askpass-wrapper
Headless SSH passphrase wrangler. Bridges OpenSSH's askpass to
pass(1), because typing passphrases
eleven times before coffee is a war crime.
How it works
OpenSSH invokes $SSH_ASKPASS with the prompt as $1, e.g.:
Enter passphrase for /home/holm/.ssh/examplecorp/example-host_ed25519:
Enter passphrase for key '/home/holm/.ssh/id_rsa_example':
The wrapper extracts the key path, derives a pass entry from the path
relative to ~/.ssh/, and prints the passphrase on stdout.
| Key path | Pass entry |
|---|---|
| ~/.ssh/id_rsa_example | ssh/id_rsa_example |
| ~/.ssh/examplecorp/example-host_ed25519 | ssh/examplecorp/example-host_ed25519 |
Fallback: if ssh/<subpath> doesn't exist, tries ssh/<basename>.
Pass entry format
First line is the passphrase. Anything after that is metadata (comments, related URLs, etc.).
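The lookup described under "How it works" and "Pass entry format", written out as an added example (not the project's askpass-wrapper.sh). The function names are hypothetical, and refusing non-passphrase prompts, keys outside ~/.ssh/ and paths containing ".." is a choice of this example, not documented behaviour of the wrapper.

```bash
#!/usr/bin/env bash
# Added illustration, not the project's askpass-wrapper.sh.
# Assumption: prompts that are not passphrase prompts, keys outside
# ~/.ssh/ and paths containing ".." are refused instead of answered.

SQ="'"
KEY_PREFIX="Enter passphrase for key $SQ"   # quoted form: ... key '<path>':
ADD_PREFIX="Enter passphrase for "          # bare form:   ... <path>:

# Pull the key path out of the prompt OpenSSH passes as $1.
key_path_from_prompt() (
    case $1 in
        "$KEY_PREFIX"*"$SQ:"*) p=${1#"$KEY_PREFIX"}; p=${p%"$SQ:"*} ;;
        "$ADD_PREFIX"*":"*)    p=${1#"$ADD_PREFIX"}; p=${p%":"*} ;;
        *) return 1 ;;   # any other prompt never gets a passphrase
    esac
    [ -n "$p" ] && printf '%s\n' "$p"
)

# Print candidate entries: ssh/<subpath>, then the ssh/<basename> fallback.
pass_candidates() (
    root="$HOME/.ssh/"
    case $1 in "$root"*) sub=${1#"$root"} ;; *) return 1 ;; esac
    case "/$sub/" in */../*|*//*) return 1 ;; esac   # no traversal, no empty parts
    printf 'ssh/%s\n' "$sub"
    base=${sub##*/}
    [ "$base" = "$sub" ] || printf 'ssh/%s\n' "$base"
)

# Print only the first line (the passphrase) of the first entry that exists.
passphrase_for_prompt() (
    key=$(key_path_from_prompt "$1") || return 1
    cands=$(pass_candidates "$key") || return 1
    while IFS= read -r entry; do
        if out=$(pass show "$entry" 2>/dev/null); then
            printf '%s\n' "$out" | head -n 1   # metadata lines stay in the store
            return 0
        fi
    done <<EOF
$cands
EOF
    return 1
)
```

A non-zero exit with nothing on stdout means no passphrase is supplied for that prompt.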
Setup
git clone ssh://git@forgejo.mueller.network:2222/holm.tools.public/askpass-wrapper.git
ln -sfn "$PWD/askpass-wrapper/askpass-wrapper.sh" ~/bin/askpass-wrapper
In ~/.zshrc (or equivalent):
export SSH_ASKPASS="$HOME/bin/askpass-wrapper"
export SSH_ASKPASS_REQUIRE=force
Use with keychain to load keys silently at shell startup:
keychain --quiet --agents ssh --inherit any-once \
~/.ssh/id_ed25519 ~/.ssh/examplecorp/example-host_ed25519 ...
Requirements
- bash, grep, printf
- pass + a working GPG setup
License
MIT — Copyright (c) 2026 holm / Christian Müller, with the assistance of Claude 4.7 Opus (Anthropic).
See LICENSE.