diff --git a/configs/client.nix b/configs/client.nix
index 6a7a098..730791d 100644
--- a/configs/client.nix
+++ b/configs/client.nix
@@ -1,4 +1,4 @@
-{ pkgs, config, ... }:
+{ lib, pkgs, ... }:
 {
   imports = [
     ./common.nix
@@ -15,8 +15,7 @@
       nixd
     ];
 
-    # fix for wsl, `prefer` does not work if your SSH_ASKPASS is empty/unset
-    variables.SSH_ASKPASS_REQUIRE = if config.programs.ssh.enableAskPassword then "prefer" else "never";
+    variables.SSH_ASKPASS_REQUIRE = "prefer";
   };
 
   networking = {
@@ -30,7 +29,11 @@
 
   programs = {
     nix-ld.enable = true;
-    ssh.startAgent = true;
+    ssh = {
+      startAgent = true;
+      enableAskPassword = true;
+      askPassword = lib.mkDefault "${pkgs.curses-ssh-askpass}"; # see exprs/curses-ssh-askpass.nix
+    };
   };
 
   virtualisation.docker.enable = true;
diff --git a/exprs/curses-ssh-askpass.nix b/exprs/curses-ssh-askpass.nix
new file mode 100644
index 0000000..653500b
--- /dev/null
+++ b/exprs/curses-ssh-askpass.nix
@@ -0,0 +1,15 @@
+{
+  lib,
+  pinentry-curses,
+  writeShellScript,
+}:
+writeShellScript "curses-ssh-askpass" ''
+  if [ -z ''${1+x} ]; then
+    prompt="GETPIN"
+  else
+    prompt="SETDESC $1\nGETPIN"
+  fi
+
+  pin=$(echo -e "$prompt" | ${lib.getExe pinentry-curses} -T /dev/pts/0 | grep D | tr -d '\n')
+  echo "''${pin:2}"
+''
diff --git a/exprs/overlay.nix b/exprs/overlay.nix
index f961905..1d457c2 100644
--- a/exprs/overlay.nix
+++ b/exprs/overlay.nix
@@ -1,5 +1,6 @@
 inputs: final: prev: {
   idea-ultimate-fixed = prev.callPackage ./idea-fixed.nix { };
+  curses-ssh-askpass = prev.callPackage ./curses-ssh-askpass.nix { };
 
   vencord = prev.vencord.overrideAttrs (old: rec {
     version = "${old.version}+git.${inputs.vencord.shortRev}";