Sudo password collection via gui

I’m developing an application that needs to run some commands that require sudo perms. I’m currently using /usr/libexec/openssh/ssh-askpass which works fine in fedora 37, but appears to be bugged in ubuntu. Looking at arch, it seems they are using seahorse to provide ssh-askpass capability. I have not tested that yet. I also see GCR (GNOME Crypto REEEEEE?) mentioned, but i’m not sure if it is intended to be usable for sudo password collection, nor of it’s current dev state.

My question is… what is the best integrated, preferably universal to all/major/most distros, currently working, and future-proof method to use going forward? Is fedora going to keep using the gnome askpass from openssh? seahorse? GCR ?


Why are you integrating with it directly like that? If you use polkit, it will automatically select an appropriate agent to use based on what is available on that user’s system.

1 Like

thanks for your answer. i think i just completely forgot about polkit. :slight_smile: Assuming i use pkexec then; what auth agent(s) is best integrated and supported across distros like fedora, ubuntu, arch, alpine, and opensuse? Assuming Gnome, and then just gtk available, now and going forward.

As an application developer, you shouldn’t need to care.

Polkit will always provide an agent and select the most relevant option.

yes, i agree that i shouldn’t, but i wanted to know what the options are in case i want to test them, make recommendations, or document things. I guess i’ll just try it out with different distros and DEs and see what happens. I can always ask again if it doesn’t work out. thanks for the info.

The gnome and kde agents are going to be the most commonly used ones.

thanks. Do you know if pkexec will remember the auth using the sudoers timeout, or similar, or ask for every invocation?

It will ask for every invocation.

You can work around this by doing something like authorizing a backend process that handles multiple operations once the privs have been authorized.

ok, thanks again. i’ll figure that out.

just wanted to say thanks again to @dalto for nudging me towards a polkit solution. I was indeed doing things in a suboptimal way. Using pkexec to call a separate process (that runs the multiple commands) works with one password entry, no inhibitShortcutsDialog from GNOME, and uses a more appropriate agent/password collection dialog.