Commit 1cd6a8663521
Changed files (2)
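--- a/home/common/shell/openssh.nix
+++ b/home/common/shell/openssh.nix
@@ -16,7 +16,8 @@ in
 home.packages = with pkgs; [
 sshfs
 ];
-services.ssh-agent.enable = true;
+# Using NixOS programs.ssh.startAgent instead (has proper SSH_ASKPASS support for FIDO2)
+services.ssh-agent.enable = false;
 programs.ssh = {
 enable = true;
 enableDefaultConfig = false;
@@ -47,7 +48,8 @@ in
 serverAliveInterval = 60;
 hashKnownHosts = true;
 userKnownHostsFile = "${config.home.homeDirectory}/.ssh/known_hosts";
-addKeysToAgent = "confirm";
+# "yes" adds keys without confirmation; FIDO2 touch-required keys still enforce touch at hardware level
+addKeysToAgent = "yes";
 controlMaster = "auto";
 controlPersist = "10m";
 controlPath = "${config.home.homeDirectory}/.ssh/master-%C";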
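Review bot: The justification for `addKeysToAgent = "yes"` in the second hunk only covers FIDO2 keys that require touch, but the option applies to every key ssh loads into the agent, so a plain (non-FIDO) key, or a FIDO2 key created without the touch requirement, is now usable by any client of the agent socket without the per-use prompt that `confirm` provided; if agent forwarding is ever enabled, that is the exposure to weigh. If the intent is that only touch-required FIDO2 keys live in this agent, say so explicitly so the next reader does not treat the comment as a general statement, e.g. `# Assumes every key loaded here is a FIDO2 key with touch required; a non-FIDO key would be usable from the agent without any confirmation`. Otherwise keeping `addKeysToAgent = "confirm";` is the safer default, since the askpass program this same commit configures on the NixOS side is presumably what the confirm prompt would use. The `programs.ssh` attribute set starts and ends outside these hunks.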
systems/common/hardware/yubikey.nix
@@ -50,12 +50,21 @@
programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gnome3;
- # SSH_ASKPASS for FIDO2 PIN prompts
- environment.variables = {
- SSH_ASKPASS = lib.mkForce "${pkgs.openssh-askpass}/libexec/gtk-ssh-askpass";
- SSH_ASKPASS_REQUIRE = "prefer"; # Use askpass when available, fallback to terminal
+ # SSH agent with FIDO2 PIN prompt support
+ # Uses NixOS's startAgent which properly sets SSH_ASKPASS in the agent's environment
+ programs.ssh = {
+ startAgent = true;
+ enableAskPassword = true;
+ askPassword = "${pkgs.openssh-askpass}/libexec/gtk-ssh-askpass";
};
+ # Disable GNOME's gcr-ssh-agent (conflicts with programs.ssh.startAgent)
+ # niri module enables gnome-keyring which enables gcr-ssh-agent by default
+ services.gnome.gcr-ssh-agent.enable = false;
+
+ # SSH_ASKPASS_REQUIRE for the user environment (agent confirmation prompts)
+ environment.variables.SSH_ASKPASS_REQUIRE = "prefer";
+
# Disabled - using FIDO2 keys with ssh-agent instead of PIV with yubikey-agent
services.yubikey-agent.enable = false;
# systemd.packages = [ pkgs.yubikey-agent ];