PowerShell / Win32-OpenSSH

Win32 port of OpenSSH

ssh-askpass missing with PKCS11 use #1921

Open bpfoley45 opened 2 years ago

bpfoley45 commented 2 years ago

"OpenSSH for Windows" version 8.9.1.0

Client OperatingSystem Windows 10 Enterprise

What is failing When leveraging certificate based authentication, I am unable to get a prompt when accessing the card. I believe this lies in the fact that there is no ssh-askpass as there is in Linux. In pathnames.h line 124 I see reference to ssh-askpass with a Linux pathing, but no matching line for win32.

The certificate authentication works, and agent forwarding is functional but I would like to get a prompt when accessing the card for security purposes. If I use OpenSSH with Pageant and wsl-ssh-pageant (https://github.com/benpye/wsl-ssh-pageant) I can configure it to prompt (yes/no) on card access.

Expected output Prompt for Smart Card use, either a yes/no prompt or PIN input.

step 1 ssh-add -c -s 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll' Enter passphrase for PKCS#11: ****

step 2 ssh -A host.fqdn -l someuser

step 3 some sort of dialogue box with focus prompting for card use (yes/no) or PIN prompt as ssh-askpass works on Linux

Actual output no dialogue box, forwarding of cert works. I see the private key in the slot being accessed on my YubiKey by it blinking

ddrown commented 2 years ago

This is related to #1961, the agent does not support SSH2_AGENTC_ADD_ID_CONSTRAINED yet.
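As an added illustration of the message ddrown points to (this is not code from the issue or from Win32-OpenSSH), the following Python encodes and decodes the agent request that `ssh-add -c -s <provider>` sends: the `-s` path uses the SMARTCARD_KEY form of the constrained add (type 26, the sibling of SSH2_AGENTC_ADD_ID_CONSTRAINED, type 25), and the CONFIRM constraint inside it is what an agent must honour to raise a per-use prompt. The provider path and PIN below are constructed sample values.

```python
import struct

# Message numbers and constraint tags from the SSH agent protocol
# (draft-miller-ssh-agent); ssh-add -s uses the SMARTCARD_KEY variants.
SSH_AGENTC_ADD_SMARTCARD_KEY = 20
SSH_AGENTC_ADD_ID_CONSTRAINED = 25
SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED = 26
SSH_AGENT_CONSTRAIN_LIFETIME = 1
SSH_AGENT_CONSTRAIN_CONFIRM = 2


def _put_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _get_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def build_add_smartcard_key(provider: str, pin: str, confirm: bool, lifetime: int = 0) -> bytes:
    """Frame the request ssh-add -s sends; -c appends SSH_AGENT_CONSTRAIN_CONFIRM."""
    constraints = b""
    if lifetime:
        constraints += bytes([SSH_AGENT_CONSTRAIN_LIFETIME]) + struct.pack(">I", lifetime)
    if confirm:
        constraints += bytes([SSH_AGENT_CONSTRAIN_CONFIRM])
    mtype = SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED if constraints else SSH_AGENTC_ADD_SMARTCARD_KEY
    body = bytes([mtype]) + _put_string(provider.encode()) + _put_string(pin.encode()) + constraints
    return struct.pack(">I", len(body)) + body  # uint32 length prefix, then the message


def parse_add_smartcard_key(msg: bytes) -> dict:
    """Decode a framed smartcard add request and the constraints the agent must honour.

    An agent that does not implement the CONSTRAINED message type (or ignores the
    CONFIRM tag) silently drops the per-use prompt the user asked for with -c.
    """
    (length,) = struct.unpack_from(">I", msg, 0)
    body = msg[4:4 + length]
    mtype = body[0]
    if mtype not in (SSH_AGENTC_ADD_SMARTCARD_KEY, SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED):
        raise ValueError(f"not a smartcard add request: type {mtype}")
    provider, off = _get_string(body, 1)
    _pin, off = _get_string(body, off)          # never log or persist the PIN
    info = {"provider": provider.decode(), "confirm": False, "lifetime": None}
    while off < len(body):                      # constraints are only present for type 26
        tag, off = body[off], off + 1
        if tag == SSH_AGENT_CONSTRAIN_LIFETIME:
            (info["lifetime"],) = struct.unpack_from(">I", body, off)
            off += 4
        elif tag == SSH_AGENT_CONSTRAIN_CONFIRM:
            info["confirm"] = True
        else:                                   # extension constraints are out of scope here
            raise ValueError(f"unsupported constraint tag {tag}")
    return info
```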

yan4321 commented 2 years ago

@bpfoley45, since you're using cert-based auth, where the cert is backed by a private key that is stored in a smartcard, a workaround (until ssh-askpass support is introduced) could be to use a smartcard that has support for touch keys such as a YubiKey (reference). With touch keys, your smartcard will enforce a physical touch before allowing any challenge-response against the key. From a security standpoint, this is stronger than using a prompt on the client machine since the touch will be enforced by the smartcard's own hardware.