
help wanted: update ssh-askpass programs for new U2F / prompt hints
Hi,

When we added U2F support, we also extended the interface used by ssh
and ssh-agent to invoke the $SSH_ASKPASS program.

Originally, the askpass prompt was used to obtain passphrases for ssh in
cases where it was not possible to read them from the terminal. Later
it was (ab)used for showing confirmation prompts for each use of any
key that was added to the agent using "ssh-add -c".

For U2F, we now want to show the user a reminder to touch their security
key (and kill the reminder as soon as they do). So the existing text
box with okay/cancel buttons used by the usual askpass dialogs wasn't a
great fit. This was the motivation for extending the interface.

Now, ssh/ssh-agent may set an additional environment variable when
running the askpass program: $SSH_ASKPASS_PROMPT. If the value is not
set, then we want the original passphrase prompt. If the environment
variable is set to "confirm", then this is a hint to display a dialog
for key confirmation (i.e. "ssh-add -c"). The U2F case is supported by
SSH_ASKPASS_PROMPT=none - which hints to the askpass program to just
show a message w/ optional dismiss/close button.

I've implemented this for the GTK+/GNOME askpass implementation
we ship in portable OpenSSH's contrib directory:
https://github.com/openssh/openssh-portable/commit/b497e92

For SSH_ASKPASS_PROMPT=confirm, the gnome-ssh-askpass program will now
only show yes/no buttons (instead of the prior textbox + ok/cancel). For
SSH_ASKPASS_PROMPT=none, it will show just the title and a close button.

I'd like help implementing the equivalent feature for the other askpass
implementations that people use. This includes (especially) Jim Knoble's
classic x11-ssh-askpass (Jim's site seems to have fallen off the net
though), the Qt implementation and any others that you might know about.

Thanks,
Damien
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
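As an added example (not OpenSSH's code and not the gnome-ssh-askpass commit above), here is a minimal text-mode askpass in C that honours the three $SSH_ASKPASS_PROMPT cases described in the post. The mode and layout names are this example's own, and the conventions that ssh reads a passphrase from stdout, takes a confirm answer from the exit status, and ends the "none" reminder with SIGTERM are assumptions about how ssh drives the program.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Mode names and the layout struct are this example's own, not OpenSSH's. */
enum askpass_mode { MODE_PASSPHRASE, MODE_CONFIRM, MODE_NOTIFY };
struct layout { int text_entry, ok_cancel, yes_no, close_only, answer_on_stdout; };
/* $SSH_ASKPASS_PROMPT unset -> passphrase, "confirm", "none"; any other value
 * is treated like unset (assumption: fall back to the classic prompt). */
enum askpass_mode mode_from_hint(const char *hint)
{
    if (hint == NULL || *hint == '\0') return MODE_PASSPHRASE;
    if (strcmp(hint, "confirm") == 0) return MODE_CONFIRM;
    if (strcmp(hint, "none") == 0) return MODE_NOTIFY;
    return MODE_PASSPHRASE;
}
/* Widgets each mode needs, mirroring the gnome-ssh-askpass change described. */
struct layout layout_for(enum askpass_mode m)
{
    struct layout l = {0, 0, 0, 0, 0};
    if (m == MODE_CONFIRM) l.yes_no = 1;             /* answer is the exit status */
    else if (m == MODE_NOTIFY) l.close_only = 1;     /* ssh kills us on key touch */
    else l.text_entry = l.ok_cancel = l.answer_on_stdout = 1;
    return l;
}
static volatile sig_atomic_t dismissed = 0;
static void on_term(int sig) { (void)sig; dismissed = 1; }
/* Text-mode stand-in for a GUI dialog; ssh passes the prompt text as argv[1]. */
int main(int argc, char **argv)
{
    const char *title = argc > 1 ? argv[1] : "ssh";
    char buf[1024];
    switch (mode_from_hint(getenv("SSH_ASKPASS_PROMPT"))) {
    case MODE_NOTIFY:            /* show the reminder, wait for SIGTERM from ssh */
        fprintf(stderr, "%s\n", title);
        signal(SIGTERM, on_term);
        while (!dismissed) pause();
        return 0;
    case MODE_CONFIRM:           /* exit 0 = allow the key use, anything else = deny */
        fprintf(stderr, "%s [y/N] ", title);
        return (fgets(buf, sizeof buf, stdin) && (buf[0] == 'y' || buf[0] == 'Y')) ? 0 : 1;
    default:                     /* passphrase goes to stdout and nowhere else */
        if (!fgets(buf, sizeof buf, stdin)) return 1;
        buf[strcspn(buf, "\n")] = '\0';
        puts(buf);
        return 0;
    }
}
```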
Re: help wanted: update ssh-askpass programs for new U2F / prompt hints
On Mon, 2019-11-18 at 16:19 +1100, Damien Miller wrote:
> Hi,
>
> When we added U2F support, we also extended the interface used by ssh
> and ssh-agent to invoke the $SSH_ASKPASS program.
>
> Originally, the askpass prompt was used to obtain passphrases for ssh
> in
> cases where it was not possible to read them from the terminal. Later
> it was (ab)used for showing confirmation prompts for each use of any
> key that was added to the agent using "ssh-add -c".
>
> For U2F, we now want to show the user a reminder to touch their
> security
> key (and kill the reminder as soon as they do). So the existing text
> box with okay/cancel buttons used by the usual askpass dialogs wasn't
> a
> great fit. This was the motivation for extending the interface.
>
> Now, ssh/ssh-agent may set an additional environment variable when
> running the askpass program: $SSH_ASKPASS_PROMPT. If the value is not
> set, then we want the original passphrase prompt. If the environment
> variable is set to "confirm", then this is a hint to display a dialog
> for key confirmation (i.e. "ssh-add -c"). The U2F case is supported
> by
> SSH_ASKPASS_PROMPT=none - which hints to the askpass program to just
> show a message w/ optional dismiss/close button.
>
> I've implemented this for the GTK+/GNOME askpass implementation
> we ship in portable OpenSSH's contrib directory:
> https://github.com/openssh/openssh-portable/commit/b497e92
>
> For SSH_ASKPASS_PROMPT=confirm, the gnome-ssh-askpass program will
> now
> only show yes/no buttons (instead of the prior textbox + ok/cancel).
> For
> SSH_ASKPASS_PROMPT=none, it will show just the title and a close
> button.
>
> I'd like help implementing the equivalent feature for the other
> askpass
> implementations that people use. This includes (especially) Jim
> Knoble's
> classic x11-ssh-askpass (Jim's site seems to have fallen off the net
> though), the Qt implementation and any others that you might know
> about.

Thanks for the heads up.

I created issues for the gnome components that implement something like
the ssh-askpass interface and that I know about:

https://gitlab.gnome.org/GNOME/seahorse/issues/248
https://gitlab.gnome.org/GNOME/gcr/issues/33

If I have some time, I will check further what needs to be done
and whether these are directly used by ssh-agent or other programs.

Regards,
--
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.

Re: help wanted: update ssh-askpass programs for new U2F / prompt hints
My website has fallen off the web. This is a good time for someone else to take over the code for x11-ssh-askpass, as I've not done anything with it for years. I have the original code somewhere if needed, but I think Debian has mirrored it for some time.

--
jim knoble


> On Nov 18, 2019, at 01:49, Jakub Jelen <jjelen@redhat.com> wrote:
>
> Thanks for heads up.
>
> I created issues for the gnome components that implement something like
> the ssh-askpass interface and that I know about:
>
> https://gitlab.gnome.org/GNOME/seahorse/issues/248
> https://gitlab.gnome.org/GNOME/gcr/issues/33
>
> If I will have some time, I will check further what needs to be done
> and whether these are directly used by ssh-agent or other programs.
>
> Regards,
> --
> Jakub Jelen
> Senior Software Engineer
> Security Technologies
> Red Hat, Inc.

Re: help wanted: update ssh-askpass programs for new U2F / prompt hints
On Wed, 20 Nov 2019 at 14:44, Jim Knoble <jmknoble@pobox.com> wrote:
> My website has fallen off the web. This is a good time for someone else to take
> over the code for x11-ssh-askpass, as I've not done anything with it for years.
> I have the original code somewhere if needed, but I think Debian has mirrored it for some time.

There's also a version in OpenBSD's xenocara repo:
https://cvsweb.openbsd.org/xenocara/app/ssh-askpass/

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: help wanted: update ssh-askpass programs for new U2F / prompt hints
Darren Tucker <dtucker@dtucker.net> writes:

> On Wed, 20 Nov 2019 at 14:44, Jim Knoble <jmknoble@pobox.com> wrote:
>> My website has fallen off the web. This is a good time for someone else to take
>> over the code for x11-ssh-askpass, as I've not done anything with it for years.
>> I have the original code somewhere if needed, but I think Debian has mirrored it for some time.
>
> There's also a version in OpenBSD's xenocara repo:
> https://cvsweb.openbsd.org/xenocara/app/ssh-askpass/

Comparing that with my repo for the Debian package:

http://git.hands.com/ssh-askpass

it seems the OpenBSD version was taken from a 2000 version of Jim's
code, whereas Debian's is based off of a later version (2001 -- the
latest I'm aware of).

Looking at this also reminds me that I've had some minor edits relating
to the manual that I've been failing to upload for several years by the
looks of it. :-/

I had meant to do a final upload, and then orphan the Debian package, on
the basis that I don't use it myself any more ... but apparently failed.

If anyone here wants to adopt it (as a Debian package and/or as
upstream), or help with the U2F request, I would certainly welcome that,
and it looks like Jim would too.

Cheers, Phil.
--
|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
|-| http://www.hands.com/ http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY