[pass] Any advice for using pass with ssh passphrases?

Lucas Hoffmann l-m-h at web.de
Sun Feb 21 22:00:39 CET 2016


Quoting Christophe-Marie Duquesne (2016-02-21 16:22:17)
> On my side I went ahead with my idea to use SSH_ASKPASS to unlock the
> passphrase of my ssh key using pass. It kind of works, but it feels a
> bit "hackish". Here is what I did:
>
> The ssh-add manual states what follows:
>
> > DISPLAY and SSH_ASKPASS
> >
> > If ssh-add needs a passphrase, it will read the passphrase from the
> > current terminal if it was run from a terminal. If ssh-add does not
> > have a terminal associated with it but DISPLAY and SSH_ASKPASS
> > are set, it will execute the program specified by SSH_ASKPASS (by
> > default ``ssh-askpass'') and open an X11 window to read the
> > passphrase. This is particularly useful when calling ssh-add from a
> > .xsession or related script. (Note that on some machines it may be
> > necessary to redirect the input from /dev/null to make this work.)
>
> It turns out that SSH_ASKPASS must be a path to an executable file
> which is expected to provide the passphrase on its standard output. I
> used it to my advantage and wrote the following shell script in
> $HOME/.bin/ssh-askpass, which has exactly the same interface but
> invokes pass instead:
>
> #!/bin/bash
> # ssh-add passes the prompt text as $1 and reads the passphrase from
> # stdout; only the first line of the entry is printed. ($HOST is set by
> # zsh, not bash; under bash set it first, e.g. HOST=$HOSTNAME, or the
> # entry name will not resolve.)
> pass ssh/$USER@$HOST | head -n1
>
> Then I played with ssh-add and the vanilla ssh-agent, and I found out
> that the following line works perfectly, assuming you deactivate the
> ssh-agent feature of gpg-agent:
>
> eval $(SSH_ASKPASS=$HOME/.bin/ssh-askpass \
>     keychain --quiet --eval id_rsa </dev/null)
>
> I put this line in my .bashrc/.zshrc, and keychain will get the
> passphrase of ~/.ssh/id_rsa from the output of the command 'pass
> ssh/$USER@$HOST | head -n1'. This way, I don't need to copy-paste the
> passphrase around, which is nice.

I use the same mechanism to unlock my ssh keys.  Albeit I use `ssh-add`
directly instead of `keychain`.  I have (nearly) the same
pass-as-ssh-askpass.sh script.  Then I set up the environment in my
xinitrc file with these lines:

load_ssh_keys () {
  # ssh-add only falls back to SSH_ASKPASS when stdin is not a terminal
  # and DISPLAY is set (both true inside xinitrc), hence the < /dev/null.
  SSH_ASKPASS=$(which pass-as-ssh-askpass.sh) \
    ssh-add $HOME/.ssh/*id_rsa < /dev/null
}
# wait 60 seconds, then load the keys without blocking the rest of xinitrc
(sleep 60 && load_ssh_keys &) &

Sorry for writing so late; now you had to find out this stuff on your
own.

Lucas
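The SSH_ASKPASS helper discussed in this thread, written out as an added example (not code from either poster): it derives the pass entry from the prompt ssh-add hands it, so one script serves several keys. The entry layout ssh/<hostname>/<key basename>, the script name pass-askpass.sh and the install path are assumptions, not from the thread.

```shell
#!/bin/sh
# Added example, not code from the list thread: a pass-backed SSH_ASKPASS
# helper. ssh-add runs "$SSH_ASKPASS 'Enter passphrase for /path/to/key: '"
# and reads the passphrase from the helper's stdout, but only when stdin is
# not a terminal and DISPLAY is set (hence the "< /dev/null" in the thread).
# Assumed (not from the page): entries live at ssh/<hostname>/<key basename>.

# askpass_entry PROMPT HOST -> pass entry name on stdout.
# Extracts the key path that follows "for " in the prompt ("Enter passphrase
# for ..." and the retry prompt "Bad passphrase, try again for ..." both fit);
# an empty or unrecognised prompt maps to ssh/HOST/default.
askpass_entry() {
    prompt=$1
    host=$2
    keypath=$(printf '%s\n' "$prompt" | sed -n 's/.*for \([^ :]*\).*/\1/p')
    if [ -n "$keypath" ]; then
        printf 'ssh/%s/%s\n' "$host" "$(basename "$keypath")"
    else
        printf 'ssh/%s/default\n' "$host"
    fi
}

# askpass_main PROMPT: what ssh-add actually invokes. Only the first line of
# the entry is printed, so notes stored below the passphrase never reach
# ssh-add (or a terminal, if someone runs the helper by hand).
askpass_main() {
    entry=$(askpass_entry "${1:-}" "$(hostname)")
    pass show "$entry" | head -n1
}

# Run the helper only when executed as the installed script, so the functions
# above can also be sourced and checked without touching the password store.
case "$0" in
    *pass-askpass.sh) askpass_main "$@" ;;
esac

# Installation and use (assumed paths), e.g. from .xinitrc:
#   install -m 700 pass-askpass.sh "$HOME/.bin/pass-askpass.sh"
#   SSH_ASKPASS="$HOME/.bin/pass-askpass.sh" ssh-add "$HOME/.ssh/id_ed25519" < /dev/null
```

Because pass decrypts with gpg, this only avoids a prompt once gpg-agent already holds the GPG key; otherwise pinentry appears in place of the ssh passphrase dialog, which is the "hackish" feeling described above.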