Package: ssh-askpass-gnome
Version: 1:9.9p2-2
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: ereb...@erebion.eu, Debian Security Team <t...@security.debian.org>

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

* What led up to the situation?

Using:

- ssh-askpass (GNOME version)
- KeePassXC
- GNOME Keyring as the SSH Agent
- setting /run/user/1000/gcr/ssh as SSH_AUTH_SOCK in the KeePassXC settings

Askpass asks to allow using the SSH key. Upon clicking "no", a connection is still established.

SSH outputs the following:

sign_and_send_pubkey: signing failed for ED25519 "/home/user/.ssh/id_ed25519" from agent: agent refused operation

Then the prompt of the remote system appears.

* What exactly did you do (or not do) that was effective (or
ineffective)?
* What was the outcome of this action?

No idea what I could do other than report the bug.

* What outcome did you expect instead?

Clicking "no" leads to the SSH connection not getting established.

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: trixie/sid
APT prefers testing
APT policy: (900, 'testing')
Architecture: arm64 (aarch64)
Foreign Architectures: amd64

Kernel: Linux 6.12.21-arm64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ssh-askpass-gnome depends on:
ii libc6 2.41-6
ii libglib2.0-0t64 2.84.1-1
ii libgtk-3-0t64 3.24.49-3
ii openssh-client 1:9.9p2-2

ssh-askpass-gnome recommends no packages.

ssh-askpass-gnome suggests no packages.

-- no debconf information

--
erebion

XMPP: ereb...@erebion.eu

My languages: German, English, Swedish, Norwegian, Danish
Yes, I'm a language nerd. Feel free to write to me in any of the aforementioned 
languages.

Attachment: OpenPGP_0x8EAF40326E02AE7D.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature
