SSH agent approval prompt: surface which app, which host, which signature #21894
passabilities
started this conversation in
Password Manager
Replies: 1 comment
-
|
✨ Thank you for your code contribution proposal! While the Bitwarden team reviews your submission, we encourage you to check out our contribution guidelines. Please ensure that your code contribution includes a detailed description of what you would like to contribute, along with any relevant screenshots and links to existing feature requests. This information helps us gather feedback from the community and Bitwarden team members before you start writing code. To keep discussions focused, posts that do not include a proposal for a code contribution will be removed.
Thank you for contributing to Bitwarden! |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Select Topic Area
✅ Code Contribution Proposal
Code Contribution Proposal
I would like to propose a richer SSH agent approval prompt for the desktop app that surfaces the requesting application, the target host, and the SSH server's host key so users can make an informed approve/deny decision.
Today the prompt only says "ssh is requesting access to {key} to authenticate to a server" — the user can't tell whether the request came from their
git push, VSCode Remote-SSH, an Ansible run, or a malicious local process. This gap was flagged in #13535 and closed with a request to open a code proposal, which is what this is.I built a working prototype (all client tests green, cross-platform Rust + TS): PR #20875 — closed by @dwbit pending this discussion, and correctly noted it targeted the older V1 agent code. Would re-implement on V2 with team input.
What I am proposing (v1)
Enrich the existing approval dialog with locally-derivable context — no DNS, no reverse lookups, no network calls:
sysinfo(leaf process + non-shell ancestor). e.g. surfacesVisual Studio Code → sshinstead of justssh.ssh user@host) and cross-referenced with~/.ssh/known_hostsfor a Verified badge when the key is recognized.SHA256:…from the OpenSSHsession-bind@openssh.comextension.known_hosts), Unverified (from argv only — a process can lie), or fingerprint-only.Verified GitHub host — process chain reveals GitKraken as the real requester:
What I am NOT proposing for v1
bitwarden_russh.Open questions I'd like feedback on before writing V2 code
--token=…). Show it always, only under a deeper disclosure, scrub known-sensitive flags, or omit entirely?Happy to walk through the V1 implementation on the closed PR or drop the current approach entirely if the team has a different direction in mind.
Beta Was this translation helpful? Give feedback.
All reactions