sinewalker
12/19/2018 - 10:50 PM

Get passphrase for an SSH key from password store, securely

Get passphrase for an SSH key from password store, securely

This should be a blog post, and I'll make it one when I have more than 5 mins to spare. For instance these examples are hard-coded for my github SSH key, rather than parameterised.

Based on this SO question

Rather than use pass -c to copy an SSH key passphrase to your system clipboard and then paste it at the ssh-askpass prompt (which is not very secure: any program can read the clipboard), you can use an SSH_ASKPASS script to retrieve the passphrase from password store and give it to ssh-add.

  1. Make a script that retrieves the passphrase from pass (which in turn will prompt for a master passphrase if needed, via GnuPG PinEntry):
#!/bin/bash
pass github/sinewalker|head -1
  1. Use this as the $SSH_ASKPASS script to ssh-add. Note the extra $DISPLAY environment variable and redirection trickery to convince ssh-add to use the script:
#!/bin/bash
export DISPLAY=dummy
export SSH_ASKPASS=/path/to/above/script
ssh-add /path/to/keys/github < /dev/null