ccontavalli / ssh-ident

Different agents and different keys for different projects, with ssh.

ssh-ident ignores ssh-askpass (or SSH_ASKPASS and DISPLAY vars) #18

Closed eugenesvk closed 8 years ago

eugenesvk commented 8 years ago

I'm using the ssh-add -c flag to confirm every use of my ssh keys. To get a GUI yes/no confirmation, I've installed a little script, ssh-askpass, that creates a simple XQuartz window. Now, on OSX all that is required is to place this script in the right place, /usr/X11R6/bin/ssh-askpass, where ssh-agent is able to find it automatically. However, it's also possible to set the $SSH_ASKPASS environment variable pointing to the script ($DISPLAY also has to be set). This second option is something that I'm using on Windows with MSYS2, where instead of ssh-askpass I'm using the default git script (git-gui--askpass) to spawn a GUI window.

It works wonderfully in both environments, however it all breaks when I use ssh-ident instead of ssh. As far as I understand it, at the moment ssh-agent is spawned, it must have access to either the default path or to the path set by $SSH_ASKPASS (and also $DISPLAY). If it does, all subsequent calls will respect the -c flag, spawn a new confirmation window, wait for it and pass the ssh key (or not) depending on the button you click in that window. Now, since your script spawns agents in subprocess calls, they don't have access to these default paths or environment variables and ssh-agent doesn't know it can spawn a GUI window, so it just ignores the -c flag and never passes an ssh key. Would you please adjust your subprocess routines so that ssh-agent would have access to those two variables (and either allow the user to set them separately or read them from the default environment beforehand, and if unset try to read /usr/X11R6/bin/ssh-askpass, which seems to be the default path on OSX)?

OSX 10.11.3 or Win10 with MSYS2
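
An added example, not part of the thread and not ssh-ident's own code: one way a wrapper could build the environment for the ssh-agent it spawns so that SSH_ASKPASS and DISPLAY reach the agent, with the fallback path requested above. The function names, the pass-through list and the PATH-only base environment are assumptions made for illustration.

```python
import os
import subprocess

# Default helper location named in the report (macOS); the list form is an assumption.
DEFAULT_ASKPASS_PATHS = ["/usr/X11R6/bin/ssh-askpass"]
# Variables the agent needs in order to show the "ssh-add -c" confirmation.
PASS_THROUGH = ("SSH_ASKPASS", "DISPLAY")


def build_agent_env(parent_env, askpass_paths=DEFAULT_ASKPASS_PATHS,
                    is_executable=lambda p: os.access(p, os.X_OK)):
    """Return (env, problems) for an ssh-agent child process.

    Starts from a PATH-only environment, copies the confirmation-related
    variables from parent_env, falls back to a default askpass path, and
    lists every reason a confirmation prompt could not be displayed.
    """
    env = {"PATH": parent_env.get("PATH", os.defpath)}
    for name in PASS_THROUGH:
        if parent_env.get(name):
            env[name] = parent_env[name]
    if "SSH_ASKPASS" not in env:
        for candidate in askpass_paths:
            if is_executable(candidate):
                env["SSH_ASKPASS"] = candidate
                break
    problems = []
    if "SSH_ASKPASS" not in env:
        problems.append("no askpass helper: SSH_ASKPASS unset, no default found")
    elif not is_executable(env["SSH_ASKPASS"]):
        problems.append("SSH_ASKPASS is not executable: " + env["SSH_ASKPASS"])
    if "DISPLAY" not in env:
        problems.append("DISPLAY unset: helper cannot open a window")
    return env, problems


def spawn_agent(parent_env=os.environ):
    """Start ssh-agent only if the confirmation prompt can be shown."""
    env, problems = build_agent_env(parent_env)
    if problems:
        # Fail loudly rather than run an agent whose -c keys cannot be confirmed.
        raise RuntimeError("ssh-add -c confirmation unavailable: " + "; ".join(problems))
    # "ssh-agent -s" prints Bourne-shell commands that set SSH_AUTH_SOCK etc.
    return subprocess.check_output(["ssh-agent", "-s"], env=env, text=True)
```

Calling `build_agent_env(os.environ)` before adding keys with `-c` shows up front whether the confirmation can be displayed.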

ccontavalli commented 8 years ago

Thanks for the report! I'm surprised I did not / nobody noticed this before - and sorry for latency.

I do not use SSH_ASKPASS or similar - so did not test it. But agent forwarding and a simple script run via BINARY_SSH show the environment being propagated correctly now, locale and X forwarding included.

If you could confirm this now works correctly, that'd be great. In the meantime, the bug has been closed.

eugenesvk commented 8 years ago

Unfortunately, it doesn't work. When I have the "personal": "-c" option in my config files, ssh-ident silently ignores it (my guess is for the same reason — the vars aren't read) and just asks me to enter the password to the website directly, even though the key is loaded properly: "All keys already loaded".

When I launch an agent manually and manually add the same key with the -c option (with export DISPLAY=localhost:0.0 and export SSH_ASKPASS=/usr/lib/git-core/git-gui--askpass defined in my bash profile) it all works — the agent opens up the GUI to ask for a confirmation.

kgraefe commented 5 years ago

Why does ssh-ident clear the environment in the first place?