SSH_ASKPASS handler breaks 2FA login

[muendelezaji]

Does this issue occur when all extensions are disabled? Yes

• VS Code Version: 1.72.0-insider
• OS Version: macOS 12.5.1

Version: 1.72.0-insider
Commit: 5cecbf4
Date: 2022-09-09T16:24:20.520Z
Electron: 19.0.12
Chromium: 102.0.5005.167
Node.js: 16.14.2
V8: 10.2.154.15-electron.0
OS: Darwin x64 21.6.0
Sandboxed: Yes

Steps to Reproduce:

1. In the integrated terminal, try to SSH into a server that prompts for a 2FA code (e.g. via Yubikey). Any commands that uses SSH internally (e.g. rsync) also seem to exhibit similar behaviour.

Expected:
A prompt should appear in the terminal for the 2FA code to be entered. This was the previous behaviour.

Actual:
VSCode takes over and shows a popup asking "Are you sure you want to continue connecting?". The terminal prompt isn't shown, making it impossible to log into the server.

Additional details:
The changes potentially responsible appear to be from #159573 (Git - implement SSH_ASKPASS handler).

The popup only seems to handle SSH fingerprint prompts, and thus makes some assumptions about the nature of the text. This leads to extracting incorrect values for host and fingerprint. Below are screenshots from 3 scenarios:

1. SSH fingerprint prompt (what the handler assumes)

2. First time popup when 2fa prompt is captured (personal info redacted)

3. Subsequent popups when 2fa prompt is captured

Note that for (2) and (3) the host and fingerprint could be anything, depending on the actual prompt text.

[lszomoru]

@muendelezaji, could you please try the following workaround to unblock you:

• Close all integrated terminal windows
• Set the git.terminalAuthentication setting to false
• Reload VS Code and try again

[muendelezaji]

@lszomoru That has worked, back to the old behaviour for now. Thanks.

[lszomoru]

@muendelezaji, thank you very much for confirming the workaround.
I will look at committing a fix to better handle SSH keys with 2FA.

[muendelezaji]

@lszomoru Great, thank you for that. Worth mentioning that when changing the settings, I noticed another config - git.useIntegratedAskPass that when set to false also has the same effect. It is also used in askpass.ts getEnv/getTerminalEnv.

[lszomoru]

This should be fixed in the latest Insiders (2022-09-16).
We do not override the SSH_ASKPASS environment variable for the integrated terminal.

[connor4312]

@muendelezaji can you verify whether this is working for you on VS Code Insiders?

[muendelezaji]

@connor4312 I can confirm it does work on Insiders, even with the default setting (git.useIntegratedAskPass: true). I get the 2FA prompt in the terminal as in the original behaviour. Thanks for the great work done on VSCode.