From b884ddb6342e740b58981fb1eb04191509cd2e99 Mon Sep 17 00:00:00 2001
From: Kenichi Kamiya
Date: Fri, 18 Oct 2024 12:02:19 +0900
Subject: [PATCH 1/4] Set $SSH_ASKPASS as same as $RCLONE_PASSWORD_COMMAND
---
 home-manager/ssh.nix | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/home-manager/ssh.nix b/home-manager/ssh.nix
index e15cef4ff..3fa74cd54 100644
--- a/home-manager/ssh.nix
+++ b/home-manager/ssh.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ pkgs, config, ... }:
 let
 # SSH files cannot use XDG Base Directory.
@@ -19,6 +19,12 @@ in
 # Prefer gpg-agent for SSH agent role
 services.ssh-agent.enable = false;
+ home.sessionVariables = {
+ # 'force' ignores $DISPLAY. 'prefer' is not enough
+ SSH_ASKPASS_REQUIRE = "force";
+ SSH_ASKPASS = "${pkgs.lib.getExe pkgs.pass} show ssh-pass";
+ };
+
 # https://github.com/nix-community/home-manager/blob/release-24.05/modules/programs/ssh.nix
 programs.ssh = {
 enable = true;
From 503caf8abff9c0ea2f7c037323246049843615d8 Mon Sep 17 00:00:00 2001
From: Kenichi Kamiya
Date: Fri, 18 Oct 2024 12:27:31 +0900
Subject: [PATCH 2/4] Switch back to ssh-agent from gpg-agent
This partially reverts GH-814
However ssh passphrase will be kept by the SSH_ASKPASS and gpg encrypted command
---
 README.md | 1 -
 home-manager/gpg.nix | 2 +-
 home-manager/ssh.nix | 3 +--
 nixos/configuration.nix | 4 ----
 nixos/desktop/default.nix | 2 +-
 5 files changed, 3 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index 9f0adef42..4b9051484 100644
--- a/README.md
+++ b/README.md
@@ -155,7 +155,6 @@ Check [traps](./windows/Multi-booting.md)
 ```bash
 touch ~/.ssh/id_ed25519 && chmod 400 ~/.ssh/id_ed25519
 hx ~/.ssh/id_ed25519
- gpg-connect-agent updatestartuptty /bye
 ssh-add ~/.ssh/id_ed25519
 ```
diff --git a/home-manager/gpg.nix b/home-manager/gpg.nix
index 002ef5519..acb608b7a 100644
--- a/home-manager/gpg.nix
+++ b/home-manager/gpg.nix
@@ -38,7 +38,7 @@ in
 pinentryPackage = pkgs.pinentry-tty;
- enableSshSupport = true;
+ enableSshSupport = false;
 };
 # https://github.com/nix-community/home-manager/blob/release-24.05/modules/programs/gpg.nix
diff --git a/home-manager/ssh.nix b/home-manager/ssh.nix
index 3fa74cd54..f77a246b6 100644
--- a/home-manager/ssh.nix
+++ b/home-manager/ssh.nix
@@ -16,8 +16,7 @@ in
 # - id_*.pub: I CAN register them for different services.
 {
 # https://github.com/nix-community/home-manager/blob/release-24.05/modules/services/ssh-agent.nix
- # Prefer gpg-agent for SSH agent role
- services.ssh-agent.enable = false;
+ services.ssh-agent.enable = pkgs.stdenv.isLinux;
 home.sessionVariables = {
 # 'force' ignores $DISPLAY. 'prefer' is not enough
diff --git a/nixos/configuration.nix b/nixos/configuration.nix
index 4ee8ca7bf..75c99b20f 100644
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@@ -140,10 +140,6 @@
 # Some programs need SUID wrappers, can be configured further or are
 # started in user sessions.
 # programs.mtr.enable = true;
- # programs.gnupg.agent = {
- # enable = true;
- # enableSSHSupport = true;
- # };
 # List services that you want to enable:
diff --git a/nixos/desktop/default.nix b/nixos/desktop/default.nix
index 8fa8ba785..c85155b88 100644
--- a/nixos/desktop/default.nix
+++ b/nixos/desktop/default.nix
@@ -85,7 +85,7 @@
 gnome-music # does not support flac by defaults
 ]);
- # Recommended to be uninstalled by gnupg.
+ # Recommended to be uninstalled by gnupg. I prefer this way, even though disabling gpg-agent ssh integrations.
 # https://wiki.gnupg.org/GnomeKeyring
 #
 # And enabling this makes $SSH_AUTH_SOCK overriding even through enabled gpg-agent in home-manager
From 3633678f46c64d4927649cd4a101f0a175511502 Mon Sep 17 00:00:00 2001
From: Kenichi Kamiya
Date: Fri, 18 Oct 2024 12:36:39 +0900
Subject: [PATCH 3/4] Fix how to wrap the SSH_ASKPASS
---
 home-manager/ssh.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
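Review bot: `enableSshSupport = false;` moves loaded private keys from gpg-agent to plain ssh-agent, and nothing in this commit sets a lifetime for them: ssh-agent keeps a key usable until the agent exits unless `ssh-add -t <time>` is used, whereas keys held by gpg-agent were subject to its `default-cache-ttl-ssh`/`max-cache-ttl-ssh` limits. The README step edited in the same commit still runs a bare `ssh-add ~/.ssh/id_ed25519`, so a key decrypted through the new SSH_ASKPASS wrapper stays unlocked for the whole session. Consider `ssh-add -t 8h ~/.ssh/id_ed25519` in that README step, or an `AddKeysToAgent` setting with a lifetime under `programs.ssh`, and note the trade-off in the commit message. The gpg-agent attribute set closes inside this hunk but its other options are outside it, so any TTLs it configured are not visible here.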
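Review bot: `services.ssh-agent.enable = pkgs.stdenv.isLinux;` drops the comment that explained the previous choice and gives no rationale for the platform condition, so the next reader has to guess why the agent is Linux-only. The module linked on the line above appears to be a systemd user service, which would explain the gate, but that is not stated anywhere in the hunk — confirm. Suggest keeping a one-line comment above it, e.g. `# Back to ssh-agent; the linked home-manager module is a systemd user service, so only enable it on Linux`. The `home.sessionVariables` block that starts at the end of this hunk continues outside it.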
diff --git a/home-manager/ssh.nix b/home-manager/ssh.nix
index f77a246b6..9a955aaa1 100644
--- a/home-manager/ssh.nix
+++ b/home-manager/ssh.nix
@@ -21,7 +21,14 @@ in
 home.sessionVariables = {
 # 'force' ignores $DISPLAY. 'prefer' is not enough
 SSH_ASKPASS_REQUIRE = "force";
- SSH_ASKPASS = "${pkgs.lib.getExe pkgs.pass} show ssh-pass";
+ SSH_ASKPASS = pkgs.lib.getExe (
+ pkgs.writeShellApplication {
+ name = "ssh-ask-pass";
+ text = "pass show ssh-pass";
+ meta.description = "GH-714. Required to be wrapped with one command because of SSH_ASKPASS does not accepts arguments.";
+ runtimeInputs = with pkgs; [ pass ];
+ }
+ );
 };
 # https://github.com/nix-community/home-manager/blob/release-24.05/modules/programs/ssh.nix
From 9eb661dc14d3db2661fe8ce08471afa6352f2dbd Mon Sep 17 00:00:00 2001
From: Kenichi Kamiya
Date: Fri, 18 Oct 2024 12:46:06 +0900
Subject: [PATCH 4/4] Fix typo
---
 home-manager/ssh.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/home-manager/ssh.nix b/home-manager/ssh.nix
index 9a955aaa1..6206243c9 100644
--- a/home-manager/ssh.nix
+++ b/home-manager/ssh.nix
@@ -25,7 +25,7 @@ in
 pkgs.writeShellApplication {
 name = "ssh-ask-pass";
 text = "pass show ssh-pass";
- meta.description = "GH-714. Required to be wrapped with one command because of SSH_ASKPASS does not accepts arguments.";
+ meta.description = "GH-714. Required to be wrapped with one command because of SSH_ASKPASS does not accept arguments.";
 runtimeInputs = with pkgs; [ pass ];
 }
 );
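Review bot: The wrapper's `text = "pass show ssh-pass";` ignores the prompt that ssh passes as its first argument, yet `SSH_ASKPASS_REQUIRE = "force";` (context line above) routes every interactive ssh/ssh-add prompt through it — not just the passphrase for this one key but also yes/no confirmations such as accepting an unknown host key, and passphrase prompts for any other key. In those cases the stored passphrase is emitted as the answer, so the confirmation cannot succeed (ssh may re-prompt) and the secret is handed to a prompt that never asked for it. Suggest gating on the prompt text so the secret is only released for a passphrase prompt and everything else exits non-zero, which ssh treats as an empty answer and therefore fails closed; `writeShellApplication` enables `set -u`, hence `${1-}`, and the `*passphrase*` pattern assumes OpenSSH's "Enter passphrase for ..." wording — confirm against the ssh version in use. The new `meta.description` cites GH-714 while the previous commit message says it partially reverts GH-814 — confirm which issue number is intended. `home.sessionVariables` closes inside the hunk, but the enclosing module continues outside it.

```nix
text = ''
  # Release the secret only for a passphrase prompt; fail closed on yes/no
  # confirmations and any other prompt routed here by SSH_ASKPASS_REQUIRE=force.
  case "''${1-}" in
    *passphrase*) exec pass show ssh-pass ;;
    *) exit 1 ;;
  esac
'';
```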