How to get "Enter passphrase" on command line rather than GUI pop-up?

Jochen Bern Jochen.Bern at binect.de
Wed Jan 3 19:35:26 AEDT 2024


On 02.01.24 10:37, Chris Green wrote:
> It's started by gnome-keyring-daemon which is handy because it uses my
> login password to unlock my default passphrase, thus I don't need to
> enter a passphrase explicitly when running my GUI desktop.
> 
> It's only because I want to use a *different* key/passphrase pair for
> some systems that I have hit this issue of ssh-agent using a GUI
> pop-up to ask for a passphrase.

Now *that* sounds like the practical thing to do is to have only the 
shells/terminals used for *those* tasks decoupled from your agent 
running centrally in the background. (Which, as you already discovered, 
can be done by unsetting $SSH_AUTH_SOCK in those shells.)

> Do SSH_ASKPASS and SSH_ASKPASS_REQUIRE affect ssh-agent directly?
> There's nothing in the man page indicating this.

I'd guess that they do, but that's irrelevant: Since the agent is not 
running in a shell/terminal, it *cannot* ask you for the passphrase on 
any command line instead, much less the one you're running the "ssh" from.

You could instead control the agent's behaviour by un- and reloading 
privkeys with "ssh-add" before "ssh"ing, but that's hardly a UX improvement.

> I guess the need to specify the key file is a result of [...]

OpenSSH will autoload keypairs from a number of defined paths, but what 
seems to be the one you're using here ($HOME/backup_id_rsa) is not one 
of them, so you'll always have to point your login procedure at that 
file *somehow/-time*.

(In fact, having additional keypairs at the default paths might be 
detrimental if you want your "ssh" to fall back to a specified one, 
because ssh will try them automatically, every time ssh asks sshd "would 
you be willing to accept *this* keypair?" counts as a failed login 
attempt (long-standing bug), and sshd limits the number of attempts 
it'll let the client have in the one TCP connection (MaxAuthTries config).)

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
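
Added example, not part of the original message and not OpenSSH project code: a POSIX shell wrapper that runs a single ssh invocation decoupled from the agent, as the reply above suggests, so the passphrase prompt lands on the calling terminal. The function name `ssh_tty_key` and the `SSH_BIN` override are assumptions made for this example; `SSH_ASKPASS_REQUIRE` needs OpenSSH 8.4 or later.

```sh
#!/bin/sh
# Added example (not from the thread). ssh_tty_key and SSH_BIN are
# hypothetical names; SSH_BIN only exists so the wrapper can be tested
# against a stand-in for ssh.
#
# usage: ssh_tty_key KEYFILE [ssh options] DESTINATION [command]
ssh_tty_key() (
    # The whole body runs in a subshell, so the caller's environment
    # (including its SSH_AUTH_SOCK and the central agent) stays untouched.
    if [ "$#" -lt 2 ]; then
        echo "usage: ssh_tty_key KEYFILE [ssh options] DESTINATION" >&2
        exit 64
    fi
    key=$1
    shift
    if [ ! -r "$key" ]; then
        echo "ssh_tty_key: cannot read key file: $key" >&2
        exit 66
    fi

    # No agent socket: the agent (and its GUI prompt) is never consulted.
    unset SSH_AUTH_SOCK
    # Never run an askpass helper; ssh prompts on the terminal instead.
    SSH_ASKPASS_REQUIRE=never
    export SSH_ASKPASS_REQUIRE

    # IdentityAgent=none : also ignore an agent socket named in ssh_config.
    # IdentitiesOnly=yes : offer only explicitly configured identity files
    #                      (the -i key here, plus any IdentityFile lines in
    #                      ssh_config), so stray keys do not use up the
    #                      server's MaxAuthTries budget.
    "${SSH_BIN:-ssh}" \
        -o IdentityAgent=none \
        -o IdentitiesOnly=yes \
        -i "$key" "$@"
)
```

Called as `ssh_tty_key "$HOME/backup_id_rsa" user@host`, it leaves every other shell attached to the central agent.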

More information about the openssh-unix-dev mailing list