Bug#1037515: openssh-client: ssh-agent does not start ssh-askpass for notifications under wayland

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1037515: openssh-client: ssh-agent does not start ssh-askpass for notifications under wayland
From: Adrian Friedli <adi@koalatux.ch>
Date: Tue, 13 Jun 2023 19:19:14 +0200
Message-id: <[🔎] 168667675460.55776.8419321564312340649.reportbug@perseus.office.koubachi.com>
Reply-to: Adrian Friedli <adi@koalatux.ch>, 1037515@bugs.debian.org

Package: openssh-client
Version: 1:9.2p1-2
Severity: normal
X-Debbugs-Cc: adi@koalatux.ch

Dear Maintainer,

I am using a hardware token supporting FIDO2 for SSH. The hardware token
requires presence for every SSH connection. The ssh-agent starts
ssh-askpass to notify the user that presence is required. This works
well with X11, but with wayland no notification appears, but touching
the hardware token still works and the SSH connection can still be
established successfully.

Looking into the code[1] reveals that ssh-agent is checking for the
DISPLAY environment variable, otherwise it won't even start ssh-askpass.

As a work-around I now start ssh-agent with the env variable
SSH_ASKPASS_REQUIRE set to "force", I achieved this by creating the file
/etc/systemd/user/ssh-agent.service.d/override.conf with these two lines
as content:

[Service]
Environment="SSH_ASKPASS_REQUIRE=force"

At least with ksshaskpass as the selected alternative for ssh-askpass
this works.

Kind regards,
Adi


[1]: https://sources.debian.org/src/openssh/1%3A9.2p1-2/readpass.c/#L264-L269


-- System Information:
Debian Release: 12.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-9-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-client depends on:
ii  adduser           3.134
ii  libc6             2.36-9
ii  libedit2          3.1-20221030-2
ii  libfido2-1        1.12.0-2+b1
ii  libgssapi-krb5-2  1.20.1-2
ii  libselinux1       3.4-1+b6
ii  libssl3           3.0.9-1
ii  passwd            1:4.13+dfsg1-1+b1
ii  zlib1g            1:1.2.13.dfsg-1

Versions of packages openssh-client recommends:
ii  xauth  1:1.1.2-1

Versions of packages openssh-client suggests:
pn  keychain                   <none>
ii  ksshaskpass [ssh-askpass]  4:5.27.5-2
pn  libpam-ssh                 <none>
pn  monkeysphere               <none>

-- Configuration Files:
/etc/ssh/ssh_config changed [not included]

-- no debconf information

Reply to:

Prev by Date: [bts-link] source package src:openssh
Next by Date: Bug#1002691: openssh-client: ssh-agent doesn't get autostarted under wayland
Previous by thread: [bts-link] source package src:openssh
Next by thread: Bug#1002691: openssh-client: ssh-agent doesn't get autostarted under wayland
Index(es):
- Date
- Thread