Split ssh configuration fails in 4.3

I have had a working split-ssh configuration for a long time. Recently, after upgrading to 4.3 with a clean install and reapplying the SshAgent policy in dom0, I tried this in the previously working appvm:

$ ssh -T git@github.com
sign_and_send_pubkey: signing failed for ED25519 "/home/user/.ssh/id_ed25519_github" from agent: agent refused operation
git@ssh.github.com: Permission denied (publickey).

In the meantime, my dom0 python popup appears and gets confirmation in the same way it did in 4.2. However, I see these lines in my ssh backend:

qrexec-client-vm[940]: Unknown hint "sender-pid", ignoring
qrexec-client-vm[940]: Message sent to server
qrexec-client-vm[940]: 16 bytes read!
ssh-askpass[1607]: cannot open display: 

However, I can list ssh keys from the app vm (ssh client vm) and on the ssh backend vm correctly by using ssh-add -L.

This was due to the fact that the ssh-agent.service has SSH_ASKPASS_REQUIRE=force in its environment.
I have created an override for that, and the ssh-askpass no longer appears in the log, but the issue about split-ssh still persists.

Resolved by disabling and masking gcr-ssh-agent and using a non-gui ssh agent in the ssh backend (vault) vm instead.


I understand that the current guide might require a change. Thanks for sharing the solution.


Hey,

just install package ksshaskpass in your ssh-vault VM (or template)

For my fedora-42-template, this works:

doas dnf install ksshaskpass
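
A read-only check for the ssh backend qube that looks for the three conditions this thread ran into: gcr-ssh-agent owning the socket, SSH_ASKPASS_REQUIRE=force on ssh-agent.service, and the askpass "cannot open display" log line. It is an added example, not code from any poster or from the Qubes project. The function names are hypothetical, and it assumes the agents run as systemd user units and that gcr's socket path ends in gcr/ssh.

```shell
#!/bin/sh
# Added diagnostic sketch; run inside the ssh backend (vault) qube with --report.
# It only reads state and changes nothing.

# Classify the agent behind an SSH_AUTH_SOCK path.
# Assumption: gcr-ssh-agent listens on <runtime dir>/gcr/ssh.
agent_kind() {
    case "$1" in
        "")        echo none ;;
        */gcr/ssh) echo gcr ;;
        *)         echo other ;;
    esac
}

# Succeed if a unit's environment forces askpass.
# $1 is the output of: systemctl --user show -p Environment ssh-agent.service
askpass_forced() {
    case " ${1#Environment=} " in
        *" SSH_ASKPASS_REQUIRE=force "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if the journal text on stdin contains the askpass failure
# quoted in the first post (askpass started without a display).
askpass_no_display() {
    grep -q 'ssh-askpass\[[0-9]*\]: cannot open display'
}

report() {
    echo "agent behind SSH_AUTH_SOCK: $(agent_kind "${SSH_AUTH_SOCK:-}")"
    for unit in gcr-ssh-agent.socket gcr-ssh-agent.service; do
        state=$(systemctl --user is-enabled "$unit" 2>/dev/null || true)
        echo "$unit: ${state:-not found}"
    done
    env_line=$(systemctl --user show -p Environment ssh-agent.service 2>/dev/null || true)
    if askpass_forced "$env_line"; then
        echo "ssh-agent.service: SSH_ASKPASS_REQUIRE=force is set"
    fi
    if journalctl -b --no-pager 2>/dev/null | askpass_no_display; then
        echo "journal: ssh-askpass was started without a display"
    fi
}

if [ "${1:-}" = "--report" ]; then
    report
fi
```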