Windows SSH Agent without Windows Hello?
Hi!
I was very excited to try the new SSH tooling built into 1Password 8 Beta for Windows. However, I do not have Windows Hello on my desktop which sounds like a requirement to use the 1Password SSH agent on Windows (see green TIP here https://developer.1password.com/docs/ssh/get-started#step-3-turn-on-the-1password-ssh-agent).
Is there any way around this? Or are there plans for an alternative here? I don't mind entering my master password every time I need to SSH as an alternative. I'd really like to use the SSH agent :)
1Password Version: 8.6.0
Extension Version: Not Provided
OS Version: Windows 11 Pro
Comments
-
Yes, it's currently a requirement, but we will be adding support for entering your account password as well in the future.
0 -
The password options is really necessary. My company, for example, does not allow the usage of "Windows Hello".
0 -
It was not an easy decision to make, so we can assure you that this is high on our list.
Our of curiosity, what's the main reason your company doesn't allow Windows Hello?
0 -
The main reason is legal hostility belonging to the German GPDR (DSGVO).
0 -
@mrbscreen, thanks for giving us additional context there. That definitely helps us prioritize this!
0 -
My company (worldwide, > 100000 employees) also disabled Windows Hello for reasons unknown to me, at least for the machines located in Germany. Since regular ssh agents ask for the key password once at loading time, then never again, I would like a similar behavior in 1Password as option. Just be able to disable any prompt and just serve the key if it is requested by some ssh client.
I understand asking for Windows hello unlock is a security measure to make me aware that a ssh key is actually requested, and to detect unexpected requests, but this is not standard behavior of ssh agents.
0 -
Hello, I've seen this conversation and I'm curious what is the status of this request?
My company dosn't allow Windows Hello because of legal reasons (GPDR)
Would be great if this request could get the highest priority.0 -
@sb22hh Removing the requirement of Windows Hello is something we're actively working on. Stay tuned!
0 -
I'm wondering whether the use of windows hello is a technical requirement or just convenience for you?
I mean, could the 1password app not prompt for the use of an SSH key itself? Without asking for a password at all, if the app is already unlocked.
0 -
@chris.db_1p
Thanks for this good news!
I just wanted to add that in my organization (including branches in Germany) Windows Hello is also prohibited, but access is allowed using security keys like Yubikey.
Perhaps this could be an alternative to windows hello too?0 -
This content has been removed.
-
My organization also disables Windows Hello. I would love for the ssh keys to seamlessly work on my workstation without Windows Hello
0 -
Hi @tomstock / @sitepodmatt / @Mentat / @uncaught:
Thanks for your feedback on this. As my colleague Chris mentioned, we're actively working on this, but I don't have anything to share just yet. Keep an eye out.
Jack
0 -
+1 here, not using Windows Hello as... I am on a desktop... without fingerprint reader... without IR webcam... I do have a PIN however configured with Windows Hello, but it seems this use case is not supported either!
0 -
@Jack.P_1P Thanks for the information, I definitively missed that one.
But I am still on that boat for my work machine as, just as the others, my employer does not allow any form of Windows Hello...0 -
Hey, would it be a option to also allow a more frequent reauth via password when using windows hello? Currently the minimum is 2 Weeks, why is that? I would like to use Win Hello but want to reauth via password once a day and after each reboot.
Specially when traveling, having Windows hello enabled is a huge security risk because compared to a password it can relatively easy breached/enforced.
Thanks
0 -
I would also be interested in being able to shorten the password interval as a stopgap until this feature is available. I'm not going to be able to memorize my password if I only use it once every two weeks, and I'd like to be able to get to the point that I can destroy the piece of paper I've written it on.
0 -
@BorkforceOne @mrbscreen @Tertius3 @sb22hh @uncaught @Mentat @tomstock @Guidome @solarizde @colinphill
Thanks all for your patience and feedback. We've been working on removing the Windows Hello requirement for SSH and have a solution that we'll be launching soon! You can already try it out today if you're interested to take it for a spin. You can find more information in our Developer Slack workspace.
0 -
Hi @floris_1P,
thank you very much for sharing this.
I have tested it and as far as I can say, this works like a charm. :-)The only thing that could be improved indeed is, if 1password is already unlocked, the entering of the password should not be necessary.
Confirmation is ok, but entering the password again, takes a lot of time.0 -
Any news on when this will be released?
0 -
Fair enough, I was following the learn more link in the 'Developer' tab - which still lists it as a requirement (https://developer.1password.com/docs/ssh/agent/?utm_medium=organic&utm_source=oph&utm_campaign=windows)
In that case, any idea why the option 'Set Up SSH Agent...' is greyed out? Both options SSH Agent and CLI are greyed out for me.
0 -
What I'm seeing is
0 -
Hi @floris_1P - 8.10.3 ... seems pretty out of date, I'll get that fixed and let you know if that resolves my issue.
0