I have a KeePassXC password store that contains both the SSH private key and its password.
In order to import it to ssh-agent in a headless setup, keepassxc-cli needs to be used.
To extract the key, one would use something like

```
keepassxc-cli attachment-export --stdout -- /pass.kdbx 'entry title' attachment_id
```

and to get its password:

```
keepassxc-cli show --attributes password -- /pass.kdbx 'entry title'
```

Note that both of the invocations require typing in the password vault's own secret, i.e. one CLI invocation does not result in the password vault staying unlocked for the subsequent calls.
With this setup, is it possible to add the key to ssh-add?
Something like this looks like it could work:

```
keepassxc-cli attachment-export --stdout -- /pass.kdbx 'entry title' \
attachment_id | SSH_ASKPASS_REQUIRE=force SSH_ASKPASS="/p.sh" ssh-add -
```

where p.sh contains:

```
keepassxc-cli show --attributes password -- /pass.kdbx 'entry title'
```

However, p.sh fails; I believe it is due to keepassxc-cli expecting a reply on stdin that gets immediately closed by ssh-add:

```
Enter password to unlock /pass.kdbx:
< // password is typed>
Enter password to unlock /pass.kdbx:
< // prompt stays for ~1sec, then following is printed:>
Error while reading the database: Invalid credentials were provided, please try again.
If this reoccurs, then your database file may be corrupt. (HMAC mismatch)
```

</dev/tty keepassxc-cli …then?
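
The stdin hypothesis from the question and the `/dev/tty` redirection from the reply can be modelled without KeePassXC or OpenSSH. This is an added example, not code from the original post or from either project. `prompt_tool`, `consumer`, `demo` and the `PROMPT_TTY` override are hypothetical stand-ins, and the model assumes the askpass helper inherits the stdin of `ssh-add -`.

```shell
#!/bin/sh
# Constructed stand-in for a prompting CLI such as keepassxc-cli:
# it reads one line (the vault password) from its own stdin.
prompt_tool() {
    IFS= read -r secret || secret=""   # EOF on stdin yields an empty secret
    printf '%s' "$secret"
}

# Helper as written in the question: the tool inherits the caller's stdin.
askpass_inherit() {
    prompt_tool
}

# Helper with stdin rebound to the terminal device, as the reply suggests.
# PROMPT_TTY is a hypothetical override so the model also runs where no
# terminal exists; by default the real /dev/tty is used.
askpass_tty() {
    prompt_tool < "${PROMPT_TTY:-/dev/tty}"
}

# Constructed stand-in for `ssh-add -`: consume the key from stdin until
# EOF, then run the askpass helper with that same, now exhausted, stdin.
consumer() {
    cat > /dev/null
    "$1"
}

# Pipe constructed "key material" into the consumer, as in the question's
# pipeline, and return whatever the chosen helper managed to read.
demo() {
    printf 'constructed-key-material\n' | consumer "$1"
}

# With inherited stdin the helper sees only EOF, so nothing is read.
printf 'inherited stdin -> [%s]\n' "$(demo askpass_inherit)"
```

On a terminal, `demo askpass_tty` waits for a typed line and returns it, because the helper no longer depends on the pipe that carried the key.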