pass ssh - Modified Version for Mac

pass-ssh-mac is a version of pass ssh that is compatible with MacOS.

The only differences from the original (which is compatible with ArchLinux) is the Makefile and the ssh.bash script.

Fzf is required for this version to work.

To install:

git clone
cd pass-ssh-mac
sudo make install  # No need for PREFIX=/usr/local

NOTE: For what it's worth, one can modify ssh.bash on line 117 to use gfind from findutils on homebrew if they prefer that over awk.

ssh_key=$(gfind "$ssh_dir" -name '*.pub' -printf '%P\n' \
ssh_key=$(find "$ssh_dir" -name '*.pub' | awk -F/ '{print $NF}' \

Original: ibizaman:

pass ssh 0.2 build status

A pass extension that creates ssh keys with an automatically generated passphrases stored in pass and outputs the public key using fzf or rofi.

Use case

The examples suppose you use the xclip clipboard manager:

Create a new ssh key

Run pass ssh, this will show all existing keys under ~/.ssh. Create a new one by entering the name of a key that does not exist, for example mynewkey. pass ssh will then generate a new password for it in the password store under /sshkey-passphrase/mynewkey and use that passphrase as the ssh key's passphrase. Finally, pass ssh will output the ssh key's public key on stdout.

Use the new ssh key

Connect to a host using the ssh key, for example ssh -i ~/.ssh/mynewkey myhost. ssh will then ask for a passphrase, the one stored in the password store at /sshkey-passphrase/mynewkey. You can then simply copy the passphrase with pass --clip /sshkey-passphrase/mynewkey and copy paste it to the ssh passphrase prompt.


pass ssh [--help,-h]
    [--fzf,-f]|[--rofi,-r] [--ssh-dir <s>,-d <s>]
    [--pass-prefix <s>,-p <s>] [--passphrase-no-symbols,-n] [--passphrase-length <s>,-l <s>]
    [--ssh-t <s>] [--ssh-b <s>]

pass-ssh provides an interactive solution to create ssh private and public keypairs with passphrases stored in pass as well as write the public key to stdout. It will show all available ssh keys in either fzf or rofi, wait for the user to select one and write the public key to stdout.

The user can select fzf or rofi by giving either --fzf or --rofi. By default, rofi will be selected and pass-ssh will fallback to fzf.

If the selected key file does not exist under the directory given by --ssh-dir, first a passphrase will be generated in pass under the prefix given by --pass-prefix. Specific passphrase length can be given using --passphrase-length and no symbols can be activated with --passphrase-no-symbols. Second, a new private and public keypair will be generated with the aforementioned passphrase and with ssh-keygen's -t and -b option given respectively by --ssh-t and --ssh-b. Lastly, the public key is written to stdout.

If the selected key exists, the public key is simply written to stdout.




pacaur -S pass-ssh

Other linuxes

git clone
cd pass-ssh
sudo make install



Feedback, contributors, pull requests are all very welcome.

Bump version

Update changelog and go to aur/ and update pkgver. Then add a git tag. Finally, run make aur and make aur-push.


Thanks to roddhjav for creating pass-update from which this script is heavily inspired.


Copyright (C) 2017  Pierre PENNINCKX

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <>.