
pivy-agent: use ssh-askpass to obtain the PIN

Open FiloSottile opened this issue 4 years ago • 5 comments

It's unfortunate that one needs to remember to provide the PIN with ssh-add -X at every reboot. If ssh-askpass is available, pivy-agent could use it to obtain the PIN from the user while the signing request is pending.

(I also assume there is no way for the agent to ask the client to provide a passphrase when a signature was requested, otherwise pivy-agent should definitely do that.)

FiloSottile, Apr 25 '20 16:04

Yeah, the ssh-agent protocol doesn't give any way for the agent to ask for creds through the thing that's connected to it, unfortunately.

Supporting an askpass program is a good idea, though. I've been thinking of doing that anyway, and also perhaps supporting desktop notification when we have a YubiKey attached which is waiting for touch confirm (if we can easily tell that the slot requires touch confirm, like on 5.3.x firmware -- though we can tell on earlier devices if we ask for an attestation cert at startup too)

arekinath, Apr 26 '20 23:04

This is available on my fork now (https://github.com/arekinath/pivy) in the 0.6.0 release

arekinath, May 26 '20 04:05

@arekinath can you point me to how to achieve desktop notification when the yubi is asking for touch?

rdslw, Nov 22 '20 15:11

@rdslw Support specifically for the "touch is needed" detection popup will be in the next release, hopefully (I added the framework to support it in 4c77dc13 but it's not in the agent code yet). Currently what's supported is "SSH_ASKPASS" (whenever an attempt to use the agent which would normally fail due to lack of a cached PIN, we run a program in that env var to prompt the user for that PIN), and "SSH_CONFIRM" where we run a program (e.g. zenity) on each use of the agent by a new client to confirm it -- this latter feature also supports a "forwarded confirmation" mode where forwarded agent requests (sent from a remote host via ssh -A etc) are subject to confirmation but not local ones.

To use it you just have to set these environment variables before starting pivy-agent (that will activate the askpass feature) and use either -C or -CC to enable confirmation. The "touch is needed" popup will be similar -- a command to run in an environment variable (I don't intend to require an option for that one).

arekinath, Nov 23 '20 00:11
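A launcher along the lines of the setup described in the comment above, added here as an example and not part of pivy or this thread. It assumes only what the comment states: pivy-agent reads SSH_ASKPASS and SSH_CONFIRM from its environment and takes -C or -CC to enable confirmation; the mode names (none, confirm, double) and the helper-validation logic are this example's own, and any further pivy-agent arguments are passed through unchanged.

```shell
#!/bin/sh
# Added example (not pivy's own code): validate the askpass/confirm helpers
# named in SSH_ASKPASS / SSH_CONFIRM, then start pivy-agent with them.
# Assumption: pivy-agent honours these variables and -C / -CC as the
# maintainer describes; extra arguments are passed straight through.

# check_helper VAR: succeed only if $VAR holds an absolute path to an
# executable file. A relative or missing helper would silently leave the
# agent unable to prompt, so fail loudly here instead.
check_helper() {
  var=$1
  eval "prog=\${$var}"
  if [ -z "$prog" ]; then
    echo "$var is not set" >&2; return 1
  fi
  case $prog in
    /*) ;;
    *) echo "$var must be an absolute path: $prog" >&2; return 1 ;;
  esac
  if [ ! -f "$prog" ] || [ ! -x "$prog" ]; then
    echo "$var is not an executable file: $prog" >&2; return 1
  fi
  return 0
}

# confirm_flag MODE: map a mode name (names are this example's own) to the
# pivy-agent confirmation flag from the comment; unknown modes fail.
confirm_flag() {
  case $1 in
    none)    echo "" ;;
    confirm) echo "-C" ;;
    double)  echo "-CC" ;;
    *)       return 1 ;;
  esac
}

# start_pivy_agent MODE [pivy-agent args...]
start_pivy_agent() {
  mode=$1; shift
  check_helper SSH_ASKPASS || return 1
  if [ "$mode" != none ]; then
    check_helper SSH_CONFIRM || return 1   # e.g. /usr/bin/zenity wrapper
  fi
  flag=$(confirm_flag "$mode") || { echo "unknown mode: $mode" >&2; return 1; }
  # shellcheck disable=SC2086  # $flag is intentionally empty or one word
  exec pivy-agent $flag "$@"
}
```

Invoke as `SSH_ASKPASS=/usr/bin/ssh-askpass SSH_CONFIRM=/usr/local/bin/confirm start_pivy_agent confirm <other pivy-agent args>`; with mode `none` only the askpass prompt is wired up.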

Thanks @arekinath. One quick question: when do you plan to have a new release with the "touch is needed" capability?

rdslw, Jan 01 '21 13:01