Commit b03c1ddf982a

Vincent Demeester <vincent@sbr.pm>
2026-01-29 19:11:37
feat(ssh): add SSH_ASKPASS for FIDO2 PIN prompts and update git signing key
- Add openssh-askpass (GTK) for FIDO2 PIN prompts during ssh-add -K
- Configure SSH_ASKPASS and SSH_ASKPASS_REQUIRE environment variables
- Update git signing key from PIV (ECDSA) to FIDO2 resident key (ssh:personal)
- Update allowed_signers with new FIDO2 public key

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1 parent 3db5d67
home/common/shell/git.nix
@@ -28,7 +28,8 @@ let
     "src/knative-sandbox"
   ];
   sshkeyPerHost = {
-    kyushu = "${pkgs.writeText "yubikey5-c1" "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGHMa4rHuBbQQYv+8jvlkFCD2VYRGA4+5fnZAhLx8iDirzfEPqHB60UJWcDeixnJCUlpJjzFbS4crNOXhfCTCTE="}";
+    # FIDO2 resident key (ssh:personal) - no touch required for signing
+    kyushu = "${pkgs.writeText "yubikey5-fido2" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJ0HEuDwEL1fX0VR35ttJQNRYYFjIiOv8ZWtl419Ddt0AAAADHNzaDpwZXJzb25hbA== ssh:personal"}";
     aomi = "${pkgs.writeText "aomi" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJmTdMKYdgqpbQWBif58VBuwX+GqMGsMfB1ey1TKrM3 vincent@aomi"}";
   };
   defaultSSHKey = sshkeyPerHost.kyushu;
@@ -41,7 +42,7 @@ let
   # List of allowed SSH signing keys for git commit verification
   allowedSigners = ''
     vincent@aomi ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJmTdMKYdgqpbQWBif58VBuwX+GqMGsMfB1ey1TKrM3
-    vincent@kyushu ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGHMa4rHuBbQQYv+8jvlkFCD2VYRGA4+5fnZAhLx8iDirzfEPqHB60UJWcDeixnJCUlpJjzFbS4crNOXhfCTCTE=
+    vincent@kyushu sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJ0HEuDwEL1fX0VR35ttJQNRYYFjIiOv8ZWtl419Ddt0AAAADHNzaDpwZXJzb25hbA==
   '';
 in
 {
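Review bot: Dropping the old `ecdsa-sha2-nistp256` line from `allowedSigners` means every commit already signed with the PIV key stops verifying (`git log --show-signature` will report no matching principal), since git only trusts keys listed in this file; key rotation should retire the old key rather than delete it. Keep the old entry with a validity bound so history still verifies while new signatures must come from the FIDO2 key, e.g. `vincent@kyushu valid-before="20260129" ecdsa-sha2-nistp256 AAAAE2Vj...CTE=` above the new `sk-ssh-ed25519@openssh.com` line (recent git passes the commit timestamp as `verify-time`, so the bound is enforced per commit). Separately, the `# FIDO2 resident key (ssh:personal) - no touch required for signing` comment in the first hunk describes a property of the private key (`ssh-keygen -O no-touch-required`) that the public blob does not encode; I would extend it to record the trade-off, e.g. `# created with -O no-touch-required: any process reaching the agent socket can sign while the key is inserted and the PIN has been entered`.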
systems/common/hardware/yubikey.nix
@@ -13,6 +13,7 @@
       yubikey-personalization
       yubikey-manager
       yubikey-agent
+      openssh-askpass # GTK askpass for FIDO2 PIN prompts
     ]
     ++ lib.optionals (builtins.isString desktop) [
       yubioath-flutter # Maybe not necessary
@@ -48,6 +49,13 @@
   };
 
   programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gnome3;
+
+  # SSH_ASKPASS for FIDO2 PIN prompts
+  environment.variables = {
+    SSH_ASKPASS = lib.mkForce "${pkgs.openssh-askpass}/libexec/gtk-ssh-askpass";
+    SSH_ASKPASS_REQUIRE = "prefer"; # Use askpass when available, fallback to terminal
+  };
+
   # Disabled - using FIDO2 keys with ssh-agent instead of PIV with yubikey-agent
   services.yubikey-agent.enable = false;
   # systemd.packages = [ pkgs.yubikey-agent ];
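Review bot: The `lib.mkForce` on `environment.variables.SSH_ASKPASS` works around the NixOS ssh module rather than using it; as far as I can tell that variable is owned by `programs.ssh.askPassword` (desktop modules set it with `mkDefault`), so the idiomatic change is `programs.ssh.askPassword = "${pkgs.openssh-askpass}/libexec/gtk-ssh-askpass";` with the `mkForce` line removed and only `SSH_ASKPASS_REQUIRE` left in `environment.variables`. Forcing the raw variable also silently disables whatever askpass a desktop module configured, which is worth a comment if the override is intentional. The GTK askpass is added to `systemPackages` unconditionally in the first hunk while the other GUI tools sit behind `lib.optionals (builtins.isString desktop)`; with `prefer`, a headless host without `DISPLAY` should still fall back to the TTY prompt, but the comment on the `SSH_ASKPASS_REQUIRE` line should say so, e.g. `# "prefer": askpass when DISPLAY is set, otherwise the TTY prompt (headless hosts)`.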