116 changes: 101 additions & 15 deletions README.md
Expand Up @@ -12,29 +12,100 @@ Used to accept (or deny) the use of the private key(s) added to the SSH authenti
## Installation

### [Homebrew](https://brew.sh/)
* Run:

```
$ brew install theseal/ssh-askpass/ssh-askpass
```
* Follow caveats
1. Run:

```sh
brew install xquartz theseal/ssh-askpass/ssh-askpass
```

See: [why install XQuartz?](#why-install-xquartz).

1. Log out and log in again.

1. Check that the `DISPLAY` environment variable is now set for `ssh-agent`
by XQuartz in "inherited environment":

```sh
launchctl print gui/$UID/com.openssh.ssh-agent
```

1. On Apple Silicon Macs, run:

```sh
sudo mkdir -p /private/var/select/X11/bin
sudo ln -s /opt/homebrew/bin/ssh-askpass /private/var/select/X11/bin/
```

On Intel Macs, run:

```sh
sudo mkdir -p /private/var/select/X11/bin
sudo ln -s /usr/local/bin/ssh-askpass /private/var/select/X11/bin/
```

### [MacPorts](https://www.macports.org)
* Install:

```
$ sudo port install ssh-askpass
```
1. Install [XQuartz](https://www.xquartz.org/) from their packages.

MacPorts package this as well, but they've modified their install to
disable the user LaunchAgent by default. The upstream package just works.

See: [why install XQuartz?](#why-install-xquartz).

1. Log out and log in again.

1. Check that the `DISPLAY` environment variable is now set for `ssh-agent`
by XQuartz in "inherited environment":

```sh
launchctl print gui/$UID/com.openssh.ssh-agent
```

1. Run:

```sh
sudo port install ssh-askpass
sudo mkdir -p /private/var/select/X11/bin
sudo ln -s /opt/local/bin/ssh-askpass /private/var/select/X11/bin/
```

### Without Homebrew/MacPorts

* Run:
```
$ cp ssh-askpass /usr/local/bin/
$ cp ssh-askpass.plist ~/Library/LaunchAgents/
$ launchctl load -w ~/Library/LaunchAgents/ssh-askpass.plist
1. Install [XQuartz](https://www.xquartz.org/) from their packages.

See: [why install XQuartz?](#why-install-xquartz).

1. Log out and log in again, so Apple's `ssh-agent` picks up the `DISPLAY`
environment variables.

1. Check that the `DISPLAY` environment variable is now set for `ssh-agent`
by XQuartz in "inherited environment":

```sh
launchctl print gui/$UID/com.openssh.ssh-agent
```

1. Install `ssh-askpass` to `/private/var/select/X11/bin/`:

```sh
sudo mkdir -p /private/var/select/X11/bin
sudo cp ssh-askpass /private/var/select/X11/bin/
```

macOS has a broken symlink at `/usr/X11R6` to this path, so this
creates it and puts `ssh-askpass` there.

You should now be able to use it with `ssh-add -c`.

If some tool does not look for `ssh-askpass` in
`/usr/X11R6/bin/ssh-askpass`, you can a LaunchAgent to provide the path in
the `SSH_ASKPASS` environment variable:

```sh
cp ssh-askpass.plist ~/Library/LaunchAgents/
launchctl load -w ~/Library/LaunchAgents/ssh-askpass.plist
```
* No need to log out; you can add keys to the agent with `ssh-add -c`

## Enabling keyboard navigation
For security reasons ssh-askpass defaults to cancel since it's too easy to
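Review bot: In the new "Without Homebrew/MacPorts" text, the sentence "you can a LaunchAgent to provide the path" is missing its verb and should read "you can use a LaunchAgent". In the Homebrew and MacPorts steps, `sudo ln -s ... /private/var/select/X11/bin/` fails with "File exists" when the step is repeated, for example after a reinstall; `ln -sf` would make it repeatable. The "Check that the `DISPLAY` environment variable is now set" step also does not say what to do when `DISPLAY` is missing from "inherited environment", and the manual section says "environment variables" where the other two sections refer to the single `DISPLAY` variable.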
Expand All @@ -54,6 +125,21 @@ ssh-keys. To make it easier to press `OK`:

Now you can press ⇥+spacebar to press `OK`.

## Why install XQuartz?

[Sonoma 14.6 and later block environment variables set by `launchctl setenv` from system LaunchAgents](https://github.com/theseal/ssh-askpass/issues/54#issuecomment-2264396356)
(eg: Apple's `ssh-agent`).

However, these changes **do not** affect environment variables set by
non-system LaunchAgents using `SecureSocketWithKey`.

When XQuartz' LaunchAgent is configured correctly, it instructs `launchd` to
setup a socket and expose it with the `DISPLAY` environment variable.

This also means you can't rely on the `SSH_ASKPASS` environment variable to
tell Apple's `ssh-agent` where `ssh-askpass` is - it must be available at
the default location (`/usr/X11R6/bin/ssh-askpass`).

## License
ISC license
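Review bot: The last paragraph of "Why install XQuartz?" names `/usr/X11R6/bin/ssh-askpass` as the default location, while every install step writes to `/private/var/select/X11/bin/`, and the connection between the two is explained only in the "Without Homebrew/MacPorts" section. Repeat the note about the `/usr/X11R6` symlink here so Homebrew and MacPorts readers can see why their steps work. The same paragraph says `SSH_ASKPASS` cannot be relied on for Apple's `ssh-agent`, yet the install section still offers the LaunchAgent that sets it; one sentence saying that LaunchAgent is only for other tools would remove the apparent contradiction. Minor: "setup a socket" should be "set up a socket", and "eg:" should be "e.g.".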

6 changes: 2 additions & 4 deletions ssh-askpass.plist
Expand Up @@ -11,10 +11,8 @@
<string>/bin/sh</string>
<string>-pc</string>
<string>#!/bin/sh
launchctl setenv SSH_ASKPASS "${SSH_ASKPASS:=/usr/local/bin/ssh-askpass}"
launchctl setenv SUDO_ASKPASS "${SUDO_ASKPASS:=/usr/local/bin/ssh-askpass}"
launchctl list org.xquartz.startx >/dev/null || launchctl setenv DISPLAY "${DISPLAY:=ssh-askpass}" # only if not already set by Xquartz
launchctl stop com.openssh.ssh-agent # to make sure it picks up environment
launchctl setenv SSH_ASKPASS "${SSH_ASKPASS:=/private/var/select/X11/bin/ssh-askpass}"
launchctl setenv SUDO_ASKPASS "${SUDO_ASKPASS:=/private/var/select/X11/bin/ssh-askpass}"
</string>
</array>
<key>RunAtLoad</key>
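Review bot: The two new `launchctl setenv` lines default `SSH_ASKPASS` and `SUDO_ASKPASS` to `/private/var/select/X11/bin/ssh-askpass` without checking that anything exists there. That path is only populated by the manual `sudo mkdir` plus `ln -s` or `cp` step in the README, so a user who loads the plist without doing it exports a dangling path. Consider a `[ -x ... ]` test before each `setenv`, or skipping the export when the file is missing. The change also drops the `DISPLAY` fallback and the `launchctl stop com.openssh.ssh-agent` line; since the README ties the `setenv` block to Sonoma 14.6 and later, say whether older macOS releases are still expected to work without them.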