ssh-agent: Fix asking for confirmation via $SSH_ASKPASS

This was lost back in
ffedee6ed523864dd5f871ffd85e3c2099d579a2. Getting this to work is
slightly tricky because ssh-agent runs as a user unit, and so doesn't
know the user's $DISPLAY.
Eelco Dolstra 2015-02-25 14:29:24 +01:00
parent 93902ea108
commit 36d0f367de
2 changed files with 27 additions and 2 deletions


@ -4,8 +4,19 @@
with lib;
let cfg = config.programs.ssh;
cfgd = config.services.openssh;
let
cfg = config.programs.ssh;
cfgd = config.services.openssh;
askPassword = "${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass";
askPasswordWrapper = pkgs.writeScript "ssh-askpass-wrapper"
''
#! ${pkgs.stdenv.shell} -e
export DISPLAY="$(systemctl --user show-environment | ${pkgs.gnused}/bin/sed 's/^DISPLAY=\(.*\)/\1/; t; d')"
exec ${askPassword}
'';
in
{
@ -117,6 +128,11 @@ in
Restart = "on-failure";
SuccessExitStatus = "0 2";
};
# Allow ssh-agent to ask for confirmation. This requires the
# unit to know about the user's $DISPLAY (via systemctl
# import-environment).
environment.SSH_ASKPASS = optionalString config.services.xserver.enable askPasswordWrapper;
environment.DISPLAY = "fake"; # required to make ssh-agent start $SSH_ASKPASS
};
environment.extraInit = optionalString cfg.startAgent
@ -126,5 +142,10 @@ in
fi
'';
environment.interactiveShellInit = optionalString config.services.xserver.enable
''
export SSH_ASKPASS=${askPassword}
'';
};
}
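Review bot: In the `askPasswordWrapper` script the `-e` flag does not catch a failed DISPLAY lookup, because the status of a command substitution inside `export` is discarded and the pipeline reports only sed's status. If `systemctl --user show-environment` fails or DISPLAY was never imported, the wrapper still execs x11-ssh-askpass with an empty DISPLAY. That presumably makes the prompt fail and the agent refuse the key use, which is the safe direction, but the user gets no hint why confirmation stopped working. Consider calling `${config.systemd.package}/bin/systemctl` by absolute path, as the X session script does, and adding `[ -n "$DISPLAY" ] || exit 1` before the `exec` line.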


@ -89,6 +89,10 @@ let
${config.hardware.pulseaudio.package}/bin/pactl load-module module-device-manager "do_routing=1"
''}
# Tell systemd about our $DISPLAY. This is needed by the
# ssh-agent unit.
${config.systemd.package}/bin/systemctl --user import-environment DISPLAY
# Load X defaults.
${xorg.xrdb}/bin/xrdb -merge ${xresourcesXft}
if test -e ~/.Xresources; then
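Review bot: The `import-environment DISPLAY` line writes into the per-user systemd manager, which is shared by all of that user's sessions, so with two X sessions for one user the later login overwrites the value. The ssh-agent confirmation dialog is then raised on that display, not necessarily the one where the key is being used. A comment stating the limitation would help, e.g. `# Note: the user manager holds a single DISPLAY; the last X session to start wins.` If the X server needs an authority file outside the default location, the askpass wrapper would presumably need XAUTHORITY as well; nothing visible here handles that. The surrounding session script starts and ends outside this hunk.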