Accessing SSH key path using SSH_ASKPASS and passwordstore

John Heatherington jheatherington at gmail.com
Tue Oct 6 12:40:35 AEDT 2020


Hello,

With the introduction of SSH_ASKPASS_REQUIRE in version 8.4, I've set
up a script for SSH_ASKPASS to query my local passwordstore
(https://www.passwordstore.org/) vault to retrieve the password for a
given key. This works for ssh-add as well as ssh (configured with
AddKeysToAgent set to 'yes'). My workflow effectively transforms into
entering the password for the GPG key used to encrypt my vault for any
given key. It works especially well now that I don't have to alter
DISPLAY and confuse gpg's pin input inference. Thanks for that
enhancement!

The tricky part here is the way I have to figure out which key is
being unlocked. I was initially only working with ssh-add, so it
seemed trivial to just deal with the input to a script acting as a
wrapper and feed that to the askpass script as an environment
variable. When I realized I could also take advantage of
AddKeysToAgent and simply call ssh, I had to change my strategy given
that the path to the key being unlocked does not appear to get passed
separately to my script; rather it's just given a prompt that happens
to contain the path to the key. Using this knowledge I just have my
script infer the path using sed.

This strategy works, but I noticed that when you call ssh (with
AddKeysToAgent set to 'yes') vs ssh-add, the prompts are slightly
different:

$ ssh user@host
Enter passphrase for key '/home/user/.ssh/id_ed25519_somekey':

$ ssh-add /home/user/.ssh/id_ed25519_somekey
Enter passphrase for /home/user/.ssh/id_ed25519_somekey:

Notice the single quotes around the path in the prompt when calling
ssh. I'm not sure if that's a bug with regard to consistency. I was
able to modify the regex to account for this difference, but overall I
wondered if this couldn't be improved. For my usage, it would be great
to receive the path to the key as another askpass argument.
Alternatively I could also envision accessing this information as an
environment variable.

I understand that my use-case may diverge too greatly from the
original intentions for this component, but I thought I'd ask anyway
in case I'm either doing something wrong or missing out on another
feature. What I have currently works, but I fear it leaves me prone to
breaking changes later on.

I've included my askpass script below. Also just to note, I'm running
on Arch, but I've confirmed these behaviors in the GitHub repo.

Thanks,
John

pass-askpass.sh
---
#!/usr/bin/env bash
# This translates "Enter passphrase for /home/user/.ssh/id_ed25519_somekey:"
# to "id_ed25519_somekey".
# It also accounts for the case where the path is surrounded by single
# quotes in the prompt (ssh with AddKeysToAgent=yes): the capture group
# excludes the quote and the colon so neither ends up in the pass lookup.
key_filename="$(printf '%s\n' "$1" | sed -e "s/^.*\/\([^':]*\)'*:.*$/\1/")"

# Assume we store all our keys in one folder in pass, and they are all
# uniquely identifiable.
# This will result in a prompt for my GPG key password to retrieve the
# SSH key password.
pass "${PASS_SSH_FOLDER:-SSH}/${key_filename}" | head -n1
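
A more defensive take on the same prompt parsing, added here as an example and not part of John's script or of OpenSSH: it uses shell parameter expansion instead of sed, handles both the quoted (ssh) and unquoted (ssh-add) prompts shown above, and prints nothing for any other prompt, because with SSH_ASKPASS_REQUIRE=force ssh routes other questions (host key confirmation, for instance) through the same askpass program. The function name key_from_prompt is hypothetical; PASS_SSH_FOLDER and the pass folder layout are the post's own.

```bash
#!/usr/bin/env bash
# Added example: extract the key name from an askpass prompt and refuse to
# answer anything that is not a passphrase prompt for a key file.

# key_from_prompt PROMPT -> prints the key file's basename, or returns 1
key_from_prompt() {
    local prompt="$1" path q="'"
    case "$prompt" in
        "Enter passphrase for key $q"*"$q:"*)   # ssh with AddKeysToAgent=yes
            path="${prompt#Enter passphrase for key $q}"
            path="${path%%$q:*}" ;;
        "Enter passphrase for "*":"*)           # ssh-add
            path="${prompt#Enter passphrase for }"
            path="${path%%:*}" ;;
        *)  # Any other prompt (e.g. host key confirmation): answer nothing,
            # so a stored secret is never handed to an unexpected question.
            return 1 ;;
    esac
    # ssh-add -c appends this note to its prompt; it is not part of the path
    path="${path%" (will confirm each use)"}"
    path="${path##*/}"                          # basename only
    case "$path" in ""|.|..) return 1 ;; esac   # nothing usable as a pass entry
    printf '%s\n' "$path"
}

# Only act when invoked by ssh/ssh-add with a prompt argument.
if [ $# -gt 0 ]; then
    key="$(key_from_prompt "$1")" || exit 1
    pass show "${PASS_SSH_FOLDER:-SSH}/${key}" | head -n1
fi
```

Point SSH_ASKPASS at this file and set SSH_ASKPASS_REQUIRE=force as in the original setup; the exit status 1 with empty output makes ssh treat an unanswered prompt as a failed askpass rather than a wrong answer.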

