
pivy-agent: use ssh-askpass to obtain the PIN #25

Open
FiloSottile opened this issue Apr 25, 2020 · 5 comments

Comments

@FiloSottile

It's unfortunate that one needs to remember to provide the PIN with ssh-add -X at every reboot. If ssh-askpass is available, pivy-agent could use it to obtain the PIN from the user while the signing request is pending.

(I also assume there is no way for the agent to ask the client to provide a passphrase when a signature was requested, otherwise pivy-agent should definitely do that.)

@arekinath
Owner

Yeah, the ssh-agent protocol doesn't give any way for the agent to ask for creds through the thing that's connected to it, unfortunately.

Supporting an askpass program is a good idea, though. I've been thinking of doing that anyway, and also perhaps supporting desktop notification when we have a YubiKey attached which is waiting for touch confirm (if we can easily tell that the slot requires touch confirm, like on 5.3.x firmware -- though we can tell on earlier devices if we ask for an attestation cert at startup too)

@arekinath
Owner

This is available on my fork now (https://github.com/arekinath/pivy) in the 0.6.0 release.

@rdslw

rdslw commented Nov 22, 2020

@arekinath can you point me to how to achieve desktop notification on yubi asking to touch?

@arekinath
Owner

arekinath commented Nov 23, 2020

@rdslw Support specifically for the "touch is needed" detection popup will be in the next release, hopefully (I added the framework to support it in 4c77dc1 but it's not in the agent code yet). Currently what's supported is "SSH_ASKPASS" (whenever an attempt to use the agent which would normally fail due to lack of a cached PIN, we run a program in that env var to prompt the user for that PIN), and "SSH_CONFIRM" where we run a program (e.g. zenity) on each use of the agent by a new client to confirm it -- this latter feature also supports a "forwarded confirmation" mode where forwarded agent requests (sent from a remote host via ssh -A etc) are subject to confirmation but not local ones.

To use it you just have to set these environment variables before starting pivy-agent (that will activate the askpass feature) and use either -C or -CC to enable confirmation. The "touch is needed" popup will be similar -- a command to run in an environment variable (I don't intend to require an option for that one).
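As an added illustration of the askpass and confirm hooks described in the comment above (this is example code, not part of pivy or anything arekinath published), here is a small POSIX sh helper that can be installed under two names and pointed to by `SSH_ASKPASS` and `SSH_CONFIRM`. It assumes the usual ssh-askpass calling convention: the prompt text arrives as `$1`, the PIN is written as one line to stdout, and nothing else touches stdout; for the confirm program it assumes exit status 0 means "allow". The `zenity --entry --hide-text` and `zenity --question` invocations are real zenity options; the optional second argument (`zenity`, `tty`, `stdin`) and the `stdin` backend exist only so the functions can be exercised without a display and are not something pivy-agent passes.

```shell
#!/bin/sh
# Example askpass/confirm helper for pivy-agent (added example, not pivy's own code).
# Assumed contract: $1 is the prompt, the secret goes to stdout as a single line,
# exit status 0 from the confirm program allows the request.

# pick_backend [REQUESTED]: graphical when a display and zenity are present, else the tty.
pick_backend() {
  if [ -n "${1:-}" ]; then
    printf '%s\n' "$1"
  elif [ -n "${DISPLAY:-}" ] && command -v zenity >/dev/null 2>&1; then
    printf 'zenity\n'
  else
    printf 'tty\n'
  fi
}

# askpass_prompt PROMPT [BACKEND]
# Prints the PIN on stdout. A cancelled dialog or empty answer exits non-zero and
# prints nothing, so the agent never presents an empty string to the token: every
# wrong PIN attempt consumes one try from the PIV retry counter.
askpass_prompt() {
  prompt=${1:-"pivy-agent: enter PIN"}
  pin=""
  case $(pick_backend "${2:-}") in
    zenity)
      pin=$(zenity --entry --hide-text --title "pivy-agent" --text "$prompt") || pin="" ;;
    tty)
      printf '%s: ' "$prompt" >/dev/tty
      stty -echo </dev/tty
      read -r pin </dev/tty
      stty echo </dev/tty
      printf '\n' >/dev/tty ;;
    stdin)
      read -r pin ;;   # non-interactive backend, used only by tests
  esac
  [ -n "$pin" ] || return 1
  printf '%s\n' "$pin"
}

# confirm_prompt PROMPT [BACKEND]
# SSH_CONFIRM-style: status 0 allows the signing request, anything else denies it.
confirm_prompt() {
  prompt=${1:-"pivy-agent: allow this request?"}
  case $(pick_backend "${2:-}") in
    zenity) zenity --question --title "pivy-agent" --text "$prompt" ;;
    tty)
      printf '%s [y/N] ' "$prompt" >/dev/tty
      read -r answer </dev/tty
      [ "$answer" = y ] || [ "$answer" = Y ] ;;
    stdin)
      read -r answer
      [ "$answer" = y ] || [ "$answer" = Y ] ;;
  esac
}

# Dispatch on our own name when installed as the askpass or confirm program.
# Example installation (paths are illustrative):
#   cp this-script ~/bin/pivy-askpass; ln -s ~/bin/pivy-askpass ~/bin/pivy-confirm
#   export SSH_ASKPASS=$HOME/bin/pivy-askpass
#   export SSH_CONFIRM=$HOME/bin/pivy-confirm
#   pivy-agent -C ...   # or -CC; see the comment above for the two confirmation modes
case ${0##*/} in
  pivy-askpass) askpass_prompt "$1" ;;
  pivy-confirm) confirm_prompt "$1" ;;
esac
```

The non-zero exit on an empty answer is the part worth keeping if you write your own: a confirm dialog the user dismisses must deny, and a PIN dialog the user cancels must not hand the agent an empty PIN to try.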

@rdslw

rdslw commented Jan 1, 2021

Thanks @arekinath. One quick question: when do you plan to have a new release with the "touch is needed" capability?
