Bug 458711 - ksshaskpass should not show a password for "confirm user presence"
Status: RESOLVED FIXED
Alias: None
Product: ksshaskpass
Classification: Applications
Component: general
Version: unspecified
Platform: Other Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Jeremy Whiting
Reported: 2022-09-04 19:58 UTC by Perry Lorier
Modified: 2024-06-28 11:47 UTC

Description Perry Lorier 2022-09-04 19:58:55 UTC
SUMMARY

When using an ed25519_sk key, when it prompts for user presence (i.e., please touch the yubi security key), ksshaskpass shows a dialog with:

Confirm user presence for key ED25519-SK SHA256:<keysnipped>
Password: [                                       ]
[ ] Remember Password
[ Ok ] [ Cancel ] 

This tends to "trick" me into entering my password again unnecessarily.

Instead it should be a "TypeConfirm" message.

STEPS TO REPRODUCE
1. Create an ed25519_sk key.
2. Load the key into your agent.
3. Attempt to use the key.
4. Note the dialog box prompts unnecessarily for a password.

OBSERVED RESULT

Dialog box prompts unnecessarily for a password.

EXPECTED RESULT

Dialog box instead should just provide a "Cancel" button, or perhaps one of the other dialog types.  It should not prompt for a password.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: 5.25.4
Comment 2 Bug Janitor Service 2024-06-19 21:54:12 UTC
A possibly relevant merge request was started @ https://invent.kde.org/plasma/ksshaskpass/-/merge_requests/22
Comment 3 Ilya Bizyaev 2024-06-28 11:47:25 UTC
Git commit 882b13214d9d6409210ea18a1163b5d104c8dc26 by Ilya Bizyaev.
Committed on 28/06/2024 at 11:47.
Pushed by ilyabizyaev into branch 'master'.

Add support for SSH_ASKPASS_PROMPT

Since 2019, OpenSSH sets the `SSH_ASKPASS_PROMPT` environment variable
to inform askpass programs what UI they should display:

* https://github.com/openssh/openssh-portable/commit/b497e920b409250309c4abe64229237b8f2730ba
* https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-November/038032.html

There are 3 reported types:
* "confirm": `[Yes]  No`
* "none" (e.g. for proof of presence): `[Close]`
* "" (referred to as "entry"): `|Text field|  [OK]  Cancel`

These are a subset of UI display modes already supported by KSSHAskPass,
so this commit only changes the detection logic. I attempted to make this change
minimally invasive and self-contained.

Reading the environment variable is more reliable than parsing strings.
In particular, certain SSH agents used in corporate environments use
different prompt formats, which was not compatible with KSSHAskPass.

The pre-existing display type enum is kept separate for now because it
also supports cleartext. Some string parsing also remains in place for
KWallet password storage. I can attempt to refactor model logic in a
follow-up MR.

M  +58   -94   src/main.cpp

https://invent.kde.org/plasma/ksshaskpass/-/commit/882b13214d9d6409210ea18a1163b5d104c8dc26
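
Added example (not part of the bug report and not KSSHAskPass code): a minimal C++ sketch of choosing the dialog type from SSH_ASKPASS_PROMPT instead of from the prompt wording, run against the prompt quoted in the description. The function names and the "(yes/no" text heuristic are hypothetical, and treating an unset or unrecognised value as "entry" is an assumption.

```cpp
// Added example; not KSSHAskPass source. All names here are hypothetical.
#include <cstdlib>
#include <iostream>
#include <string>

enum class Ui { Entry, Confirm, None };  // the three types in the commit message

// Dialog type from the SSH_ASKPASS_PROMPT value; nullptr means the variable is unset.
// Assumption: unset, empty or unrecognised values are all treated as "entry".
Ui uiFromHint(const char *hint) {
    const std::string h = hint ? hint : "";
    if (h == "confirm") return Ui::Confirm;  // [Yes]  No
    if (h == "none") return Ui::None;        // [Close], e.g. proof of presence
    return Ui::Entry;                        // |Text field|  [OK]  Cancel
}

// Constructed stand-in for prompt-string detection: it knows one wording only.
Ui uiFromPromptText(const std::string &prompt) {
    if (prompt.find("(yes/no") != std::string::npos) return Ui::Confirm;
    return Ui::Entry;  // any unrecognised wording ends up with a password field
}

// Only an entry dialog may show a text field or a "Remember Password" box.
bool showsSecretField(Ui ui) { return ui == Ui::Entry; }

const char *uiName(Ui ui) {
    switch (ui) {
    case Ui::Confirm: return "confirm";
    case Ui::None: return "none";
    default: return "entry";
    }
}

int main() {
    // Prompt text from the bug description; the hint value is the one the
    // commit message gives for proof of presence.
    const std::string prompt = "Confirm user presence for key ED25519-SK SHA256:<keysnipped>";
    const Ui byText = uiFromPromptText(prompt);
    const Ui byHint = uiFromHint("none");
    std::cout << "by prompt text: " << uiName(byText) << ", secret field: " << showsSecretField(byText) << "\n";
    std::cout << "by hint:        " << uiName(byHint) << ", secret field: " << showsSecretField(byHint) << "\n";
    // What this process was actually started with (unset outside an askpass call).
    std::cout << "environment:    " << uiName(uiFromHint(std::getenv("SSH_ASKPASS_PROMPT"))) << "\n";
    return 0;
}
```

With the text heuristic the presence prompt falls through to a password field, which is the behaviour reported in the description; with the hint it gets no secret field at all.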