me like nix

timeout yubikey ssh before agent fallback

author
Sean Aye
date (Jun 15, 2026, 9:53 PM -0400) commit f3e266ed parent a3d801a9 change-id uulxxmor
+23 -7
+23 -7
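--- a/modules/editor.nix
+++ b/modules/editor.nix
@@ -8,23 +8,39 @@
 ssh=${pkgs.openssh}/bin/ssh
 yubi_key="''${YUBIKEY_SSH_KEY:-$HOME/.ssh/id_ed25519_sk_rk}"
 op_sock="''${ONEPASSWORD_SSH_AUTH_SOCK:-$HOME/.1password/agent.sock}"
+yubi_timeout="''${YUBIKEY_SSH_TIMEOUT:-8}"
 err_file="$(${pkgs.coreutils}/bin/mktemp -t yubikey-ssh.XXXXXX)"
 trap '${pkgs.coreutils}/bin/rm -f "$err_file"' EXIT
 
-# First try the local security-key identity without any agent. This
-# makes the YubiKey win over whatever identities 1Password exposes.
-if [ -r "$yubi_key" ]; then
-if "$ssh" \
+try_yubikey() {
+${pkgs.coreutils}/bin/timeout --foreground "$yubi_timeout" \
+"$ssh" \
 -o IdentityAgent=none \
 -o IdentitiesOnly=yes \
 -o PreferredAuthentications=publickey \
 -i "$yubi_key" \
-"$@" 2>"$err_file"; then
+"$@"
+}
+
+# First try the local security-key identity without any agent. This
+# makes the YubiKey win over whatever identities 1Password exposes.
+# If the security-key path hangs, fall back after YUBIKEY_SSH_TIMEOUT
+# seconds rather than blocking git/jj forever.
+if [ -r "$yubi_key" ]; then
+if [ -n "''${YUBIKEY_SSH_DEBUG:-}" ]; then
+try_yubikey "$@"
+else
+try_yubikey "$@" 2>"$err_file"
+fi
+status=$?
+
+if [ "$status" -eq 0 ]; then
 exit 0
 fi
 
-status=$?
-if ! ${pkgs.gnugrep}/bin/grep -Eiq 'permission denied|sign_and_send_pubkey|device not found|no such device|agent refused|security key|authenticat' "$err_file"; then
+# 124 = timeout, 137 = timeout killed after TERM was ignored.
+# Treat both as "YubiKey unavailable" and fall back to the agent.
+if [ "$status" -ne 124 ] && [ "$status" -ne 137 ] && ! ${pkgs.gnugrep}/bin/grep -Eiq 'permission denied|sign_and_send_pubkey|device not found|no such device|agent refused|security key|authenticat' "$err_file"; then
 ${pkgs.coreutils}/bin/cat "$err_file" >&2
 exit "$status"
 fi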
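Review bot: The `timeout` in `try_yubikey` bounds the whole ssh process rather than only the security-key prompt, so a session that authenticated with the YubiKey but runs longer than `YUBIKEY_SSH_TIMEOUT` (default 8 seconds) ends with status 124 and, going by the comments, is retried through the agent. For git/jj that would cut a long fetch or push mid-transfer and silently redo it with whatever identity 1Password exposes, which undercuts the "YubiKey wins" intent; either limit only the authentication phase or state the constraint at the default, e.g. `# NOTE: bounds the entire ssh session, not just the touch prompt; set above the longest expected transfer`. Separately, when `YUBIKEY_SSH_DEBUG` is set stderr never reaches `$err_file`, so the `grep` cannot match and an authentication failure exits instead of falling back; keeping `try_yubikey "$@" 2>"$err_file"` in both modes and replaying with `[ -z "''${YUBIKEY_SSH_DEBUG:-}" ] || ${pkgs.coreutils}/bin/cat "$err_file" >&2` after `status=$?` would make the two paths decide identically. The 137 case also looks unreachable from `timeout` itself, since it only escalates to KILL when `--kill-after` is given and this call does not pass it. The enclosing `if [ -r "$yubi_key" ]` block and the agent fallback lie outside the hunk.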