This should be a blog post, and I'll make it one when I have more than 5 mins to spare. For instance these examples are hard-coded for my github SSH key, rather than parameterised.
Based on this SO question
Rather than use pass -c
to copy an SSH key passphrase to your system clipboard and then paste it at the ssh-askpass prompt (which is not very secure: any program can read the clipboard), you can use an SSH_ASKPASS
script to retrieve the passphrase from password store and give it to ssh-add
.
- Make a script that retrieves the passphrase from
pass
(which in turn will prompt for a master passphrase if needed, via GnuPG PinEntry):
#!/bin/bash
pass github/sinewalker|head -1
- Use this as the
$SSH_ASKPASS
script tossh-add
. Note the extra$DISPLAY
environment variable and redirection trickery to convince ssh-add to use the script:
#!/bin/bash
export DISPLAY=dummy
export SSH_ASKPASS=/path/to/above/script
ssh-add /path/to/keys/github < /dev/null