1Password asking for permission each time

verboese
Community Member
edited May 3 in SSH

When using 1Password for storing my SSH keys, it asks for authentication (here: fingerprint) each time a key is accessed. This is different from handling passwords for e.g. web forms: As long as 1Password isn't locked, I can fill the password fields.
As I very often access different machines, this annoys me already after one day ...
Is it possible to disable that behaviour?


1Password Version: 8.7.0 (80700012)
Extension Version: Not Provided
OS Version: 12.2.1 (21D62)

Comments

  • scottaw
    Community Member

    Same issue here. Really love how much easier it is to set up than fighting ssh-agent, but considering I sometimes remote into my Mac from my iPad Pro to do development on my local projects, doing a git push is going to suck if I have to fire up Screens to click the 1Password permission button every time.

  • kvnvelasco
    Community Member

    I have observed this behavior as well. In fact, it's in direct contradiction to the documentation. This seems like a bug.

    https://developer.1password.com/docs/ssh/agent/security#authorization-model

  • kvnvelasco
    Community Member

    Actually after some investigation, subsequent commands within the same process do in fact not prompt for a passphrase.
    Some IDEs though cause trouble here.

    Running git fetch in an IntelliJ IDE ends up requesting a passphrase each time.

  • barneydesmond
    Community Member

    I believe I'm seeing the same problem, but I haven't characterised it completely to know for sure yet. I use a single SSH key on my Linux workstation and use it to log in to many different servers for work, and at home (I'm a sysadmin). It seems like I get asked to authenticate to 1Password for every different host I connect to, at least the first time within a desktop session or within a period of time.

    For me this is entirely unworkable and I had to disable it after 5 minutes. I don't have a fingerprint scanner or anything, so this means entering my somewhat-lengthy password for every SSH connection. It's quite common to log in to a few different servers in quick succession, such as when using ansible to configure servers. It definitely needs to be a single 1Password unlock per desktop session.

  • yboulkaid
    Community Member
    edited March 29

    I would also like something like this, where 1Password allows all applications to access the SSH keys without a prompt.

    I already ended up disabling the auto-lock after inactivity behavior (see https://1password.community/discussion/128043/request-option-to-allow-ssh-access-when-1password-is-locked/p1?new=1), and still have to click through prompts various times per session.

  • scottaw
    Community Member

    I don’t think they can just leave it so you never have to authenticate again. That’s the whole reason ssh-agent isn’t as secure (I think - correct me if I’m wrong). I understand the technical specification that once 1Password locks, you’re going to have to authorize the use of the ssh keys again. I don’t think that’s out of line. I wish it would let me use my watch for that on my late 2015 iMac, but I can hold out until I can afford to replace it. For now, this works fine and I like having those keys in 1Password.

  • ag_tyler

    Team Member

    Hey folks 👋 We've been paying attention to all of this feedback about being prompted too often and are working to improve this experience for you. We'll have more to share soon so stay tuned to the forum. If you're not yet a part of our Developer Tools Slack Workspace I would encourage you to join here as well to get the latest updates!

  • aurimasniekis
    Community Member

    I recently discovered what it means to leave the computer on for several days while background apps try to refresh some stuff using SSH auth... I had to kill 1Password to stop all those dialogs... 😅

  • bryanburns
    Community Member

    I use SourceTree as my git client, and when the app is focused, it does a git fetch on all repos (I have roughly 50 added), which causes an auth dialog to pop up over and over, one for each repo. I would really love it if the auth status was remembered for a period of time to prevent this behavior.

  • ttyS0
    Community Member

    I just set up SSH keys with 1Password 8 yesterday, and this morning had a stack of Allow prompts from IntelliJ that I basically had to hold the enter key down for to clear out. The first thing I did was look in the preferences for a setting, similar to the lock time setting. Not finding anything, I found my way here. I like the SSH feature, but the prompt fatigue is real, and it helps train folks to just blindly click "Allow" every time they see a 1Password prompt, or something that looks like a 1Password prompt.

  • floris_1P

    Team Member

    @aurimasniekis @ttyS0 @bryanburns The issue of many consecutive prompts piling up has been fixed. Can you see if it works for you now?

