From 657bad385749e689826d91d6f02ea2d69cf32c72 Mon Sep 17 00:00:00 2001 From: Michael Farrell Date: Tue, 18 Feb 2025 15:30:45 +1000 Subject: [PATCH 1/2] fix sonoma 14.6+ (#54) --- README.md | 116 ++++++++++++++++++++++++++++++++++++++++------ ssh-askpass.plist | 6 +-- 2 files changed, 103 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index 29b4dff..342502d 100644 --- a/README.md +++ b/README.md 
@@ -12,29 +12,100 @@ Used to accept (or deny) the use of the private key(s) added to the SSH authenti ## Installation ### [Homebrew](https://brew.sh/) -* Run: - ``` - $ brew install theseal/ssh-askpass/ssh-askpass - ``` -* Follow caveats +1. Run: + + ```sh + brew install xquartz theseal/ssh-askpass/ssh-askpass + ``` + + See: [why install XQuartz?](#why-install-xquartz). + +1. Log out and log in again. + +1. Check that the `DISPLAY` environment variable is now set for `ssh-agent` + by XQuartz in "inherited environment": + + ```sh + launchctl print gui/$UID/com.openssh.ssh-agent + ``` + +1. On Apple Silicon Macs, run: + + ```sh + sudo mkdir -p /private/var/select/X11/bin + sudo ln -s /opt/homebrew/bin/ssh-askpass /private/var/select/X11/bin/ + ``` + + On Intel Macs, run: + + ```sh + sudo mkdir -p /private/var/select/X11/bin + sudo ln -s /usr/local/bin/ssh-askpass /private/var/select/X11/bin/ + ``` ### [MacPorts](https://www.macports.org) -* Install: - ``` - $ sudo port install ssh-askpass - ``` +1. Install [XQuartz](https://www.xquartz.org/) from their packages. + + MacPorts package this as well, but they've modified their install to + disable the user LaunchAgent by default. The upstream package just works. + + See: [why install XQuartz?](#why-install-xquartz). + +1. Log out and log in again. + +1. Check that the `DISPLAY` environment variable is now set for `ssh-agent` + by XQuartz in "inherited environment": + + ```sh + launchctl print gui/$UID/com.openssh.ssh-agent + ``` + +1. Run: + + ```sh + sudo port install ssh-askpass + sudo mkdir -p /private/var/select/X11/bin + sudo ln -s /usr/local/bin/ssh-askpass /private/var/select/X11/bin/ + ``` ### Without Homebrew/MacPorts -* Run: -``` -$ cp ssh-askpass /usr/local/bin/ -$ cp ssh-askpass.plist ~/Library/LaunchAgents/ -$ launchctl load -w ~/Library/LaunchAgents/ssh-askpass.plist +1. Install [XQuartz](https://www.xquartz.org/) from their packages. + + See: [why install XQuartz?](#why-install-xquartz). + +1. 
Log out and log in again, so Apple's `ssh-agent` picks up the `DISPLAY` + environment variables. + +1. Check that the `DISPLAY` environment variable is now set for `ssh-agent` + by XQuartz in "inherited environment": + + ```sh + launchctl print gui/$UID/com.openssh.ssh-agent + ``` + +1. Install `ssh-askpass` to `/private/var/select/X11/bin/`: + + ```sh + sudo mkdir -p /private/var/select/X11/bin + sudo cp ssh-askpass /private/var/select/X11/bin/ + ``` + + macOS has a broken symlink at `/usr/X11R6` to this path, so this + creates it and puts `ssh-askpass` there. + +You should now be able to use it with `ssh-add -c`. + +If some tool does not look for `ssh-askpass` in +`/usr/X11R6/bin/ssh-askpass`, you can a LaunchAgent to provide the path in +the `SSH_ASKPASS` environment variable: + +```sh +cp ssh-askpass.plist ~/Library/LaunchAgents/ +launchctl load -w ~/Library/LaunchAgents/ssh-askpass.plist ``` -* No need to log out; you can add keys to the agent with `ssh-add -c` ## Enabling keyboard navigation For security reasons ssh-askpass defaults to cancel since it's too easy to @@ -54,6 +125,21 @@ ssh-keys. To make it easier to press `OK`: Now you can press ⇥+spacebar to press `OK`. +## Why install XQuartz? + +[Sonoma 14.6 and later block environment variables set by `launchctl setenv` from system LaunchAgents](https://github.com/theseal/ssh-askpass/issues/54#issuecomment-2264396356) +(eg: Apple's `ssh-agent`). + +However, these changes **do not** affect environment variables set by +non-system LaunchAgents using `SecureSocketWithKey`. + +When XQuartz' LaunchAgent is configured correctly, it instructs `launchd` to +setup a socket and expose it with the `DISPLAY` environment variable. + +This also means you can't rely on the `SSH_ASKPASS` environment variable to +tell Apple's `ssh-agent` where `ssh-askpass` is - it must be available at +the default location (`/usr/X11R6/bin/ssh-askpass`). + ## License ISC license 
diff --git a/ssh-askpass.plist b/ssh-askpass.plist index af9ab75..283b91a 100644 --- a/ssh-askpass.plist +++ b/ssh-askpass.plist @@ -11,10 +11,8 @@ /bin/sh -pc #!/bin/sh -launchctl setenv SSH_ASKPASS "${SSH_ASKPASS:=/usr/local/bin/ssh-askpass}" -launchctl setenv SUDO_ASKPASS "${SUDO_ASKPASS:=/usr/local/bin/ssh-askpass}" -launchctl list org.xquartz.startx >/dev/null || launchctl setenv DISPLAY "${DISPLAY:=ssh-askpass}" # only if not already set by Xquartz -launchctl stop com.openssh.ssh-agent # to make sure it picks up environment +launchctl setenv SSH_ASKPASS "${SSH_ASKPASS:=/private/var/select/X11/bin/ssh-askpass}" +launchctl setenv SUDO_ASKPASS "${SUDO_ASKPASS:=/private/var/select/X11/bin/ssh-askpass}" RunAtLoad From 5f9a8f6f9ba761a5ed94d44b0c539e174d38b82c Mon Sep 17 00:00:00 2001 From: Michael Farrell Date: Mon, 26 May 2025 21:42:19 +1000 Subject: [PATCH 2/2] Update MacPorts paths (thanks @lepus2589) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 342502d..b5fafc7 100644 --- a/README.md +++ b/README.md @@ -67,7 +67,7 @@ Used to accept (or deny) the use of the private key(s) added to the SSH authenti ```sh sudo port install ssh-askpass sudo mkdir -p /private/var/select/X11/bin - sudo ln -s /usr/local/bin/ssh-askpass /private/var/select/X11/bin/ + sudo ln -s /opt/local/bin/ssh-askpass /private/var/select/X11/bin/ ``` ### Without Homebrew/MacPorts
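Review bot: in the first README.md hunk (`@@ -12,29 +12,100 @@`), the sentence "you can a LaunchAgent to provide the path in the `SSH_ASKPASS` environment variable" is missing its verb and should read "you can add a LaunchAgent". The three "Check that the `DISPLAY` environment variable is now set" steps run `launchctl print gui/$UID/com.openssh.ssh-agent` but never say what confirms success; state that the reader should find a `DISPLAY` entry in the "inherited environment" section of that output, and that if it is absent the XQuartz LaunchAgent is not loaded and the later steps will not work.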
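Review bot: the "Why install XQuartz?" hunk (`@@ -54,6 +125,21 @@`) contrasts variables set by `launchctl setenv` with variables "set by non-system LaunchAgents using `SecureSocketWithKey`", but `SecureSocketWithKey` is a `Sockets` key in a launchd plist, not a way of calling `launchctl setenv`; say plainly that launchd itself creates the socket and injects its path as `DISPLAY`, so no `setenv` call is involved and that is why the restriction does not apply. Wording: "XQuartz' LaunchAgent" should be "XQuartz's LaunchAgent", "setup a socket" should be "set up a socket", and "eg:" should be "e.g.".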
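Review bot: in the ssh-askpass.plist hunk (`@@ -11,10 +11,8 @@`), the remaining `launchctl setenv SSH_ASKPASS` and `SUDO_ASKPASS` lines use the exact mechanism the README in this same patch says Sonoma 14.6+ no longer propagates to Apple's `ssh-agent`, so the file's purpose has narrowed to tools that honour `SSH_ASKPASS` or `SUDO_ASKPASS` themselves; a comment at the top of the script (or beside the README's "If some tool does not look for `ssh-askpass`" paragraph) saying the LaunchAgent is optional and does not affect `ssh-add -c` would stop users from loading it and expecting it to fix the agent. Dropping `launchctl stop com.openssh.ssh-agent` also means an already-running agent keeps its old environment until the next login, which the README's new "Log out and log in again" step covers; worth stating in the commit message since the plist was previously self-contained.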
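Review bot: in the PATCH 2/2 README.md hunk (`@@ -67,7 +67,7 @@`), the corrected target `/opt/local/bin/ssh-askpass` is right for MacPorts, but anyone who already followed the earlier instructions has a symlink at `/private/var/select/X11/bin/ssh-askpass` pointing at `/usr/local/bin/ssh-askpass`, and `sudo ln -s /opt/local/bin/ssh-askpass /private/var/select/X11/bin/` will fail with "File exists" instead of replacing it. Suggest `sudo ln -sf /opt/local/bin/ssh-askpass /private/var/select/X11/bin/ssh-askpass`, or a sentence telling the reader to remove the stale link first; the Homebrew section's `ln -s` has the same rerun problem.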