gcr-ssh-agent does not support custom SSH_ASKPASS / SSH_ASKPASS_REQUIRE / BatchMode
I have a script that should connect to a server, but only if the required SSH key is already present in the agent, otherwise it should exit. The script does this by setting SSH_ASKPASS=/bin/false and quietly exiting if the first SSH connection attempt fails (because ssh would use /bin/false as the password source iff the key was not present in the agent yet). However, ever since gcr-4 took over ssh-agent (!139), this doesn’t work anymore, and instead always asks for a password.
I believe this is because gcr-ssh-agent always reports all available keys as loaded:
$ ssh-add -l | wc -l
25
$ ls -1 .ssh/*.pub | wc -l
25
$ # (I only actually added three SSH keys to the agent in this session)
Presumably, OpenSSH asks gcr-ssh-agent whether the required key is present, gcr-ssh-agent (falsely, I think) reports that it is, OpenSSH continues with the connection and asks gcr-ssh-agent to use the key, at which point gcr-ssh-agent asks me for my password despite the fact that I very explicitly told ssh I didn’t want to enter any password.
If I read the ssh(1) manpage correctly, SSH_ASKPASS_REQUIRE=never is supposed to have roughly the same effect as SSH_ASKPASS=/bin/false, and it’s broken in the same way.
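The count comparison in the report can be made exact by comparing fingerprints instead of line counts. The following is an added example, not part of the original issue or of gcr: the function names are hypothetical, and it assumes the standard `ssh-add -l` / `ssh-keygen -lf` line format with the fingerprint in the second field. When every on-disk public key appears in the agent listing, the listing cannot tell a script which keys are unlocked (a user who really did add every key matches as well, so treat it as a heuristic).

```shell
#!/bin/sh
# Added example (not from the issue). Heuristic: if every public key under
# ~/.ssh shows up in `ssh-add -l`, the listing says nothing about which keys
# are actually unlocked, so a script must not use it as a gate.

# Read `ssh-add -l` / `ssh-keygen -lf` style lines on stdin and print the
# fingerprint column (field 2), one per line, de-duplicated.
fingerprints() {
    awk '$2 ~ /^(SHA256|MD5):/ { print $2 }' | sort -u
}

# listing_covers_all AGENT_LISTING DISK_LISTING
# Returns 0 when DISK_LISTING is non-empty and each of its fingerprints also
# appears in AGENT_LISTING, 1 otherwise.
listing_covers_all() {
    agent_fps=$(printf '%s\n' "$1" | fingerprints)
    disk_fps=$(printf '%s\n' "$2" | fingerprints)
    [ -n "$disk_fps" ] || return 1
    for fp in $disk_fps; do
        printf '%s\n' "$agent_fps" | grep -Fxq -- "$fp" || return 1
    done
    return 0
}

# Live check against the running agent and ~/.ssh/*.pub.
# Returns 0 = agent lists every on-disk key, 1 = it does not,
# 2 = agent unreachable (ssh-add exit status 2).
agent_listing_is_uninformative() {
    agent_out=$(ssh-add -l 2>/dev/null) || [ $? -ne 2 ] || return 2
    disk_out=$(for f in "$HOME"/.ssh/*.pub; do
        if [ -e "$f" ]; then ssh-keygen -lf "$f" 2>/dev/null; fi
    done) || true
    listing_covers_all "$agent_out" "$disk_out"
}
```

Call `agent_listing_is_uninformative` at the top of a script that gates on agent state and log or abort when it returns 0.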