arekinath / pivy

Tools for using PIV tokens (like Yubikeys) as an SSH agent, for encrypting data at rest, and more

pivy-agent: use ssh-askpass to obtain the PIN #25

Open FiloSottile opened 4 years ago

FiloSottile commented 4 years ago

It's unfortunate that one needs to remember to provide the PIN with ssh-add -X at every reboot. If ssh-askpass is available, pivy-agent could use it to obtain the PIN from the user while the signing request is pending.

(I also assume there is no way for the agent to ask the client to provide a passphrase when a signature was requested, otherwise pivy-agent should definitely do that.)

arekinath commented 4 years ago

Yeah, the ssh-agent protocol doesn't give any way for the agent to ask for creds through the thing that's connected to it, unfortunately.

Supporting an askpass program is a good idea, though. I've been thinking of doing that anyway, and also perhaps supporting desktop notification when we have a YubiKey attached which is waiting for touch confirm (if we can easily tell that the slot requires touch confirm, like on 5.3.x firmware -- though we can tell on earlier devices if we ask for an attestation cert at startup too)

arekinath commented 4 years ago

This is available on my fork now (https://github.com/arekinath/pivy) in the 0.6.0 release

rdslw commented 3 years ago

@arekinath can you point me how to achieve desktop notification on yubi asking to touch?

arekinath commented 3 years ago

@rdslw Support specifically for the "touch is needed" detection popup will be in the next release, hopefully (I added the framework to support it in 4c77dc13 but it's not in the agent code yet). Currently what's supported is "SSH_ASKPASS" (whenever an attempt to use the agent which would normally fail due to lack of a cached PIN, we run a program in that env var to prompt the user for that PIN), and "SSH_CONFIRM" where we run a program (e.g. zenity) on each use of the agent by a new client to confirm it -- this latter feature also supports a "forwarded confirmation" mode where forwarded agent requests (sent from a remote host via ssh -A etc) are subject to confirmation but not local ones.

To use it you just have to set these environment variables before starting pivy-agent (that will activate the askpass feature) and use either -C or -CC to enable confirmation. The "touch is needed" popup will be similar -- a command to run in an environment variable (I don't intend to require an option for that one).
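As an added example that is not part of this thread or of pivy itself: a single POSIX shell helper that can serve as both the SSH_ASKPASS program (prompts for the PIN) and the SSH_CONFIRM program (asks whether a new client may use the agent) described in the comment above. It assumes, without the thread saying so, that pivy-agent follows the OpenSSH ssh-askpass convention (the prompt text arrives as the first argument, the secret is printed on stdout, exit status 0 means success) and that for SSH_CONFIRM an exit status of 0 means "allow". The script name, the pivy-askpass/pivy-confirm symlink names and the zenity-or-terminal fallback are my choices, not the project's.

```shell
#!/bin/sh
# Added example, not pivy code. Install once, then symlink it twice:
#   ln -s pivy-helper.sh pivy-askpass
#   ln -s pivy-helper.sh pivy-confirm
# and export SSH_ASKPASS=/path/to/pivy-askpass and SSH_CONFIRM=/path/to/pivy-confirm
# before starting pivy-agent (with -C or -CC for the confirmation feature).
# Assumed conventions (not stated in the thread): askpass gets the prompt as $1
# and prints the PIN on stdout; confirm signals approval by exiting 0.

# Prompt for a PIN. Uses zenity when a display is available, otherwise reads from
# the terminal with echo disabled (or from stdin when not attached to a tty).
askpass_prompt() {
    prompt=${1:-"PIN:"}
    if [ -n "$DISPLAY" ] && command -v zenity >/dev/null 2>&1; then
        zenity --password --title="pivy-agent" --text="$prompt" 2>/dev/null
        return $?
    fi
    if [ -t 0 ]; then
        printf '%s ' "$prompt" >/dev/tty
        stty -echo            # do not echo the PIN
        IFS= read -r pin
        stty echo
        printf '\n' >/dev/tty
    else
        IFS= read -r pin
    fi
    # An empty PIN is treated as a cancelled prompt, so the agent does not
    # burn a retry counter on the token with an empty string.
    [ -n "$pin" ] || return 1
    printf '%s\n' "$pin"
}

# Ask whether a new agent client may use the key. Exit 0 = allow, 1 = deny.
# Anything other than an explicit "y"/"yes" denies, so a stray Enter is safe.
confirm_use() {
    prompt=${1:-"Allow this client to use the PIV key?"}
    if [ -n "$DISPLAY" ] && command -v zenity >/dev/null 2>&1; then
        zenity --question --title="pivy-agent" --text="$prompt" 2>/dev/null
        return $?
    fi
    if [ -t 0 ]; then
        printf '%s [y/N] ' "$prompt" >/dev/tty
    fi
    IFS= read -r answer
    case "$answer" in
        y|Y|yes|YES) return 0 ;;
        *) return 1 ;;
    esac
}

# Dispatch on the name the script was invoked by (the symlink names above).
# Invoked under any other name it only defines the functions.
case "$(basename "$0")" in
    pivy-askpass) askpass_prompt "$@"; exit $? ;;
    pivy-confirm) confirm_use "$@"; exit $? ;;
esac
```

The deny-by-default in confirm_use matters most in the "forwarded confirmation" mode mentioned above: a forwarded request from a remote host should never be approved by an accidental keypress.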

rdslw commented 3 years ago

Thanks @arekinath. One quick question: when do you plan to have a new release with the "touch is needed" capability?