KeepassXC + SSH
I use KeepassXC to store my SSH keys, and with a bit of configuration I can hit one hotkey to add a key to my agent, and then another hotkey to open my preferred shell ssh’ing to the target. Here’s how I do it!
I have maybe a dozen machines I need to connect to on a regular basis and rather than configuring a bunch of sessions in something like Remmina I’ve found KeepassXC can do everything I need to both manage keys and make it easy to launch sessions attaching to those hosts.
Basic key management with KeepassXC is pretty straightforward:
- Create an entry in KeepassXC for the host.
- Fire up ssh-keygen and generate a new private key for the target host using a randomly generated, secure password [1].
- Add the new key as a file attachment to the Keepass entry.
- Set the ssh key for the Keepass entry to the attached file.
- Set the password for the entry to the password for the key.
- Set the URL for the entry to ssh://[user]@[host][:optional port].
KeepassXC comes with built-in SSH agent integration, so you can select an entry and press C-h to add the key to the agent. At this point you could just fire up a terminal and ssh to the host manually.
However, KeepassXC also lets you press C-S-u to open the configured URL for the entry using xdg-open. The trouble is, by default, “ssh://” URLs don’t do anything. However, this is solvable with just a little bit of work.
Now, in my case, this is where jaro comes in.
Jaro is a highly flexible resource opener. You call it with a resource (e.g. a file name, URL, etc), and it’ll look into its list of configured associations and take some action.
In my case I set up a couple of associations as follows:
(assoc
#:pattern "^ssh://((.*@)?(.*?)):([0-9]+)$"
#:program "/path/to/kitty -o term=\"xterm-256color\" -o shell=\"/usr/bin/ssh -p %4 %1\"")
(assoc
#:pattern "^ssh://((.*@)?(.*?))$"
#:program "/path/to/kitty -o term=\"xterm-256color\" -o shell=\"/usr/bin/ssh %1\"")
The first pattern matches ssh URLs that include a port, and the second matches URLs without one. The rules then fire up kitty with ssh as the shell connecting to the desired host and port.
Next, we create a jaro.desktop file:
[Desktop Entry]
Name=jaro
GenericName=URL opener
Terminal=false
Exec=jaro %U
Type=Application
Categories=Utility;
And drop it into .local/share/applications.
Finally, we add the following line to .config/mimeapps.list:
x-scheme-handler/ssh=jaro.desktop
Now, upon pressing C-S-u, KeepassXC will use xdg-open to open the configured ssh:// URL, which, based on mimeapps.list, launches jaro, which then consults the configured associations and fires up ssh in my preferred terminal.
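Once the scheme handler is registered, any application that calls xdg-open, not only KeepassXC, can hand an ssh:// URL to this chain, so it is worth validating the URL before it reaches the ssh command line. The script below is an added example, not part of the original setup or of jaro: a hypothetical wrapper (the function name parse_ssh_url and the sample host are assumptions) that splits the URL into the same user@host and port pieces as the two patterns above, but accepts only a conservative character set and passes the destination to ssh after "--". IPv6 literals are out of scope for this version.

```sh
#!/bin/sh
# Added example (not from the original post): strict ssh:// URL parsing.
LC_ALL=C; export LC_ALL   # keep the [A-Za-z] ranges below ASCII-only

# Prints "<port> <destination>" for an acceptable URL, returns 1 otherwise.
parse_ssh_url() {
    case $1 in
        ssh://*) rest=${1#ssh://} ;;
        *) return 1 ;;
    esac
    rest=${rest%/}                      # tolerate one trailing slash
    case $rest in                       # optional "user@"
        *@*) user=${rest%%@*}; hostport=${rest#*@}
             [ -n "$user" ] || return 1 ;;
        *)   user=; hostport=$rest ;;
    esac
    case $hostport in                   # optional ":port"
        *:*) host=${hostport%:*}; port=${hostport##*:} ;;
        *)   host=$hostport; port=22 ;;
    esac
    # A leading "-" would be read by ssh as an option, so refuse it outright;
    # everything else must come from a small allow-list of characters.
    case $user in -*|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case $host in ''|-*|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case $port in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s %s\n' "$port" "${user:+$user@}$host"
}

# Stand-alone use: ssh-url-open 'ssh://admin@build01.example.net:2222'
# (constructed sample host). Does nothing when sourced without arguments.
if [ $# -eq 1 ]; then
    parsed=$(parse_ssh_url "$1") || { echo "refusing URL: $1" >&2; exit 1; }
    port=${parsed%% *}
    dest=${parsed#* }
    # "--" ends option parsing, so $dest can only ever be the destination.
    exec /usr/bin/ssh -p "$port" -- "$dest"
fi
```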
I know this all sounds like a bit much, but I cannot tell you how incredibly convenient this is! Connecting to one of the many machines I admin is now a simple matter of opening KeepassXC, searching for the host name, selecting it and pressing C-h, C-S-u. Super handy!
[1] And don’t forget to use a good, strong cipher. I’ve personally moved all my hosts to ed25519 ECC keys.