Seahorse overriding ssh-askpass

phg · October 31, 2020, 9:53am

Seahorse / gnome-keyring appear to have hijacked my SSH askpass. When I run
git fetch I get:

26692 execve("/nix/store/a19glxiarwaammrj43z1kgbq81vk0v8k-seahorse-3.36.2/libexec/seahorse/ssh-askpass", ["/nix/store/a19glxiarwaammrj43z1k"..., "Username for 'https://github.com"...], 0xcf13d0 /* 91 vars */ <unfinished ...>

I’m on 20.09; this didn’t exist on 20.03. I’ve got this in my config:

programs.ssh.askPassword = "${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass";
…
programs.seahorse.enable = false;
services.gnome3.gnome-keyring.enable = false;
security.pam.services.lightdm.enableGnomeKeyring = false;

and ran a nixos-rebuild switch to no avail. Strace shows it doesn’t even
attempt to exec the x11 askpass binary. x11_ssh_askpass is installed system
wide; passing SSH_ASKPASS=… with the path through envp works.

I’m not running gnome; I think the whole gnome stuff is being pulled in through
the fractal package. Otherwise it’s unneeded and frankly, unwanted.

How can I get the normal askpass behavior back while still being able to run
fractal?

zimbatm · October 31, 2020, 10:07am

What do you get for type ssh-askpass? Maybe seahorse was added to /run/current-system/sw/bin and something is not respecting the environment variable.
What do you get for env | grep SSH. It could be that a different SSH agent is running, or that the SSH_ASKPASS variable gets overwritten somehow.

phg · October 31, 2020, 10:16am

There’s no ssh-askpass in PATH.

Now that you mention it:

SSH_ASKPASS=/nix/store/a19glxiarwaammrj43z1kgbq81vk0v8k-seahorse-3.36.2/libexec/seahorse/ssh-askpass

In a fresh login shell I correctly get the x11-ssh-askpass there. Looks like
I’m going to have to ditch my X11 session for the change to be applied.

Saying good bye to 33 xterm sessions …

Thanks!