Using KeePassXC with SSH-Agent on OpenBSD

       365 words, 2 minutes

I’m using KeePassXC to manage my secrets. But when I log into my OpenBSD laptop, I’m still asked to enter my SSH passphrase to fill-in ssh-agent(1). Somehow, it’s great ; maybe other system don’t even propose that feature out of the box. But what if KeePassXC could know about my passphrase(s) and interact with ssh-agent(1). Well, it can.

Run ssh-agent(1)

On OpenBSD, ssh-agent(1) is natively run when you log in via xenodm. Then ssh-add(1) is called if you have any SSH keys.

Half the work is already done. Simply disable ssh-add(1) ; when required, your keys shall be managed by KeePassXC.

--- /etc/X11/xenodm/Xsession.orig	Mon Oct  5 02:47:52 2020
+++ /etc/X11/xenodm/Xsession	Sun Jan  9 14:28:27 2022
@@ -33,7 +33,7 @@
 	if [ -x /usr/bin/ssh-agent ] && [ -f $id1 -o -f $id2 -o -f $id3 -o -f $id4 -o -f $id5 ];
 		eval `ssh-agent -s`
-		ssh-add < /dev/null
+		#ssh-add < /dev/null

If you were not using OpenBSD and/or xenodm, you’d have to run eval `ssh-agent -s` somewhere during your X session.

Configure KeePassXC

Start KeePassXC and and select the Tools / Settings menu.

Click the “SSH Agent” icon and check the “Enable SSH Agent integration” option. If ssh-agent(1) is started properly, you’ll get an ack message.

Register the SSH keys

Close the settings window and “Add a new entry” to KeePassXC.


From now on, simply unlock KeePassXC and connect to the remote host using SSH. You shall get a confirmation message if you’ve configured it. And you’ll be automagically logged in.