Support for ssh authentication with security keys (like Yubikey) #262
robertpenz wants to merge 6 commits into
| <div className="flex items-center gap-2 mt-1"> | ||
| <input | ||
| type="checkbox" | ||
| id="ssh-prompt-toggle" |
WARNING: Duplicate element ID ssh-prompt-toggle. The same ID is also used in SshConnectionsModal.tsx. If both modals exist in the DOM simultaneously, clicking the <label htmlFor="ssh-prompt-toggle"> will target the wrong checkbox, and it violates HTML uniqueness constraints. Consider prefixing the ID with a modal-specific identifier (e.g., new-conn-ssh-prompt-toggle).
| <div className="flex items-center gap-2"> | ||
| <input | ||
| type="checkbox" | ||
| id="ssh-prompt-toggle" |
WARNING: Duplicate element ID ssh-prompt-toggle. The same ID is also used in NewConnectionModal.tsx. If both modals exist in the DOM simultaneously, clicking the <label htmlFor="ssh-prompt-toggle"> will target the wrong checkbox, and it violates HTML uniqueness constraints. Consider prefixing the ID with a modal-specific identifier (e.g., ssh-conn-prompt-toggle).
Code Review Summary
Status: 1 Issue Found | Recommendation: Address before merge
Issue Details: WARNING
Other Observations (not in diff): No issues found in unchanged code.
Files Reviewed (17 files)
Reviewed by kimi-k2.6-20260420 · 5,324,461 tokens
SSH_ASKPASS_REQUIRE=force alone depends on a system askpass helper (ssh-askpass, ksshaskpass, seahorse, ...) being installed. Many setups do not ship one — e.g. Arch or minimal Linux installs, macOS, Windows — so enabling the passphrase/PIN prompt there made ssh fail without any visible prompt.

Tabularis now acts as its own askpass helper:

- ssh re-executes the Tabularis binary as SSH_ASKPASS; a thin client mode forwards the prompt to the running app over a private local socket (unix socket chmod 600; TCP loopback + auth token on Windows)
- the app shows a native modal: secret/PIN entry, yes/no confirmation, or a "touch your security key" notification that auto-dismisses once ssh confirms user presence
- the tunnel readiness timeout pauses while a prompt is pending, so PIN entry cannot time the connection out
- falls back to the previous SSH_ASKPASS_REQUIRE=force behaviour when the app context is unavailable

Covered by unit tests for the wire protocol, a server round-trip over a unix socket, and the frontend prompt queue hook.
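
The private-socket forwarding described in the commit message above, as an added Rust example that is not Tabularis's own code. The function names, the `askpass.sock` file name, the tab-separated one-line wire format, the `secret`/`confirm` kind labels and the 0700 parent directory (which closes the window between bind and chmod) are all assumptions made for illustration.

```rust
// Added example: hypothetical names and wire format, not the project's protocol.
use std::fs::{self, DirBuilder, Permissions};
use std::io::{self, BufRead, BufReader, Write};
use std::os::unix::fs::{DirBuilderExt, PermissionsExt};
use std::os::unix::net::{UnixListener, UnixStream};
use std::path::{Path, PathBuf};

/// Bind the prompt socket inside a fresh 0700 directory, then chmod it to 0600.
/// Creation is non-recursive, so a pre-existing (possibly planted) dir is an error.
pub fn bind_private(dir: &Path) -> io::Result<(UnixListener, PathBuf)> {
    DirBuilder::new().mode(0o700).create(dir)?;
    let sock = dir.join("askpass.sock");
    let listener = UnixListener::bind(&sock)?;
    fs::set_permissions(&sock, Permissions::from_mode(0o600))?;
    Ok((listener, sock))
}

/// App side: accept one request "<kind>\t<prompt>\n" and reply with one line.
/// `answer` stands in for the modal dialog shown to the user.
pub fn serve_one(l: &UnixListener, answer: impl Fn(&str, &str) -> String) -> io::Result<()> {
    let (mut stream, _) = l.accept()?;
    let mut line = String::new();
    BufReader::new(&stream).read_line(&mut line)?;
    let (kind, prompt) = line.trim_end().split_once('\t').unwrap_or(("secret", ""));
    writeln!(stream, "{}", answer(kind, prompt))
}

/// Helper side (the process ssh runs as SSH_ASKPASS): forward the prompt and
/// return the reply. A real helper would print the reply on stdout for ssh.
pub fn ask(sock: &Path, kind: &str, prompt: &str) -> io::Result<String> {
    let mut stream = UnixStream::connect(sock)?;
    // Flatten tabs and newlines so the prompt cannot break the one-line framing.
    writeln!(stream, "{}\t{}", kind, prompt.replace(&['\t', '\n'][..], " "))?;
    let mut reply = String::new();
    BufReader::new(&stream).read_line(&mut reply)?;
    Ok(reply.trim_end_matches('\n').to_string())
}

fn main() -> io::Result<()> {
    let dir = std::env::temp_dir().join(format!("askpass-demo-{}", std::process::id()));
    let (listener, sock) = bind_private(&dir)?;
    let app = std::thread::spawn(move || serve_one(&listener, |_, _| "1234".into()));
    let pin = ask(&sock, "secret", "Enter PIN for security key:")?; // constructed prompt
    app.join().unwrap()?;
    println!("helper received {} bytes", pin.len());
    fs::remove_dir_all(&dir)
}
```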
Thanks for this PR — the feature is very welcome! While testing it on Arch Linux + GNOME we hit a gap: Since most users won't have an askpass helper installed, the simplest and most portable approach seemed to be reimplementing the askpass prompt as an in-app modal, so I pushed a commit (dacbdb7) on top of your work that makes Tabularis act as its own askpass helper:
Tested here with a passphrase-protected key (prompt → passphrase → tunnel up), plus unit tests for the wire protocol, a server round-trip, and the frontend prompt queue. I don't have a security key at hand for the full FIDO2 flow — could you confirm that with this commit your Yubikey still works as expected on Fedora 43 (PIN prompt in the app modal + touch notification)? Thanks!
Nice, I can test it only in about 3 weeks - hope that's ok.
With this patch Tabularis allows ssh to prompt for a PIN to unlock the security key. It's tested on Fedora 43.