When using SSH Agent and "Require user confirmation when this key is used" checkbox is checked, SSH Agent login should work and I'm assuming there should be some sort of confirmation
When using SSH Agent, and "Require user confirmation when this key is used" checkbox is checked, the following error is seen on the terminal: sign_and_send_pubkey: signing failed: agent refused operation
Un-check "Require user confirmation when this key is used"
Trying to use the new SSH Agent feature
KeePassXC - Version 2.3.0
Revision: 4c0ed74
Libraries:
Operating system: macOS High Sierra (10.13)
CPU architecture: x86_64
Kernel: darwin 17.4.0
Enabled extensions:
Does user confirmation work when you add the key manually with ssh-add -c outside KeePassXC? Is the key actually on the agent when you list the loaded keys with ssh-add -l?
It's likely the issue is with OpenSSH and confirmation on macOS meaning OpenSSH doesn't have any "askpass" binary that can be launched.
I get the same error on my macos install and the key is loaded for me, but I will need to check your other questions when I boot back into macos.
It's likely the issue is with OpenSSH and confirmation on macOS meaning OpenSSH doesn't have any "askpass" binary that can be launched.
Yes that's the cause. I use https://github.com/theseal/ssh-askpass to provide the ASKPASS program on macOS. It works for almost everything (git, ssh, filezilla, and possibly more). Only sshfs does not work with that.
The same problem was happening for me even by manually adding the key with ssh-add -c so it was not a KeePassXC issue. The issue was resolved for me after installing https://github.com/theseal/ssh-askpass as per @yan12125, however, I had to follow the manual install process of:
$ sudo cp ssh-askpass /usr/local/bin/
$ cp ssh-askpass.plist ~/Library/LaunchAgents/
The homebrew method did not resolve the issue.
Hi,
I encountered the same issue and it took me quite some time to find the cause.
Maybe we should add a check for the askpass installation or at least show some kind of information pop-up that askpass is required for this feature in order to work properly.
This may prevent people in the future from taking hours to troubleshoot this issue.
Thanks and regards
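The check suggested in the comment above, sketched as an added example; it is not part of the thread or of KeePassXC's code. The function names are hypothetical, and the fallback paths are ones that appear on this page, so the default path compiled into a given OpenSSH build is an assumption to adjust.

```shell
#!/bin/sh
# Added example: find out which askpass helper is available for the
# confirmation prompt of keys loaded with "ssh-add -c".
# Note: ssh-agent reads SSH_ASKPASS from its own environment, which can
# differ from the shell this script runs in.

# Print the first argument that is an executable file; empty arguments
# are skipped. Returns 1 when none qualifies.
find_askpass() {
    for candidate in "$@"; do
        [ -n "$candidate" ] || continue
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# $1: value of SSH_ASKPASS (may be empty); remaining args: fallback paths.
check_confirm_support() {
    env_value=$1
    shift
    if [ -n "$env_value" ] && ! find_askpass "$env_value" >/dev/null; then
        echo "warning: SSH_ASKPASS=$env_value is not an executable file" >&2
    fi
    if helper=$(find_askpass "$env_value" "$@"); then
        echo "askpass helper found: $helper"
        return 0
    fi
    echo "no askpass helper found: the agent cannot ask for confirmation" >&2
    return 1
}

# Fallback paths taken from this thread; adjust for your OpenSSH build.
check_confirm_support "${SSH_ASKPASS:-}" \
    /usr/lib/ssh/ssh-askpass /usr/local/bin/ssh-askpass || true
```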
The same happens on my Linux (Arch+KDE) setup.
The key is correctly registered, and I can use it when the checkbox is empty. When enabling "Require user confirmation when this key is used", it looks like the key cannot be used anymore.
Confirm the issue on Arch Linux with KDE with SSH_ASKPASS set to /usr/bin/ksshaskpass, but it works with x11-ssh-askpass or when ksshaskpass executable is symlinked to /usr/lib/ssh/ssh-askpass.
Also after checking/unchecking the checkbox we have to lock-unlock database (or restart keepassxc)
I confirm the issue on Fedora 29 on Gnome with SSH_ASKPASS set to /usr/lib/ssh/ssh-askpass.
KeepassXC Version: 2.3.4
@cl0ne so the solution is to define SSH_ASKPASS=/usr/bin/ksshaskpass ?
@cl0ne so the solution is to define
SSH_ASKPASS=/usr/bin/ksshaskpass?
Confirmation with ksshaskpass works only when I symlink ksshaskpass executable to /usr/lib/ssh/ssh-askpass.
Also after checking/unchecking the checkbox we have to lock-unlock database (or restart keepassxc)
Actually, I overlooked buttons "Add to agent" and "Remove from agent" as a faster way to apply changes in key settings.
This is still an issue on Ubuntu. The solution on Ubuntu 18.04 was to disable the keyring and use the default ssh-agent.
Follow these instructions: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1812247/comments/12
To get the linked solution to work, I needed to change one line in ~/.config/autostart/ssh-agent.desktop:
Exec=/usr/bin/ssh-agent -a /run/user/1000/keyring/ssh
Now it's asking every time (when keepassxc is unlocked):

This issue still happens to me on Arch Linux, when I use sway.
When using i3, it works.
Edit: But it doesn't work with ssh-add -c, too, so I guess it's no keepassxc problem.
Ok, I'm going to close this as an upstream issue. If you keep having this on a stock distribution with their stock desktop environment, file a bug in their system to fix their implementation of SSH_ASKPASS.
Thanks everyone.