commit 41556a9848d24a5ffd8d556de111fd6622267b09
from: Sara Burke
date: Sat Mar 7 15:29:56 2026 UTC
add keepass prompt helper on macos
commit - 2ebee30b0afc8c8ba521f0bc4e0fa58f40031152
commit + 41556a9848d24a5ffd8d556de111fd6622267b09
blob - /dev/null
blob + 0ff40508590880c6df3b2cd0c5144cc20f671d9f (mode 755)
--- /dev/null
+++ .local/bin/ssh-askpass
@@ -0,0 +1,30 @@
+#!/bin/sh
+# ssh-askpass — GUI passphrase/PIN prompt for ssh-agent / ssh-sk-helper
+# Works on macOS (osascript) and OpenBSD (X11 ssh-askpass).
+
+prompt="${1:-Enter passphrase:}"
+
+case $(uname -s) in
+Darwin)
+ exec osascript \
+ -e 'on run argv' \
+ -e ' display dialog (item 1 of argv) default answer "" with hidden answer buttons {"OK"} default button 1' \
+ -e ' text returned of result' \
+ -e 'end run' \
+ -- "$prompt"
+ ;;
+*)
+ # OpenBSD xenocara ships /usr/X11R6/bin/ssh-askpass
+ for _askpass in \
+ /usr/X11R6/bin/ssh-askpass \
+ /usr/lib/ssh/ssh-askpass \
+ /usr/libexec/ssh-askpass; do
+ if [ -x "$_askpass" ]; then
+ exec "$_askpass" "$prompt"
+ fi
+ done
+ # No X11 askpass found — fail clearly
+ printf 'ssh-askpass: no GUI askpass found\n' >&2
+ exit 1
+ ;;
+esac
blob - b417521fa2d9facd55bea2260790992b7f68d956
blob + f75c9daefe2e999f80f6fb0168fb0394e0639047
--- .profile
+++ .profile
@@ -83,7 +83,7 @@ esac
 _start_agent() {
 rm -f "$_agent_sock"
 eval "$("$_ssh_agent" -a "$_agent_sock")"
- ( umask 0177; echo "$SSH_AGENT_PID" > "$_agent_pid" )
+ ( umask 0177; echo "$SSH_AGENT_PID" >| "$_agent_pid" )
 }
 
 export SSH_AUTH_SOCK="$_agent_sock"
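Review bot: The Darwin branch of the new ssh-askpass shows the same hidden-answer dialog with `buttons {"OK"}` for every request, so the user has no way to decline. OpenSSH sets `SSH_ASKPASS_PROMPT=confirm` for yes/no questions (host-key confirmation, `ssh-add -c` key-use confirmation) and takes the helper's exit status as the answer, and sets it to `none` for plain notifications such as the security-key touch reminder. With a single OK button a confirm request can only be approved, short of killing the dialog. The script should branch on `SSH_ASKPASS_PROMPT` and give the confirm and passphrase dialogs a Cancel button, which makes osascript exit non-zero. Quoting the selector as `case "$(uname -s)" in` would also match the quoting used elsewhere in the script.

```shell
Darwin)
	case "${SSH_ASKPASS_PROMPT:-}" in
	confirm)
		# yes/no request: the exit status is the answer, so Cancel must exist
		exec osascript \
			-e 'on run argv' \
			-e '  display dialog (item 1 of argv) buttons {"Cancel", "OK"} default button "Cancel" cancel button "Cancel"' \
			-e 'end run' \
			-- "$prompt" >/dev/null
		;;
	none)
		# notification only (e.g. touch reminder): nothing to type or return
		exec osascript \
			-e 'on run argv' \
			-e '  display dialog (item 1 of argv) buttons {"OK"} default button "OK"' \
			-e 'end run' \
			-- "$prompt" >/dev/null
		;;
	*)
		# passphrase/PIN entry: as before, plus a Cancel button
		exec osascript \
			-e 'on run argv' \
			-e '  display dialog (item 1 of argv) default answer "" with hidden answer buttons {"Cancel", "OK"} default button "OK" cancel button "Cancel"' \
			-e '  text returned of result' \
			-e 'end run' \
			-- "$prompt"
		;;
	esac
	;;
# … unchanged: fallback branch that searches for an X11 ssh-askpass …
```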
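Review bot: The `>|` in `_start_agent` overwrites whatever already sits at `$_agent_pid`, and the `umask 0177` in the subshell only applies to a file that is newly created. A stale PID file therefore keeps its old mode, and a symlink at that path would be written through. Where `$_agent_pid` points is set outside this hunk, so this matters mainly if it can live in a directory other users can write to. Removing the stale file first, as the function already does for the socket (`rm -f "$_agent_sock" "$_agent_pid"`), would let the original `>` create it fresh with the intended mode even when noclobber is set.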
@@ -103,9 +103,15 @@ else
 esac
 fi
 
+# FIDO2/SK keys need a GUI PIN prompt when signing through the agent
+export SSH_ASKPASS="$HOME/.local/bin/ssh-askpass"
+export SSH_ASKPASS_REQUIRE=force
+
 # macOS: tell launchd so GUI apps (KeePassXC) see the right socket
 if [ "$(uname -s)" = Darwin ]; then
 launchctl setenv SSH_AUTH_SOCK "$SSH_AUTH_SOCK"
+ launchctl setenv SSH_ASKPASS "$SSH_ASKPASS"
+ launchctl setenv SSH_ASKPASS_REQUIRE "$SSH_ASKPASS_REQUIRE"
 fi
 
 unset _agent_sock _agent_pid _ssh_agent
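Review bot: `SSH_ASKPASS_REQUIRE=force` is exported for every shell that reads `.profile`, with no check that the helper exists or that the session has a GUI. In a remote or text-console login, every passphrase, password and host-key prompt from ssh is then routed to a helper that cannot show a dialog, rather than being asked on the terminal. Guarding the two exports, for example `if [ -x "$HOME/.local/bin/ssh-askpass" ] && [ -z "${SSH_CONNECTION:-}" ]; then … fi`, and moving the two new `launchctl setenv` lines under the same condition would limit the setting to local GUI sessions. The agent start-up code is outside this hunk; if the agent is launched before these exports, it will not have `SSH_ASKPASS` in its own environment, which the added comment suggests it needs.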