Hey there,
I just wanted to know the correct/best way to use other ssh-askpass applications than x11-ssh-askpass such as the one coming with seahorse.
Plain installing seahorse does not work.
Setting SSH_ASKPASS to /usr/lib/seahorse/ssh-askpass does also not work with the openssh ssh-agent. (fails with fido2 resident keys for me at least)
I already found this topic https://bbs.archlinux.org/viewtopic.php?id=240547 where it is not answered, but rather got a link thrown at it by WorMzy.
So, is softlinking /usr/lib/seahorse/ssh-askpass to /usr/lib/ssh/ssh-askpass an elegant solution, or are there any reasons on why this is bad?
Thanks!
Last edited by JannF (2026-03-24 14:39:26)
Symlinking stuff is maybe being done because /usr/lib/* isn't in your $PATH
Setting SSH_ASKPASS to /usr/lib/seahorse/ssh-askpass does also not work with the openssh ssh-agent.
What does that mean? How and where do you export the variable? How does it then "not work"?
But all I do is linking from /usr/lib/seahorse/ssh-askpass to /usr/lib/ssh/ssh-askpass and both are not in my PATH.
It rather seems that ssh-add only looks in /usr/lib/ssh for ssh-askpass and ignores the SSH_ASKPASS variable.
I set this variable in ~/.config/environment.d/askpass.conf for my user session.
EDIT: when trying to use a fido resident key (ed25519_sk) with the ssh-agent, it fails with
sign_and_send_pubkey: signing failed for ED25519-SK "/home/xxx/.ssh/id_ed25519_sk" from agent: agent refused operation
Last edited by JannF (2026-03-24 13:55:22)
No, but one is hardcoded.
I set this variable in ~/.config/environment.d/askpass.conf for my user session.
To what exact value?
No, but one is hardcoded.
I set this variable in ~/.config/environment.d/askpass.conf for my user session.
To what exact value?
askpass.conf:
SSH_ASKPASS=/usr/lib/seahorse/ssh-askpass
But symlinking works?
"agent refused operation" very much sounds like a different agent is being used but that doesn't work correctly.
I found https://unix.stackexchange.com/question … -operation about seahorse not supporting Ed25519
ssh-add -L
I do not use seahorse, but rather only the ssh-askpass application that comes with it (no X11).
When I symlink it, it works. When I use the SSH_ASKPASS variable, it doesn't.
I know that agent refused operation does not sound like it cannot find the ssh-askpass application, but this is where I narrowed it down.
When I use ssh-add -K to add the key, it asks for the token PIN on the shell without invoking any ssh-askpass application.
Oh boy...
It looks like ssh-add does indeed honor the SSH_ASKPASS variable, but I never unplugged and replugged the token on the first try after a reboot and it was in a state where it just did not work. (most likely usbguard locked screen protection without trusting the token when plugged in on a locked screen)
Now on a clean session plugging in the token, it works.
I feel stupid.
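For anyone debugging the same question, here is an added example (not posted by anyone in this thread) that reports which askpass helper a running ssh-agent would launch, based on that process's own environment rather than the shell's. It assumes Linux /proc, `pgrep` and `readlink -f`; the function names are made up for this sketch, and the default path is the one the thread describes as hardcoded on Arch.

```shell
#!/bin/sh
# Added example, not from the thread. Usage: sh askpass-check.sh --report
# DEFAULT_ASKPASS: the path the thread calls hardcoded on Arch (override if needed).
DEFAULT_ASKPASS=${DEFAULT_ASKPASS:-/usr/lib/ssh/ssh-askpass}

# askpass_from_environ FILE
# FILE is NUL-separated like /proc/PID/environ. Prints the SSH_ASKPASS value
# when the variable is present in that environment, otherwise the default path.
askpass_from_environ() {
    if tr '\000' '\n' < "$1" | grep -q '^SSH_ASKPASS='; then
        tr '\000' '\n' < "$1" | sed -n 's/^SSH_ASKPASS=//p' | head -n 1
    else
        printf '%s\n' "$DEFAULT_ASKPASS"
    fi
}

# helper_status PATH
# Prints: missing | not-executable | symlink -> TARGET | ok
helper_status() {
    if [ ! -e "$1" ]; then
        echo "missing"            # also covers a dangling symlink
    elif [ ! -x "$1" ] || [ -d "$1" ]; then
        echo "not-executable"
    elif [ -L "$1" ]; then
        echo "symlink -> $(readlink -f "$1")"
    else
        echo "ok"
    fi
}

# report_agents: one line per ssh-agent owned by the current user.
# /proc/PID/environ shows the environment the agent was started with, so a
# variable exported later in a shell does not appear there.
report_agents() {
    for pid in $(pgrep -u "$(id -u)" -x ssh-agent); do
        helper=$(askpass_from_environ "/proc/$pid/environ") || continue
        printf 'ssh-agent %s: %s (%s)\n' \
            "$pid" "$helper" "$(helper_status "$helper")"
    done
}

if [ "${1:-}" = "--report" ]; then
    report_agents
fi
```

If the agent line shows the default path while your shell has SSH_ASKPASS set, the agent was started before the variable reached the session environment.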