Commit Diff


commit - 2ebee30b0afc8c8ba521f0bc4e0fa58f40031152
commit + 41556a9848d24a5ffd8d556de111fd6622267b09
blob - /dev/null
blob + 0ff40508590880c6df3b2cd0c5144cc20f671d9f (mode 755)
--- /dev/null
+++ .local/bin/ssh-askpass
@@ -0,0 +1,30 @@
+#!/bin/sh
+# ssh-askpass — GUI passphrase/PIN prompt for ssh-agent / ssh-sk-helper
+# Works on macOS (osascript) and OpenBSD (X11 ssh-askpass).
+
+prompt="${1:-Enter passphrase:}"
+
+case $(uname -s) in
+Darwin)
+	exec osascript \
+		-e 'on run argv' \
+		-e '  display dialog (item 1 of argv) default answer "" with hidden answer buttons {"OK"} default button 1' \
+		-e '  text returned of result' \
+		-e 'end run' \
+		-- "$prompt"
+	;;
+*)
+	# OpenBSD xenocara ships /usr/X11R6/bin/ssh-askpass
+	for _askpass in \
+		/usr/X11R6/bin/ssh-askpass \
+		/usr/lib/ssh/ssh-askpass \
+		/usr/libexec/ssh-askpass; do
+		if [ -x "$_askpass" ]; then
+			exec "$_askpass" "$prompt"
+		fi
+	done
+	# No X11 askpass found — fail clearly
+	printf 'ssh-askpass: no GUI askpass found\n' >&2
+	exit 1
+	;;
+esac
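Review bot: The Darwin branch's `display dialog` offers only `buttons {"OK"}`, so the user has no way to decline a prompt from the dialog itself; whatever is in the field is handed back to ssh or ssh-agent. Adding a cancel button, `buttons {"Cancel", "OK"} default button 2`, makes osascript exit non-zero on cancel, which the caller can treat as a refused prompt. The script also ignores `SSH_ASKPASS_PROMPT`, which OpenSSH sets to `confirm` or `none` for yes/no confirmations and touch notifications; those cases would read better without the hidden text field. A header line such as `# Exit status: 0 with the answer on stdout; non-zero if the user cancels or no helper is found` would document the contract.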
blob - b417521fa2d9facd55bea2260790992b7f68d956
blob + f75c9daefe2e999f80f6fb0168fb0394e0639047
--- .profile
+++ .profile
@@ -83,7 +83,7 @@ esac
 _start_agent() {
 	rm -f "$_agent_sock"
 	eval "$("$_ssh_agent" -a "$_agent_sock")"
-	( umask 0177; echo "$SSH_AGENT_PID" > "$_agent_pid" )
+	( umask 0177; echo "$SSH_AGENT_PID" >| "$_agent_pid" )
 }
 
 export SSH_AUTH_SOCK="$_agent_sock"
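Review bot: With `>|`, the `echo "$SSH_AGENT_PID"` line now overwrites an existing pid file, but `umask 0177` only takes effect when the file is created. A file that is already there keeps its previous mode, and if it is a symlink the write follows it. Removing it first, as the function already does for the socket, avoids both: `rm -f "$_agent_sock" "$_agent_pid"`. Where `$_agent_pid` points is set outside this hunk, so how exposed that path is cannot be judged from here. A short comment such as `# >| : overwrite even when noclobber (set -C) is on` would explain the operator.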
@@ -103,9 +103,15 @@ else
 	esac
 fi
 
+# FIDO2/SK keys need a GUI PIN prompt when signing through the agent
+export SSH_ASKPASS="$HOME/.local/bin/ssh-askpass"
+export SSH_ASKPASS_REQUIRE=force
+
 # macOS: tell launchd so GUI apps (KeePassXC) see the right socket
 if [ "$(uname -s)" = Darwin ]; then
 	launchctl setenv SSH_AUTH_SOCK "$SSH_AUTH_SOCK"
+	launchctl setenv SSH_ASKPASS "$SSH_ASKPASS"
+	launchctl setenv SSH_ASKPASS_REQUIRE "$SSH_ASKPASS_REQUIRE"
 fi
 
 unset _agent_sock _agent_pid _ssh_agent
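Review bot: `SSH_ASKPASS_REQUIRE=force` is exported unconditionally, so in every session that sources this .profile all ssh prompts go to the GUI helper: passwords, host-key yes/no questions and server-supplied keyboard-interactive text. That includes console or remote logins with no display, where the helper can only fail. Limiting it to sessions that can show a dialog keeps terminal prompts working elsewhere, e.g. `if [ "$(uname -s)" = Darwin ] || [ -n "${DISPLAY:-}" ]; then export SSH_ASKPASS_REQUIRE=force; fi`. Separately, ssh-agent reads these variables from its own environment and `_start_agent` is defined earlier in the file. If the agent is launched before these exports (the call site is outside the hunk), it will not see them for the PIN prompt the comment describes.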