diff --git a/pkgs/clan-cli/clan_lib/machines/update.py b/pkgs/clan-cli/clan_lib/machines/update.py
index 62cd98c75..c112e9739 100644
--- a/pkgs/clan-cli/clan_lib/machines/update.py
+++ b/pkgs/clan-cli/clan_lib/machines/update.py
@@ -167,7 +167,11 @@ def run_machine_deploy(
         if become_root:
             host = sudo_host
 
-        remote_env = host.nix_ssh_env(control_master=False)
+        # Disable SSH_ASKPASS when using a build host (headless machines)
+        use_ssh_askpass = build_host is None
+        remote_env = host.nix_ssh_env(
+            control_master=False, use_ssh_askpass=use_ssh_askpass
+        )
         ret = host.run(
             switch_cmd,
             RunOpts(
diff --git a/pkgs/clan-cli/clan_lib/ssh/remote.py b/pkgs/clan-cli/clan_lib/ssh/remote.py
index f0e6dbae0..e222a9cc9 100644
--- a/pkgs/clan-cli/clan_lib/ssh/remote.py
+++ b/pkgs/clan-cli/clan_lib/ssh/remote.py
@@ -296,13 +296,14 @@ class Remote:
         self,
         env: dict[str, str] | None = None,
         control_master: bool = True,
+        use_ssh_askpass: bool = True,
     ) -> dict[str, str]:
         """Return environment variables for nix commands that use SSH."""
         if env is None:
             env = {}
         env["NIX_SSHOPTS"] = " ".join(self.ssh_cmd_opts(control_master=control_master))
         # Set SSH_ASKPASS environment variable if not using password directly
-        if not self.password:
+        if not self.password and use_ssh_askpass:
             env["SSH_ASKPASS"] = SSH_ASKPASS_PATH
             env["SSH_ASKPASS_REQUIRE"] = "force"
         return env