Hello,

With the introduction of SSH_ASKPASS_REQUIRE in version 8.4, I've set up a script for SSH_ASKPASS to query my local passwordstore (https://www.passwordstore.org/) vault to retrieve the password for a given key. This works for ssh-add as well as ssh (configured with AddKeysToAgent set to 'yes'). My workflow effectively transforms into entering the password for the GPG key used to encrypt my vault for any given key. It works especially well now that I don't have to alter DISPLAY and confuse gpg's pin input inference. Thanks for that enhancement!

The tricky part here is the way I have to figure out which key is being unlocked. I was initially only working with ssh-add, so it seemed trivial to just deal with the input to a script acting as a wrapper and feed that to the askpass script as an environment variable. When I realized I could also take advantage of AddKeysToAgent and simply call ssh, I had to change my strategy given that the path to the key being unlocked does not appear to get passed separately to my script; rather it's just given a prompt that happens to contain the path to the key. Using this knowledge I just have my script infer the path using sed.

This strategy works, but I noticed that when you call ssh (with AddKeysToAgent set to 'yes') vs ssh-add, the prompts are slightly different:

    $ ssh user@host
    Enter passphrase for key '/home/user/.ssh/id_ed25519_somekey':

    $ ssh-add /home/user/.ssh/id_ed25519_somekey
    Enter passphrase for /home/user/.ssh/id_ed25519_somekey:

Notice the single quotes around the path in the prompt when calling ssh. I'm not sure if that's a bug with regard to consistency. I was able to modify the regex to account for this difference, but overall I wondered if this couldn't be improved. For my usage, it would be great to receive the path to the key as another askpass argument. Alternatively I could also envision accessing this information as an environment variable.
I understand that my use-case may diverge too greatly from the original intentions for this component, but I thought I'd ask anyway in case I'm either doing something wrong or missing out on another feature. What I have currently works, but I fear it leaves me prone to breaking changes later on. I've included my askpass script below.

Also just to note, I'm running on Arch, but I've confirmed these behaviors in the GitHub repo.

Thanks,
John

pass-askpass.sh
---
#!/usr/bin/env bash

# This translates "Enter passphrase for /home/user/.ssh/id_ed25519_somekey:" to "id_ed25519_somekey"
# It also accounts for the case where the path is surrounded by single quotes in the prompt
# (ssh with AddKeysToAgent): the capture group excludes quotes and colons so that a greedy
# match cannot keep the closing quote as part of the file name.
key_filename="$(echo "$1" | sed -e "s/^.*\/\([^':]*\)'*:.*$/\1/")"

# Assume we store all our keys in one folder in pass, and they are all uniquely identifiable
# This will result in a prompt for my GPG key password to retrieve the SSH key password
pass "${PASS_SSH_FOLDER:-SSH}/${key_filename}" | head -n1

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
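The following is an added example, not John's script and not OpenSSH code. It shows the same prompt-parsing approach done with shell parameter expansion instead of a regex, so that both prompt shapes quoted in the post (ssh with AddKeysToAgent, and ssh-add) yield the bare key file name, and an unrecognised prompt is rejected rather than turned into a lookup path. The two prompts used for testing are constructed from the post; PASS_SSH_FOLDER is the post's own variable, and the pass invocation is only reached when the script is run as an askpass helper with a prompt argument.

```shell
#!/usr/bin/env bash
# Added example: parse ssh/ssh-add passphrase prompts for an SSH_ASKPASS helper.
# Not the original poster's script; the prompt strings below are constructed
# from the ones quoted in the post.
set -eu

# Print the basename of the key path embedded in a passphrase prompt.
# Recognised shapes (both from the post):
#   "Enter passphrase for /home/user/.ssh/id_ed25519_somekey:"        (ssh-add)
#   "Enter passphrase for key '/home/user/.ssh/id_ed25519_somekey':"  (ssh, AddKeysToAgent)
# Returns 1 for anything that does not look like one of those.
key_from_prompt() {
    local prompt="$1" q="'" path

    # Both prompts name the key after " for " and end the path with ":".
    case "$prompt" in
        *" for "*:*) ;;
        *) return 1 ;;
    esac

    path="${prompt##* for }"   # text after the last " for "
    path="${path#key }"        # ssh adds the word "key " before the quoted path
    path="${path%%:*}"         # drop ":" and whatever follows it
    path="${path#$q}"          # strip the single quotes ssh wraps the path in
    path="${path%$q}"

    path="${path##*/}"         # basename only: the pass entry is keyed by file name
    case "$path" in
        ''|.|..) return 1 ;;   # never build a pass path from an empty or dot name
    esac
    printf '%s\n' "$path"
}

# Look the key up in pass, mirroring the post's layout (PASS_SSH_FOLDER/<file name>).
askpass() {
    local name
    if ! name="$(key_from_prompt "$1")"; then
        printf 'pass-askpass: unrecognised prompt: %s\n' "$1" >&2
        return 1
    fi
    pass "${PASS_SSH_FOLDER:-SSH}/${name}" | head -n1
}

# ssh/ssh-add invoke the helper with the prompt as the first argument;
# with no argument the functions are merely defined (e.g. when sourced).
if [ "$#" -gt 0 ]; then
    askpass "$1"
fi
```

Because the helper only acts on prompts that contain " for " and a colon, a differently worded prompt (a confirmation question, for instance) produces an error on stderr instead of a pass lookup with an unexpected path component. For the helper to be used at all when a terminal is attached, SSH_ASKPASS_REQUIRE has to be set to force (or prefer), which is the 8.4 behaviour the post builds on.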