Quoting Christophe-Marie Duquesne (2016-02-21 16:22:17)
> On my side I went ahead with my idea to use SSH_ASKPASS to unlock the
> passphrase of my ssh key using pass. It kind of works, but it feels a
> bit "hackish". Here is what I did:
>
> The ssh-add manual states what follows:
>
> > DISPLAY and SSH_ASKPASS
> >
> > If ssh-add needs a passphrase, it will read the passphrase from the
> > current terminal if it was run from a terminal. If ssh-add does not
> > have a terminal associated with it but DISPLAY and SSH_ASKPASS
> > are set, it will execute the program specified by SSH_ASKPASS (by
> > default ``ssh-askpass'') and open an X11 window to read the
> > passphrase. This is particularly useful when calling ssh-add from a
> > .xsession or related script. (Note that on some machines it may be
> > necessary to redirect the input from /dev/null to make this work.)
>
> It turns out that SSH_ASKPASS must be a path to an executable file
> which is expected to provide the passphrase on its standard output. I
> used it to my advantage and wrote the following shell script in
> $HOME/.bin/ssh-askpass, which has exactly the same interface but
> invokes pass instead:
>
> #!/bin/bash
> pass ssh/$USER@$HOST | head -n1
>
> Then I played with ssh-add and the vanilla ssh-agent, and I found out
> that the following line works perfectly, assuming you deactivate the
> ssh-agent feature of gpg-agent:
>
> eval $(SSH_ASKPASS=$HOME/.bin/ssh-askpass \
>     keychain --quiet --eval id_rsa </dev/null)
>
> I put this line in my .bashrc/.zshrc, and keychain will get the
> passphrase of ~/.ssh/id_rsa from the output of the command 'pass
> ssh/$USER@$HOST | head -n1'. This way, I don't need to copy-paste the
> passphrase around, which is nice.
I use the same mechanism to unlock my ssh keys, although I use `ssh-add`
directly instead of `keychain`. I have (nearly) the same
pass-as-ssh-askpass.sh script. Then I set up the environment in my
xinitrc file with these lines:
load_ssh_keys () {
    # ssh-add only falls back to SSH_ASKPASS when it has no terminal
    # (hence the </dev/null) and DISPLAY is set, which xinitrc provides.
    SSH_ASKPASS=`which pass-as-ssh-askpass.sh` \
        ssh-add $HOME/.ssh/*id_rsa < /dev/null
}
# Give the X session a minute to come up, then load the keys in the
# background so xinitrc is not blocked.
(sleep 60 && load_ssh_keys &) &
Sorry for writing so late, now you had to find out this stuff on your
own.
Lucas
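An added example of such an askpass helper (not Lucas's actual script, not from the pass project): OpenSSH passes the prompt text to the SSH_ASKPASS program as its first argument, so the helper can answer only genuine passphrase prompts and refuse anything else (host-key confirmations, retry prompts), so that a secret is never printed as the answer to a yes/no question. It assumes the pass store holds one entry per key named ssh/<key file basename>, e.g. ssh/id_rsa.

```shell
#!/bin/sh
# pass-as-ssh-askpass.sh (example): answer ssh-add's passphrase prompt
# from pass. ssh-add invokes "$SSH_ASKPASS" "<prompt>", e.g.
#   Enter passphrase for /home/lucas/.ssh/id_rsa:
# ssh-add only consults SSH_ASKPASS when it has no terminal and DISPLAY
# is set, so run it as: SSH_ASKPASS=/path/to/this ssh-add key </dev/null

# Map a key path to a pass entry. Assumed layout: ssh/<key basename>.
entry_for_key() {
    key_path=$1
    printf 'ssh/%s\n' "${key_path##*/}"
}

# Extract the key path from a passphrase prompt. Any other prompt
# (host-key confirmation, "Bad passphrase, try again") is rejected.
key_from_prompt() {
    prompt=$1
    case $prompt in
        "Enter passphrase for "*)
            rest=${prompt#Enter passphrase for }
            rest=${rest%%:*}          # drop the trailing ": "
            printf '%s\n' "$rest"
            ;;
        *)
            return 1
            ;;
    esac
}

# Print the passphrase for a passphrase prompt, or fail with no output.
askpass_response() {
    key=$(key_from_prompt "$1") || return 1
    entry=$(entry_for_key "$key")
    # pass keeps the secret on the first line; later lines are notes.
    pass show "$entry" 2>/dev/null | head -n1
}

# Entry point when executed as the askpass program (not when sourced).
case $0 in
    *pass-as-ssh-askpass.sh) askpass_response "$1" ;;
esac
```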
Password-Store mailing list: http://lists.zx2c4.com/mailman/listinfo/password-store
