feat: unlock macOS keychain and fix fish cursor rendering#6
Open
cadl wants to merge 10 commits into
Open
Conversation
Author
|
修改前终端渲染 IMG_1292_github.mp4修改后终端渲染 IMG_1293_github.mp4 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
中文
背景
当 DSSH 连接到 macOS 时,SSH 本身可以正常认证并进入远端 shell,但 Claude Code 的登录 credential 保存在当前 macOS 用户的登录 Keychain 中。SSH 会话建立后,登录 Keychain 并不会自动解锁,因此 Claude Code 无法读取已有 credential,会认为当前没有登录,并要求用户再次手动 login。
要让 Claude Code 直接读取并复用已有登录状态,需要先在当前 SSH 用户的交互式会话中解锁登录 Keychain。本次改动让 DSSH 在连接 macOS 后自动完成 Keychain 解锁和验证,再返回正常的 shell;之后启动 Claude Code 时即可读取原有 credential,无需重复登录。
另外,在某些 shell 和终端协议组合下,DSSH 存在终端渲染问题:用户输入会一直显示在屏幕第一行,原有内容不能正确刷新,并出现显示错乱。以 fish 为例,它会在显示提示符时启用 Kitty 键盘协议并发送
CSI = 5 u;DSSH 之前将所有以u结尾的 CSI 序列都误认为“恢复光标”,导致光标回到默认位置(1,1)。本次改动修正了协议解析,并补充了终端查询响应和正确的初始 PTY 尺寸。改动内容
macos_keychain_passwordsecurity密码提示后才发送密码,并使用show-keychain-info验证解锁结果CSI = 5 u)与 ANSI 光标恢复指令实现说明
通过独立 exec channel 执行
security unlock-keychain会在 macOS 上返回User interaction is not allowed。因此 DSSH 使用当前的交互式 PTY,等待security显示密码提示后再发送密码。密码不会出现在命令参数或 shell history 中。成功后通过show-keychain-info验证解锁状态,并隐藏初始化日志。使用方式
密码会以明文保存在 SD 卡中,因此该功能默认关闭,文档中也明确标注了安全风险。
验证
bash tools/test_config.shbash tools/test_terminal.shbash tools/test_ime.sh.3dsxEnglish
Background
When DSSH connects to macOS, SSH authentication itself succeeds and the remote shell is available. However, Claude Code stores its login credential in the current macOS user's login Keychain. Establishing an SSH session does not automatically unlock that Keychain, so Claude Code cannot read the existing credential, treats the session as logged out, and asks the user to log in again manually.
To let Claude Code read and reuse its existing login state, the login Keychain must first be unlocked inside the current SSH user's interactive session. This change makes DSSH unlock and verify the Keychain after connecting to macOS, then return to the normal shell. Claude Code can subsequently read the stored credential without requiring another login.
There was also a terminal rendering issue under some shell and terminal-protocol combinations: typed input remained on the first screen row, existing content did not refresh correctly, and the display became corrupted. Fish, for example, enables the Kitty keyboard protocol at its prompt and sends
CSI = 5 u. DSSH previously interpreted every CSI sequence ending inuas cursor restore, which moved the cursor to the default position(1,1). This change corrects that protocol parsing and also adds terminal query responses and the correct initial PTY dimensions.What changed
macos_keychain_passwordsettingsecuritypassword prompt before sending the password, then verify the result withshow-keychain-infoCSI = 5 ufrom ANSI cursor restoreImplementation notes
Running
security unlock-keychainthrough a separate exec channel fails on macOS withUser interaction is not allowed. DSSH therefore uses the existing interactive PTY, waits for thesecuritypassword prompt, and only then sends the password. The password is not placed in process arguments or shell history. DSSH verifies the result withshow-keychain-infoand hides successful bootstrap diagnostics.Usage
The password is stored in plaintext on the SD card, so the setting is disabled by default and the documentation explicitly calls out the security risk.
Validation
bash tools/test_config.shbash tools/test_terminal.shbash tools/test_ime.sh.3dsx