Package: openssh-client Version: 1:9.7p1-2+b1 Severity: normal Tags: patch Forwarded: https://github.com/openssh/openssh-portable/pull/479 X-Debbugs-Cc: Daniel Kahn Gillmor <[email protected]>
When using a wayland graphical environment without xwayland, at least
two different parts of OpenSSH decline to prompt the user graphically,
even if ssh-askpass-gnome is installed. (and ssh-askpass-gnome works
cleanly on wayland without xwayland).
The two places that i've noticed that don't prompt are:
- when a key has been added to ssh-agent with `-c` the confirmation
prompt for use doesn't show.
- when a multiplexed ssh session with `ControlMaster=ask` or
`ControlMaster=autoask` is configured and another ssh session wants to
connect over it.
In both locations, ssh-askpass isn't used because the environment
variable DISPLAY isn't set. I would guess that early adopters of
wayland who have declined to run XWayland have all just shrugged and
worked around this by manually setting SSH_ASKPASS_REQUIRE=force, or to
spuriously setting DISPLAY or something like that as a workaround.
But the tools should really be friendlier to this environment.
I think the attached patch, which i've also offered upstream, should
enable this use case.
--dkg
-- System Information:
Debian Release: trixie/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'stable'), (500,
'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1,
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.6.15-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openssh-client depends on:
ii adduser 3.137
ii libc6 2.37-15
ii libedit2 3.1-20230828-1
ii libfido2-1 1.14.0-1
ii libgssapi-krb5-2 1.20.1-5+b1
ii libselinux1 3.5-2
ii libssl3t64 3.1.5-1.1
ii passwd 1:4.13+dfsg1-4
ii zlib1g 1:1.3.dfsg-3+b1
Versions of packages openssh-client recommends:
ii xauth 1:1.1.2-1
Versions of packages openssh-client suggests:
pn keychain <none>
pn libpam-ssh <none>
ii monkeysphere 0.44-1
ii ssh-askpass-gnome [ssh-askpass] 1:9.6p1-4
-- no debconf information
From bb3412c842c8c3dc98c1e0643905229ed3fa7a6c Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor <[email protected]> Date: Thu, 28 Mar 2024 16:22:41 -0400 Subject: [PATCH] Allow ssh-askpass on Wayland by checking for $WAYLAND_DISPLAY Currently, no part of ssh (including the agent!) will even consider running ssh-askpass unless $DISPLAY is set. But some systems run a graphical environment (e.g. Wayland) where some versions of ssh-askpass (e.g. ssh-askpass-gnome) will still work just fine. So expand this baseline check to to permit invoking ssh-askpass if the sentinel wayland environment variable is present as well. --- readpass.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/readpass.c b/readpass.c index b52f3d6b1..5e5cad29c 100644 --- a/readpass.c +++ b/readpass.c @@ -127,8 +127,9 @@ read_passphrase(const char *prompt, int flags) const char *askpass_hint = NULL; const char *s; - if ((s = getenv("DISPLAY")) != NULL) - allow_askpass = *s != '\0'; + if ((((s = getenv("DISPLAY")) != NULL) && (*s != '\0')) || + (((s = getenv("WAYLAND_DISPLAY")) != NULL) && (*s != '\0'))) + allow_askpass = 1; if ((s = getenv(SSH_ASKPASS_REQUIRE_ENV)) != NULL) { if (strcasecmp(s, "force") == 0) { use_askpass = 1; @@ -262,6 +263,7 @@ notify_start(int force_askpass, const char *fmt, ...) goto out; } if (getenv("DISPLAY") == NULL && + getenv("WAYLAND_DISPLAY") == NULL && ((s = getenv(SSH_ASKPASS_REQUIRE_ENV)) == NULL || strcmp(s, "force") != 0)) { debug3_f("cannot notify: no display"); -- 2.43.0
signature.asc
Description: PGP signature