    @verboese @kvnvelasco @barneydesmond We're hard at work to fix the cases where you get prompted again for every single request. To help us there it would be great if you could provide us with an SSH diagnostics report.

  • bryanburns
    Community Member

    Behavior looks much better now, thanks so much!

  • ag_tyler

    Team Member

    @bryanburns That's awesome to hear!!!! Thanks for getting back to us.

  • verboese
    Community Member

    I now understand that the repeated prompts for password/fingerprint are a security feature more than a bug. The reason for this is that each terminal tab has its own process ID and that's why the authorisation for accessing the key is required again.

  • barneydesmond
    Community Member

    I've had a chance to give it a try again and the behaviour looks better now, probably correct in terms of behaving as intended. That said, I don't think it's yet practical for me. Echoing verboese's comment above, I think I understand how it's working now. Within a single terminal window it works great, but not across multiple windows - it's a separate unlock for each window/process.

    Is there any chance this could become a configurable thing? I'd be quite happy for it to be an all-or-nothing situation, as I'm often using multiple SSH keys in multiple different terminals. I could probably reduce it to a single SSH key, but I'd want that key to be available to all processes once I've unlocked 1Password for the session (subject to normal lock-on-idle and lock-on-sleep behaviours).

  • hstenzel
    Community Member

    I'm also definitely seeing much more frequent prompts than I would expect (1Password for Mac 8.7.0). It's not every time, but it is much more frequent than I would expect given the selections I've made in Preferences --> Security --> Auto-lock.

    It occurs to me that 1Password does not require that I unlock separately for each browser or browser tab, but it does require me to unlock separately for each terminal / terminal tab and that the behavior isn't configurable.

    I'm not sure if this is the intended or expected result, but it is still frustrating. Unless I can find a better workaround, I'll have to revert to using openssh agent for my most commonly used keys. Any suggestions or workarounds?

  • psagers
    Community Member
    edited May 24

    I just tried setting this up and got the prompt-every-time behavior, but I managed to isolate the (proximate) cause. More or less.

    I'm running Ubuntu 22.04 with the built-in GNOME Terminal. My login shell is the default /usr/bin/bash, but Terminal is configured to run fish from homebrew (/home/linuxbrew/.linuxbrew/bin/fish). When I run ssh from fish, the authentication prompt says that "/usr/bin/ssh" is trying to access the key. Every ssh command triggers this prompt.

    If I open a terminal window running bash, then the prompt says that "/usr/bin/bash" is the process trying to access the key. Now it establishes a session with the shell and subsequent uses are waved through. I tried adding (the full path to) fish to /etc/shells, but that didn't change anything. Interestingly, if I manually run bash from within fish, 1Password again links the session to bash.

    Presumably 1Password is interrogating the process list and doing something sneaky to figure out which process should own a given session. Sounds like a hard problem and it's not too surprising that it involves some easy-to-break assumptions. If there's no way to get this right in all reasonable cases, I would certainly not object to some advanced configuration in which I can identify specific binaries that should be allowed to anchor SSH agent sessions.

    In fact, if such a thing were in place, it becomes easy to imagine designating one's terminal application itself as the anchor, if one prefers a single session across multiple tabs. Hypothetically.

  • addy
    Community Member

    I am still getting the prompt on Mac on each terminal open (iTerm2 & VS Code Terminal). I am using the Beta pipeline of 1Password and have the SSH Agent configured properly (according to the UI).

  • Marton.Soos_1P

    Team Member

    @barneydesmond, @hstenzel and @addy having to authorize each terminal tab/session separately is the expected behavior of the SSH agent, but we are considering adding more configuration options around the authorization prompts, so stay tuned!

  • Marton.Soos_1P

    Team Member

    @psagers getting a prompt every time is definitely not the intended behavior of the agent. Could you file an SSH Diagnostics Report regarding the behavior you're experiencing? This could help us investigate and possibly fix this problem.

  • psagers
    Community Member

    8.8.0~126.BETA anchors the session to fish, as expected.

  • addy
    Community Member

    @Marton.Soos_1P +1 on additional config, we have microservices, so I typically have quite a few shells open at any given time.

  • Stefan_Schulte
    Community Member

    Also +1 on additional config. It's fine to make a super secure default setting, as long as you let me and my teammates choose to configure it in a slightly less secure, but much more usable way.
