Re: ssh-askpass keyboard grab problems
From: John A. Sullivan III (john.sullivan_at_nexusmgmt.com)
To: Eric Johanson <firstname.lastname@example.org>, email@example.com Date: 22 Jul 2003 08:56:56 -0400
Thanks for the tips. We do, in some instances, use keys without
passphrases. ISCS (http://iscs.sourceforge.net) is a fairly complex
product with multiple devices and different types of users. For those
accessing critical systems, we are using keys. However, for those
accessing less critical systems and who are more numerous, we did not
want to deal with key distribution and wanted to just use user id and
ssh-agent is working quite successfully for us. We would just like to
get rid of the annoying "Could not grab keyboard" errors without
compromising the security of making sure there is no malice going on.
We were hoping it was some kind of misconfiguration of ssh on our part.
Is there a simple way of eliminating this error through some setting or
command line argument somewhere? Thanks - John
On Tue, 2003-07-22 at 04:32, Eric Johanson wrote:
> Why have you ruled out using ssh keys with no passphrase? *
> Or have you? :)
> Kindest Regards,
> * Or ideally with a passphrase, but loaded up in ssh-agent. Here's how to
> do this with usb thumb drives, but the same basic concept works with local
> keys: http://vilos.com/usb_ssh_agent/
> PS. As for that error, there is much code in ssh and gpg to prevent the
> 'shadowing' of keyboard input. This includes tty masking, etc. You'll
> get this all the time in web apps trying to drive ssh or gpg. In two
> cases I had to hack the code to ssh to not do the strict checking of ttys,
> but there may be a flag now.
> On Mon, 21 Jul 2003, John A. Sullivan III wrote:
> > We're developing a security application (http://iscs.sourceforge.net)
> > that uses SSH for out-of-band management. Sometimes we want to use rsa
> > keys and other times we want to use user ids and passwords. We noticed
> > that there was not an OpenSSH API that we could use to pass the user's
> > password and that we could not give it via stdin. We did notice that we
> > could set SSH_ASKPASS and launch gnome-ssh-askpass or ssh-askpass (or I
> > suppose anything else).
> > We tried this and were quite pleased with the result in that it allows
> > us to get on with the rest of the code and not worry about this for
> > now. However, every time we launch the application and it requests the
> > ssh password via either ssh-askpass or gnome-ssh-askpass or
> > x11-ssh-askpass, we receive errors about "could not grab keyboard" and
> > hints that there might be malice afoot.
> > What is causing this error and how to we go about eliminating it?
> > Thanks - John Sullivan
-- John A. Sullivan III Chief Technology Officer Nexus Management +1 207-985-7880 firstname.lastname@example.org --- If you are interested in helping to develop a GPL enterprise class VPN/Firewall/Security device management console, please visit http://iscs.sourceforge.net