Bash script ssh_askpass error

I have a bash script that includes a git command. I run the script as sudo, and it needs to pull a git repo using my user’s ssh keys:
su -c "git pull" miscguy

It was working fine on 23.05. After upgrading to 23.11 it no longer works and I get an ssh_askpass error.

ssh_askpass: exec(/nix/store/vbap9vbg77ss1y9f9jqsm5nsychsda17-openssh-9.6p1/libexec/ssh-askpass): No such file or directory

Which is not a huge surprise because that path doesn’t exist in the openssh nixos store folder:

[miscguy@nixt15g:~/nixos]$ ls /nix/store/vbap9vbg77ss1y9f9jqsm5nsychsda17-openssh-9.6p1/libexec
sftp-server ssh-keysign ssh-pkcs11-helper ssh-sk-helper

There is now an ssh_askpass folder in the seahorse nixos store folder:

[miscguy@nixt15g:~/nixos]$ ls /nix/store/0nvbpvddxls11bba5p6hfbrkjglb6h4x-seahorse-43.0/libexec/seahorse
ssh-askpass xloadimage

Note that I never configured anything for ssh_askpass; it just worked automatically in 23.05 and I don’t know how to fix it.

Thanks!

I do not think we shipped ssh-askpass with openssh since that would require openssh to depend on a GUI toolkit. Instead we set SSH_ASKPASS environment variable in a NixOS module.

Thanks for your reply. Curiously, SSH_ASKPASS is pointing to the correct location.

[miscguy@nixhq:~]$ env | grep SSH_ASKPASS
SSH_ASKPASS=/nix/store/0nvbpvddxls11bba5p6hfbrkjglb6h4x-seahorse-43.0/libexec/seahorse/ssh-askpass

Any thoughts on why it still looks for the old path when my script runs su -c "git pull" miscguy? I’m stumped.

ETA: I can rewrite my script to eliminate the need to su if there’s not an easy way to solve this.

su and other privilege elevators filter environment variables for security reasons: without that, an attacker could set up an environment variable to point to a malicious executable behind your back and then, when you elevate a program, it might execute the malicious executable with elevated privilege.

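The environment filtering described in the last reply can be shown without root, su or ssh. The script below is an added example, not code from the thread or from NixOS: it uses `env -i` as a stand-in for the variable scrubbing that su/sudo perform, shows that an exported SSH_ASKPASS does not reach the child (so ssh falls back to its compiled-in default path, which is what produced the error above), and shows that passing exactly the one variable the child needs on the command line does survive the scrub. The store path is a constructed placeholder, and `askpass_is_sane` is a hypothetical helper illustrating the kind of check a defender wants before trusting a user-controlled helper path.

```shell
#!/bin/sh
# Added example (not from the thread). `env -i` stands in for the environment
# filtering that su/sudo do when changing users; no root or ssh is required.

# Constructed placeholder for the real seahorse store path quoted in the thread.
ASKPASS_PATH="/nix/store/EXAMPLE-seahorse/libexec/seahorse/ssh-askpass"

# Child started through a scrubbed environment: SSH_ASKPASS is gone, so ssh in
# that position would use its compiled-in default askpass path instead.
askpass_after_scrub() {
    SSH_ASKPASS="$ASKPASS_PATH" env -i /bin/sh -c 'printf "%s" "${SSH_ASKPASS:-unset}"'
}

# Passing only the variable the child needs, rather than forwarding the caller's
# whole environment, survives the scrub and keeps the exposure to that one name.
askpass_passed_explicitly() {
    env -i SSH_ASKPASS="$ASKPASS_PATH" /bin/sh -c 'printf "%s" "${SSH_ASKPASS:-unset}"'
}

# Hypothetical defensive check: an askpass helper taken from the environment
# should at least be an absolute path to an existing executable file.
# Returns 0 when the path is acceptable, 1 otherwise.
askpass_is_sane() {
    case "$1" in
        /*) [ -f "$1" ] && [ -x "$1" ] ;;
        *)  return 1 ;;
    esac
}

# Stand-alone demonstration; the functions above are what a caller reuses.
demo() {
    printf 'after scrub:        %s\n' "$(askpass_after_scrub)"
    printf 'passed explicitly:  %s\n' "$(askpass_passed_explicitly)"
    if askpass_is_sane /bin/sh; then
        echo "/bin/sh passes the sanity check"
    fi
    if ! askpass_is_sane relative/ssh-askpass; then
        echo "relative path rejected"
    fi
}

demo
```

The second function is the safer shape for a script that must run `git pull` as another user: forward the single variable by name instead of preserving the whole environment, so the filtering the reply describes keeps protecting everything else.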