
Bug#1068044: marked as done (openssh-client: graphical prompting does not work on wayland systems without xwayland)



Your message dated Wed, 31 Jul 2024 16:35:53 +0000
with message-id <E1sZCIr-00CLZo-Lu@fasolo.debian.org>
and subject line Bug#1068044: fixed in openssh 1:9.8p1-1
has caused the Debian Bug report #1068044,
regarding openssh-client: graphical prompting does not work on wayland systems without xwayland
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1068044: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068044
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-client
Version: 1:9.7p1-2+b1
Severity: normal
Tags: patch
Forwarded: https://github.com/openssh/openssh-portable/pull/479
X-Debbugs-Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

When using a wayland graphical environment without xwayland, at least
two different parts of OpenSSH decline to prompt the user graphically,
even if ssh-askpass-gnome is installed.  (And ssh-askpass-gnome works
cleanly on wayland without xwayland.)

The two places that i've noticed that don't prompt are:

- when a key has been added to ssh-agent with `-c` the confirmation
  prompt for use doesn't show.

- when a multiplexed ssh session with `ControlMaster=ask` or
  `ControlMaster=autoask` is configured and another ssh session wants to
  connect over it.


In both locations, ssh-askpass isn't used because the environment
variable DISPLAY isn't set.  I would guess that early adopters of
wayland who have declined to run XWayland have all just shrugged and
worked around this by manually setting SSH_ASKPASS_REQUIRE=force, or by
spuriously setting DISPLAY, or something like that as a workaround.

But the tools should really be friendlier to this environment.

I think the attached patch, which i've also offered upstream, should
enable this use case.

       --dkg


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.15-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-client depends on:
ii  adduser           3.137
ii  libc6             2.37-15
ii  libedit2          3.1-20230828-1
ii  libfido2-1        1.14.0-1
ii  libgssapi-krb5-2  1.20.1-5+b1
ii  libselinux1       3.5-2
ii  libssl3t64        3.1.5-1.1
ii  passwd            1:4.13+dfsg1-4
ii  zlib1g            1:1.3.dfsg-3+b1

Versions of packages openssh-client recommends:
ii  xauth  1:1.1.2-1

Versions of packages openssh-client suggests:
pn  keychain                         <none>
pn  libpam-ssh                       <none>
ii  monkeysphere                     0.44-1
ii  ssh-askpass-gnome [ssh-askpass]  1:9.6p1-4

-- no debconf information

From bb3412c842c8c3dc98c1e0643905229ed3fa7a6c Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Thu, 28 Mar 2024 16:22:41 -0400
Subject: [PATCH] Allow ssh-askpass on Wayland by checking for $WAYLAND_DISPLAY

Currently, no part of ssh (including the agent!) will even consider
running ssh-askpass unless $DISPLAY is set.  But some systems run a
graphical environment (e.g. Wayland) where some versions of
ssh-askpass (e.g. ssh-askpass-gnome) will still work just fine.

So expand this baseline check to permit invoking ssh-askpass if the
sentinel wayland environment variable is present as well.
---
 readpass.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/readpass.c b/readpass.c
index b52f3d6b1..5e5cad29c 100644
--- a/readpass.c
+++ b/readpass.c
@@ -127,8 +127,9 @@ read_passphrase(const char *prompt, int flags)
 	const char *askpass_hint = NULL;
 	const char *s;
 
-	if ((s = getenv("DISPLAY")) != NULL)
-		allow_askpass = *s != '\0';
+	if ((((s = getenv("DISPLAY")) != NULL) && (*s != '\0')) ||
+            (((s = getenv("WAYLAND_DISPLAY")) != NULL) && (*s != '\0')))
+		allow_askpass = 1;
 	if ((s = getenv(SSH_ASKPASS_REQUIRE_ENV)) != NULL) {
 		if (strcasecmp(s, "force") == 0) {
 			use_askpass = 1;
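Review bot: the continuation line `(((s = getenv("WAYLAND_DISPLAY")) != NULL) && (*s != '\0')))` is indented with spaces while every surrounding line of readpass.c uses tabs; match the file's tab indentation. The replaced code also assigned `allow_askpass = *s != '\0'`, which explicitly set the flag to 0 when DISPLAY was present but empty, whereas the new condition only ever sets it to 1 and leaves the not-allowed case to the variable's initial value, which this hunk does not show; worth confirming that allow_askpass is initialised to 0 where it is declared. The "set and non-empty" test is now written out twice; a small helper would make the intent clearer and keep the two checks from drifting apart.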
@@ -262,6 +263,7 @@ notify_start(int force_askpass, const char *fmt, ...)
 		goto out;
 	}
 	if (getenv("DISPLAY") == NULL &&
+            getenv("WAYLAND_DISPLAY") == NULL &&
 	    ((s = getenv(SSH_ASKPASS_REQUIRE_ENV)) == NULL ||
 	    strcmp(s, "force") != 0)) {
 		debug3_f("cannot notify: no display");
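Review bot: the new `getenv("WAYLAND_DISPLAY") == NULL &&` line treats an empty WAYLAND_DISPLAY as a usable display, while the read_passphrase hunk in the same patch requires the variable to be non-empty, so the two functions disagree when WAYLAND_DISPLAY is set to an empty string (notify_start goes on past this check, read_passphrase does not). That mirrors how the existing DISPLAY test here already behaves, so either rule is defensible, but the new line should follow the same rule as its sibling hunk, for example `((s = getenv("WAYLAND_DISPLAY")) == NULL || *s == '\0') &&`, or both hunks should share one helper. The added line is also indented with spaces where the neighbouring continuation line uses a tab.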
-- 
2.43.0

Attachment: signature.asc
Description: PGP signature


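The DISPLAY/WAYLAND_DISPLAY decision that the report and the patch describe, as an added example that is not part of the bug report or of OpenSSH's readpass.c: it models the two flags the first hunk sets, allow_askpass and use_askpass, before and after the change, and walks through the Wayland-without-XWayland scenario from the report. The struct and the function names askpass_decide_old, askpass_decide_new and askpass_possible are assumptions of this example; the real read_passphrase() reads the variables with getenv() and applies further conditions (tty availability, the flags argument) that are not modelled here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the two flags set at the top of read_passphrase(). */
struct askpass_decision {
	int allow_askpass;	/* a graphical display looks available */
	int use_askpass;	/* SSH_ASKPASS_REQUIRE=force overrides the display test */
};

/* "set and non-empty": the test the patch applies to both variables. */
static int env_nonempty(const char *v)
{
	return v != NULL && *v != '\0';
}

/* Standard-C equivalent of the strcasecmp(s, "force") == 0 test in readpass.c. */
static int is_force(const char *s)
{
	const char *want = "force";

	if (s == NULL)
		return 0;
	for (; *s != '\0' && *want != '\0'; s++, want++)
		if (tolower((unsigned char)*s) != *want)
			return 0;
	return *s == '\0' && *want == '\0';
}

/* Pre-patch logic: only DISPLAY can enable askpass. */
struct askpass_decision askpass_decide_old(const char *display,
    const char *wayland_display, const char *require)
{
	struct askpass_decision d = { 0, 0 };

	(void)wayland_display;		/* ignored before the patch */
	if (display != NULL)
		d.allow_askpass = *display != '\0';
	if (is_force(require))
		d.use_askpass = 1;
	return d;
}

/* Post-patch logic: DISPLAY or WAYLAND_DISPLAY, each "set and non-empty". */
struct askpass_decision askpass_decide_new(const char *display,
    const char *wayland_display, const char *require)
{
	struct askpass_decision d = { 0, 0 };

	if (env_nonempty(display) || env_nonempty(wayland_display))
		d.allow_askpass = 1;
	if (is_force(require))
		d.use_askpass = 1;
	return d;
}

/* Simplified outcome for a confirmation prompt (ssh-add -c, ControlMaster=ask):
 * ssh-askpass can be tried only if it was forced or a display is available. */
int askpass_possible(struct askpass_decision d)
{
	return d.use_askpass || d.allow_askpass;
}

int main(void)
{
	/* Constructed scenarios; the values are illustrative, not captured. */
	struct { const char *name, *display, *wayland, *require; } cases[] = {
		{ "X11 session",                    ":0", NULL,        NULL },
		{ "Wayland without XWayland",       NULL, "wayland-0", NULL },
		{ "Wayland, workaround: force",     NULL, "wayland-0", "force" },
		{ "Wayland, DISPLAY set but empty", "",   "wayland-0", NULL },
		{ "headless, no display at all",    NULL, NULL,        NULL },
	};
	size_t i;

	printf("%-32s %-4s %-4s\n", "scenario", "old", "new");
	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		struct askpass_decision o = askpass_decide_old(cases[i].display,
		    cases[i].wayland, cases[i].require);
		struct askpass_decision n = askpass_decide_new(cases[i].display,
		    cases[i].wayland, cases[i].require);

		printf("%-32s %-4s %-4s\n", cases[i].name,
		    askpass_possible(o) ? "yes" : "no",
		    askpass_possible(n) ? "yes" : "no");
	}
	return 0;
}
```

The table the program prints shows the report's complaint in one line: a Wayland session with no DISPLAY gets "no" under the old rule and "yes" under the new one, while the SSH_ASKPASS_REQUIRE=force workaround and a plain X11 session behave identically before and after.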
--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:9.8p1-1
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1068044@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 31 Jul 2024 17:16:04 +0100
Source: openssh
Architecture: source
Version: 1:9.8p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1037515 1068044 1073065
Changes:
 openssh (1:9.8p1-1) unstable; urgency=medium
 .
   * New upstream release (https://www.openssh.com/releasenotes.html#9.8p1):
     - CVE-2024-39894: Fix Logic error in ssh(1) ObscureKeystrokeTiming that
       made the feature ineffective.
     - The DSA signature algorithm is now disabled at compile-time.
     - sshd(8): the server has been split into a listener binary, sshd(8),
       and a per-session binary "sshd-session".  This allows for a much
       smaller listener binary, as it no longer needs to support the SSH
       protocol.  As part of this work, support for disabling privilege
       separation (which previously required code changes to disable) and
       disabling re-execution of sshd(8) has been removed.  Further
       separation of sshd-session into additional, minimal binaries is
       planned for the future.
     - sshd(8): several log messages have changed.  In particular, some log
       messages will be tagged with as originating from a process named
       "sshd-session" rather than "sshd".
     - ssh-keyscan(1): this tool previously emitted comment lines containing
       the hostname and SSH protocol banner to standard error.  This release
       now emits them to standard output, but adds a new "-q" flag to silence
       them altogether.
     - sshd(8): sshd will no longer use argv[0] as the PAM service name.  A
       new "PAMServiceName" sshd_config(5) directive allows selecting the
       service name at runtime.  This defaults to "sshd".
     - sshd(8): penalise client addresses that, for various reasons, do not
       successfully complete authentication.  This feature is controlled by a
       new sshd_config(5) PerSourcePenalties option and is on by default.
     - ssh(8): allow the HostkeyAlgorithms directive to disable the implicit
       fallback from certificate host key to plain host keys.
     - misc: fix a number of inaccuracies in the PROTOCOL.* documentation
       files.
     - all: switch to strtonum(3) for more robust integer parsing in most
       places.
     - ssh(1), sshd(8): correctly restore sigprocmask around ppoll().
     - ssh-keysign(8): stricter validation of messaging socket fd.
     - sftp(1): flush stdout after writing "sftp>" prompt when not using
       editline.
     - sftp-server(8): fix home-directory extension implementation, it
       previously always returned the current user's home directory contrary
       to the spec.
     - ssh-keyscan(1): do not close stdin to prevent error messages when
       stdin is read multiple times.
     - regression tests: fix rekey test that was testing the same KEX
       algorithm repeatedly instead of testing all of them.
     - ssh_config(5), sshd_config(5): clarify the KEXAlgorithms directive
       documentation, especially around what is supported vs available
       (closes: #1073065).
     - sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules
       unconditionally. The previous behaviour was to expose it only when
       particular authentication methods were in use.
     - build: fix OpenSSL ED25519 support detection. An incorrect function
       signature in configure.ac previously prevented enabling the recently
       added support for ED25519 private keys in PEM PKCS8 format.
     - ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY
       environment variable to enable SSH_ASKPASS, similarly to the X11
       DISPLAY environment variable (closes: #1037515, #1068044).
   * Stop generating DSA host key.
   * Apply X-Style: black.
Checksums-Sha1:
 9e7b47f6224e5d36ac447b5161b93ebdb2122e68 3313 openssh_9.8p1-1.dsc
 a0bb501b11349f5c5c33a269351be091dc2c2727 1910393 openssh_9.8p1.orig.tar.gz
 2c8addecb3c6af8b3eb36742d2f6c66b8281c5c9 833 openssh_9.8p1.orig.tar.gz.asc
 33d1b8fdf605a872289623e021e1eaf936471a82 192700 openssh_9.8p1-1.debian.tar.xz
Checksums-Sha256:
 a2bd13155bede2b39431455fa618375c8c157792540d6ffa7784904cbb28dc59 3313 openssh_9.8p1-1.dsc
 dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39f3 1910393 openssh_9.8p1.orig.tar.gz
 dbb65803565909f2c541db9b45385249cacbf021a0cd4189836bff5c3832d4b9 833 openssh_9.8p1.orig.tar.gz.asc
 bb4eb99907e717d58feff8160eb13ab1781c6e65ec79e341a077683c4751a135 192700 openssh_9.8p1-1.debian.tar.xz
Files:
 a29955456fdef53ed4ce186131e3a34b 3313 net standard openssh_9.8p1-1.dsc
 bc04ff77796758c0b37bd0bc9314cd3f 1910393 net standard openssh_9.8p1.orig.tar.gz
 5f6e7e04252b58565d60faf55c126208 833 net standard openssh_9.8p1.orig.tar.gz.asc
 e35f283e82ddb5fcd90041404c3b1701 192700 net standard openssh_9.8p1-1.debian.tar.xz


Attachment: pgpCs1u5CsAdR.pgp
Description: PGP signature


--- End Message ---
