[pass] Any advice for using pass with ssh passphrases?

Christophe-Marie Duquesne chmd at chmd.fr
Sun Feb 21 16:22:17 CET 2016


I believe you misunderstood which passphrase I am talking about.

You are pointing me to a resource explaining how to install an ssh
public key on a remote server. This is a good security practice, which
I use. However I am talking about the passphrase of the private key
(usually ~/.ssh/id_rsa), which explained a little bit earlier in the
very webpage you pointed me to [1]. I assume you do not use a
passphrase for your private key, but that is a bit dangerous: if
someone manages to steal that key, they can basically login anywhere.
I strongly advise you to use a passphrase and an ssh-agent, so that
your private key does not lie around unencrypted on your hard drive.

On my side I went ahead with my idea to use SSH_ASKPASS to unlock the
passphrase of my ssh key using pass. It kind of works, but it feels a
bit "hackish". Here is what I did:

The ssh-add manual states what follows:

> If ssh-add needs a passphrase, it will read the passphrase from the
> current terminal if it was run from a terminal. If ssh-add does not
> have a terminal asso‐ ciated with it but DISPLAY and SSH_ASKPASS
> are set, it will execute the program specified by SSH_ASKPASS (by
> default ``ssh-askpass )'' and open an X11 window to read the
> passphrase. This is particularly useful when calling ssh-add from a
> .xsession or related script. (Note that on some machines it may be
> necessary to redirect the input from /dev/null to make this work.)

It turns out that SSH_ASKPASS must be a path to an executable file
which is expected to provide the passphrase on its standard output. I
used it to my advantage and wrote the following shell script in
$HOME/.bin/ssh-askpass, which has exactly the same interface but
invokes pass instead:

pass ssh/$USER@$HOST | head -n1

Then I played with ssh-add and the vanilla ssh-agent, and I found out
that the following line works perfectly, assuming you deactivate the
ssh-agent feature of gpg-agent:

eval $(SSH_ASKPASS=$HOME/.bin/ssh-askpass \
    keychain --quiet --eval id_rsa </dev/null)

I put this line in my .bashrc/.zshrc, and keychain will get the
passphrase of ~/.ssh/id_rsa from the output of the command 'pass
ssh/$USER@$HOST | head -n1'. This way, I don't need to copy-paste the
passphrase around, which is nice.

By the way, the neat thing is that the same trick applies with sudo:

export SUDO_ASKPASS=$HOME/.bin/sudo-askpass
alias sudo='sudo --askpass'

With the following content in $HOME/.bin/sudo-askpass:

pass hosts/$USER@$HOST | head -n1

And now sudo gets its passphrase from the output of 'pass
hosts/$USER@$HOST | head -n1'.

So here we go, no more password to copy around for ssh and sudo.

If anyone has comments regarding the safety of such a setup, let me know!


[1]: https://wiki.archlinux.org/index.php/SSH_keys#Choosing_the_key_location_and_passphrase

More information about the Password-Store mailing list