Re: ssh-askpass keyboard grab problems

From: John A. Sullivan III (john.sullivan_at_nexusmgmt.com)
Date: 07/22/03

    To: Eric Johanson <ericj@shmoo.com>, secureshell@securityfocus.com
    Date: 22 Jul 2003 08:56:56 -0400
    
    

    Thanks for the tips. We do, in some instances, use keys without
    passphrases. ISCS (http://iscs.sourceforge.net) is a fairly complex
    product with multiple devices and different types of users. For those
    accessing critical systems, we are using keys. However, for those
    accessing less critical systems and who are more numerous, we did not
    want to deal with key distribution and wanted to just use user id and
    password.

    ssh-agent is working quite successfully for us. We would just like to
    get rid of the annoying "Could not grab keyboard" errors without
    compromising the security of making sure there is no malice going on.
    We were hoping it was some kind of misconfiguration of ssh on our part.
    Is there a simple way of eliminating this error through some setting or
    command line argument somewhere? Thanks - John

    On Tue, 2003-07-22 at 04:32, Eric Johanson wrote:
    > Why have you ruled out using ssh keys with no passphrase? *
    >
    > Or have you? :)
    >
    > Kindest Regards,
    > -Eric
    >
    > * Or ideally with a passphrase, but loaded up in ssh-agent. Here's how to
    > do this with usb thumb drives, but the same basic concept works with local
    > keys: http://vilos.com/usb_ssh_agent/
    >
    >
    > PS. As for that error, there is much code in ssh and gpg to prevent the
    > 'shadowing' of keyboard input. This includes tty masking, etc. You'll
    > get this all the time in web apps trying to drive ssh or gpg. In two
    > cases I had to hack the code to ssh to not do the strict checking of ttys,
    > but there may be a flag now.
    >
    > On Mon, 21 Jul 2003, John A. Sullivan III wrote:
    >
    > > We're developing a security application (http://iscs.sourceforge.net)
    > > that uses SSH for out-of-band management. Sometimes we want to use rsa
    > > keys and other times we want to use user ids and passwords. We noticed
    > > that there was not an OpenSSH API that we could use to pass the user's
    > > password and that we could not give it via stdin. We did notice that we
    > > could set SSH_ASKPASS and launch gnome-ssh-askpass or ssh-askpass (or I
    > > suppose anything else).
    > > We tried this and were quite pleased with the result in that it allows
    > > us to get on with the rest of the code and not worry about this for
    > > now. However, every time we launch the application and it requests the
    > > ssh password via either ssh-askpass or gnome-ssh-askpass or
    > > x11-ssh-askpass, we receive errors about "could not grab keyboard" and
    > > hints that there might be malice afoot.
    > > What is causing this error and how do we go about eliminating it?
    > > Thanks - John Sullivan
    > >

    -- 
    John A. Sullivan III
    Chief Technology Officer
    Nexus Management
    +1 207-985-7880
    john.sullivan@nexusmgmt.com
    ---
    If you are interested in helping to develop a GPL enterprise class
    VPN/Firewall/Security device management console, please visit
    http://iscs.sourceforge.net 
    
