env
SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass ssh-agent $SHELL -l
before the error goes away. When opening a new terminal window or
exiting the new login shell the command creates, this error disappears
too.

After some wild testing in different terminal tabs, I somehow then got
to a point, that now, when running ssh-add
~/.ssh/id_ed25519_sk-verify-pin it adds the key to the ssh-agent, even
though it did not prompt for a pin.
When having added the key to the ssh-agent and then running the
signature test, it now shows a (gnome-builtin) graphical dialog, that
openssh-askpass wants to inhibit shortcuts. When allowing that, I get
to see a new application window "openssh" that asks me to confirm user
presence for the respective key and in case of the verify-pin key also
asks me to enter the PIN.
For the pin key, it succeeds after tapping the authenticator, but for
the verify-pin key no matter what I enter as the pin (the actual FIDO2
pin of the authenticator, something completely wrong, nothing or the
passphrase of the key), it immediately fails with "Agent signature
failed for [full path of key]: agent refused operation", not even
giving me any chance to confirm my user presence. Trying to confirm the
user presence before entering the pin also does not work. In fact, the
authenticator never lights up the light to indicate that interaction is
required.

I don't have anything SSH-related in my ~/.bashrc, /etc/bashrc,
/etc/profile or ~/.bash_profile.
There also isn't any ssh-askpass or ssh-agent related systemd service
on Fedora.
