In this post, I’d like to document how to use ssh-agent in Hyprland to store SSH key passphrases.
This is part of my blog series on Hyprland.
Assuming you use SSH keys protected with a passphrase, each time you use an SSH connection with the SSH key, you are prompted for the passphrase.
You can avoid this with ssh-agent and ssh-add.
First, start the agent:
```
eval $(ssh-agent)
```
Then, use ssh-add to add a specific key (see the documentation) or all the keys:
```
ssh-add
```
You are prompted for the passphrase, but then, the passphrase is remembered, and you are not asked anymore (unless the lifetime expires, by default, 1 hour).
Unfortunately, this holds only in the current terminal. It works for other applications started from that terminal. For example, if you start Visual Studio from that terminal and you access a Git repository with your SSH key, the passphrase is reused without prompting you. If you start another terminal or program using its launcher, you are prompted for the passphrase again; moreover, in such a situation, the passphrase is not remembered, because you would have to rerun ssh-add.
Instead, I’d like to be prompted for the passphrase only the first time I use ssh; for the current desktop session, I don’t want to enter the passphrase again. Of course, if I reboot, I’m OK with re-entering the passphrase the first time I need it.
In GNOME, you can rely on its keyring to prompt you for the passphrase and store it for the current session or permanently. In KDE, you have a similar mechanism, which, however, has to be appropriately configured (that’s out of the scope of this post).
In Hyprland, you have to set up such mechanisms manually.
The Arch Wiki, as usual, documents an easy solution, which I’ll report here (I haven’t tried alternatives, but this one is pretty easy to set up).
First (https://wiki.archlinux.org/title/SSH_keys#ssh-agent), add this option to your “~/.ssh/config”:
```
AddKeysToAgent yes
```
This way, all SSH clients, including Git, store keys in the agent on first use.
We must ensure an ssh-agent is automatically started when you enter Hyprland.
Again, the Arch Wiki (https://wiki.archlinux.org/title/SSH_keys#Start_ssh-agent_with_systemd_user) tells you how to do that by starting ssh-agent as a systemd user service.
Create this file “~/.config/systemd/user/ssh-agent.service” with these contents:
```
[Unit]
Description=SSH key agent

[Service]
Type=simple
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
# DISPLAY required for ssh-askpass to work
Environment=DISPLAY=:0
ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK

[Install]
WantedBy=default.target
```
Then ensure the environment variable “SSH_AUTH_SOCK” is set to “$XDG_RUNTIME_DIR/ssh-agent.socket”. For example, in the Hyprland configuration file:
```
env = SSH_AUTH_SOCK,$XDG_RUNTIME_DIR/ssh-agent.socket
```
Now, start the service for your user at boot:
```
systemctl enable --user ssh-agent.service
```
Reboot to ensure the environment variable is set correctly and the service is started.
Try to use ssh, and you will be prompted for your passphrase. Try to use ssh again with the same key, and you should not be asked for the passphrase. Start a new terminal, use SSH again, even with Git, and you will not be asked for the passphrase. This also works for other programs that need SSH, for example, Visual Studio Code when accessing a Git repository or Unison when connecting through SSH.
From now on, you’ll be asked for the passphrase only the first time you use ssh from any program and never again during that session.
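To check the finished setup after the reboot, here is an added example (not from the original post or the Arch Wiki) that verifies the socket path, its ownership and permissions, and whether the agent answers. The function names and the `--run` switch are illustrative assumptions; the exit statuses of `ssh-add -l` are the ones documented in its man page.

```shell
#!/bin/sh
# Added example: sanity checks for the ssh-agent user service set up above.
# Function names are illustrative, not part of OpenSSH or Hyprland.

# Socket path the unit file (%t/ssh-agent.socket) and the Hyprland env line agree on.
expected_socket() {
    printf '%s\n' "${XDG_RUNTIME_DIR}/ssh-agent.socket"
}

# 0 = usable socket, 1 = empty path, 2 = not a socket, 3 = foreign owner, 4 = loose mode.
check_socket() {
    [ -n "$1" ] || { echo "SSH_AUTH_SOCK is empty"; return 1; }
    [ -S "$1" ] || { echo "$1 is not a socket (is ssh-agent.service running?)"; return 2; }
    [ -O "$1" ] || { echo "$1 is not owned by you"; return 3; }
    # Anyone who can connect to the socket can ask the agent to use the loaded keys,
    # so group/other must have no access (characters 5-10 of the ls mode string).
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *) echo "$1 is accessible to group/other"; return 4 ;;
    esac
}

# Translate the documented exit status of `ssh-add -l`.
describe_status() {
    case $1 in
        0) echo "agent reachable, key(s) loaded" ;;
        1) echo "agent reachable, no keys loaded yet" ;;
        2) echo "cannot contact the agent" ;;
        *) echo "unexpected ssh-add status $1" ;;
    esac
}

verify_agent() {
    want=$(expected_socket)
    if [ "${SSH_AUTH_SOCK:-}" != "$want" ]; then
        echo "SSH_AUTH_SOCK is '${SSH_AUTH_SOCK:-}', expected '$want'"
        return 1
    fi
    check_socket "$SSH_AUTH_SOCK" || return 1
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    describe_status "$rc"
    [ "$rc" -ne 2 ]
}

# Run the checks only when asked, e.g. `sh check-agent.sh --run`.
if [ "${1:-}" = "--run" ]; then verify_agent; fi
```

Right after login, "no keys loaded yet" is the expected result: with `AddKeysToAgent yes` the key enters the agent on the first ssh use, after which the status changes to "key(s) loaded".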
Stay tuned for more posts about Hyprland. 🙂