1Password asking for permission each time

[Deleted User]
Community Member
edited May 2022 in SSH

When using 1Password for storing my SSH keys, it asks for authentication (here: fingerprint) each time a key is accessed. This is different from handling passwords for e.g. web forms: as long as 1Password isn't locked, I can fill the password fields.
As I very often access different machines, this annoys me already after one day ...
Is it possible to disable that behaviour?


1Password Version: 8.7.0 (80700012)
Extension Version: Not Provided
OS Version: 12.2.1 (21D62)


Comments

  • scottaw
    Community Member

    Same issue here. Really love how much easier it is to set up than fighting ssh-agent, but considering I sometimes remote into my Mac from my iPad Pro to do development on my local projects, doing a git push is going to suck if I have to fire up Screens to click the 1Password permission button every time.

  • kvnvelasco
    Community Member

    I have observed this behavior as well. In fact, it's in direct contradiction to the documentation. This seems like a bug.

    https://developer.1password.com/docs/ssh/agent/security#authorization-model

  • kvnvelasco
    Community Member

    Actually after some investigation, subsequent commands within the same process do in fact not prompt for a passphrase.
    Some IDEs though cause trouble here.

    Running git fetch in an IntelliJ IDE ends up requesting a passphrase each time.

  • barneydesmond
    Community Member

    I believe I'm seeing the same problem, but I haven't characterised it completely to know for sure yet. I use a single SSH key on my Linux workstation and use it to log in to many different servers for work, and at home (I'm a sysadmin). It seems like I get asked to authenticate to 1Password for every different host I connect to, at least the first time within a desktop session or within a period of time.

    For me this is entirely unworkable and I had to disable it after 5 minutes. I don't have a fingerprint scanner or anything, so this means entering my somewhat-lengthy password for every SSH connection. It's quite common to log in to a few different servers in quick succession, such as when using ansible to configure servers. It definitely needs to be a single 1Password unlock per desktop session.

  • yboulkaid
    Community Member
    edited March 2022

    I would also like something like this, where 1Password allows all applications to access the SSH keys without a prompt.

    I already ended up disabling the auto-lock after inactivity behavior (see https://1password.community/discussion/128043/request-option-to-allow-ssh-access-when-1password-is-locked/p1?new=1), and still have to click through prompts various times per session.

  • scottaw
    Community Member

    I don’t think they can just leave it so you never have to authenticate again. That’s the whole reason ssh-agent isn’t as secure (I think - correct me if I’m wrong). I understand the technical specification that once 1Password locks, you’re going to have to authorize the use of the ssh keys again. I don’t think that’s out of line. I wish it would let me use my watch for that on my late 2015 iMac, but I can hold out until I can afford to replace it. For now, this works fine and I like having those keys in 1Password.

  • Hey folks 👋 We've been paying attention to all of this feedback about being prompted too often and are working to improve this experience for you. We'll have more to share soon so stay tuned to the forum. If you're not yet a part of our Developer Tools Slack Workspace I would encourage you to join here as well to get the latest updates!

  • aurimasniekis
    Community Member

    I recently discovered what it means to leave a computer on for several days while background apps try to refresh some stuff using SSH auth... I had to kill 1Password to stop all those dialogs... 😅

  • bryanburns
    Community Member

    I use SourceTree as my git client, and when the app is focused, it does a git fetch on all repos (I have roughly 50 added), which causes an auth dialog to pop up over and over, one for each repo. I would really love it if the auth status was remembered for a period of time to prevent this behavior.

  • ttyS0
    Community Member

    I just set up SSH keys with 1Password 8 yesterday, and this morning had a stack of Allow prompts from IntelliJ that I basically had to hold the enter key down for to clear out. The first thing I did was look in the preferences for a setting, similar to the lock time setting. Not finding anything, I found my way here. I like the SSH feature, but the prompt fatigue is real, and it helps train folks to just blindly click "Allow" every time they see a 1Password prompt, or something that looks like a 1Password prompt.

  • @aurimasniekis @ttyS0 @bryanburns The issue of many consecutive prompts piling up has been fixed. Can you see if it works for you now?

    @verboese @kvnvelasco @barneydesmond We're hard at work to fix the cases where you get prompted again for every single request. To help us there it would be great if you could provide us with an SSH diagnostics report.

  • bryanburns
    Community Member

    Behavior looks much better now, thanks so much!

  • @bryanburns That's awesome to hear!!!! Thanks for getting back to us.

  • [Deleted User]
    Community Member

    I now understand that the repeated prompts for password/fingerprint are a security feature more than a bug. The reason for this is that each terminal tab has its own process ID and that's why the authorisation for accessing the key is required again.

  • barneydesmond
    Community Member

    I've had a chance to give it a try again and the behaviour looks better now, probably correct in terms of behaving as intended. That said, I don't think it's yet practical for me. Echoing verboese's comment above, I think I understand how it's working now. Within a single terminal window it works great, but not across multiple windows - it's a separate unlock for each window/process.

    Is there any chance this could become a configurable thing? I'd be quite happy for it to be an all-or-nothing situation, as I'm often using multiple SSH keys in multiple different terminals. I could probably reduce it to a single SSH key, but I'd want that key to be available to all processes once I've unlocked 1Password for the session (subject to normal lock-on-idle and lock-on-sleep behaviours).

  • hstenzel
    Community Member

    I'm also definitely seeing much more frequent prompts than I would expect (1Password for Mac 8.7.0). It's not every time, but it is much more frequent than I would expect given the selections I've made in Preferences --> Security --> Auto-lock.

    It occurs to me that 1Password does not require that I unlock separately for each browser or browser tab, but it does require me to unlock separately for each terminal / terminal tab and that the behavior isn't configurable.

    I'm not sure if this is the intended or expected result, but it is still frustrating. Unless I can find a better workaround, I'll have to revert to using openssh agent for my most commonly used keys. Any suggestions or workarounds?

  • psagers
    Community Member
    edited May 2022

    I just tried setting this up and got the prompt-every-time behavior, but I managed to isolate the (proximate) cause. More or less.

    I'm running Ubuntu 22.04 with the built-in GNOME Terminal. My login shell is the default /usr/bin/bash, but Terminal is configured to run fish from homebrew (/home/linuxbrew/.linuxbrew/bin/fish). When I run ssh from fish, the authentication prompt says that "/usr/bin/ssh" is trying to access the key. Every ssh command triggers this prompt.

    If I open a terminal window running bash, then the prompt says that "/usr/bin/bash" is the process trying to access the key. Now it establishes a session with the shell and subsequent uses are waved through. I tried adding (the full path to) fish to /etc/shells, but that didn't change anything. Interestingly, if I manually run bash from within fish, 1Password again links the session to bash.

    Presumably 1Password is interrogating the process list and doing something sneaky to figure out which process should own a given session. Sounds like a hard problem and it's not too surprising that it involves some easy-to-break assumptions. If there's no way to get this right in all reasonable cases, I would certainly not object to some advanced configuration in which I can identify specific binaries that should be allowed to anchor SSH agent sessions.

    In fact, if such a thing were in place, it becomes easy to imagine designating one's terminal application itself as the anchor, if one prefers a single session across multiple tabs. Hypothetically.
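
The session-anchoring behaviour psagers describes above, as an added example that is not part of the original post and not 1Password's code: a constructed model in which an approval is cached for the nearest recognised shell above the requesting process. The `KNOWN_SHELLS` allowlist, the process table, and all function names are assumptions made for illustration.

```python
# Constructed model, not 1Password's implementation: approvals are cached per
# "anchor" process, found by walking up from the process that contacted the agent.

# Assumption: the agent recognises shells from a fixed list of executable paths.
KNOWN_SHELLS = frozenset({"/usr/bin/bash", "/usr/bin/zsh", "/usr/bin/fish"})


def find_anchor(pid, procs, known=KNOWN_SHELLS):
    """Return (pid, exe) of the nearest ancestor whose exe is recognised.

    procs maps pid -> (ppid, exe). If nothing in the chain is recognised,
    the requesting process itself becomes the anchor.
    """
    cur, seen = pid, set()
    while cur in procs and cur not in seen:  # 'seen' guards against loops
        seen.add(cur)
        ppid, exe = procs[cur]
        if exe in known:
            return cur, exe
        cur = ppid
    return pid, procs[pid][1]


class ApprovalCache:
    """Remembers which anchors the user has already approved."""

    def __init__(self, known=KNOWN_SHELLS):
        self.known = known
        self.approved = set()

    def request(self, pid, procs):
        """Return the exe named in the prompt, or None if no prompt is needed."""
        anchor = find_anchor(pid, procs, self.known)
        if anchor in self.approved:
            return None
        self.approved.add(anchor)
        return anchor[1]


def count_prompts(shell_exe, n_commands, known=KNOWN_SHELLS):
    """Simulate n ssh commands from one terminal tab; return the prompts shown."""
    # Constructed process table: terminal (pid 100) -> shell (pid 200) -> ssh.
    procs = {100: (1, "/usr/libexec/gnome-terminal-server"), 200: (100, shell_exe)}
    cache, prompts = ApprovalCache(known), []
    for i in range(n_commands):
        procs[300 + i] = (200, "/usr/bin/ssh")  # each ssh run is a new process
        shown = cache.request(300 + i, procs)
        if shown:
            prompts.append(shown)
    return prompts
```

With the Homebrew fish path absent from the allowlist, every `ssh` run becomes its own anchor and prompts again; adding that path, or the terminal binary, to `known` collapses this to a single prompt, which is the configuration psagers proposes.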

  • addy
    Community Member

    I am still getting the prompt on Mac on each terminal open (iTerm2 & VS Code Terminal). I am using the Beta pipeline of the 1Password and have the SSH Agent configured properly (according to the UI).

  • @barneydesmond, @hstenzel and @addy having to authorize each terminal tab/session separately is the expected behavior of the SSH agent, but we are considering adding more configuration options around the authorization prompts, so stay tuned!

  • @psagers getting a prompt every time is definitely not the intended behavior of the agent. Could you file an SSH Diagnostics Report regarding the behavior you're experiencing? This could help us investigate and possibly fix this problem.

  • psagers
    Community Member

    8.8.0~126.BETA anchors the session to fish, as expected.

  • addy
    Community Member

    @Marton.Soos_1P +1 on additional config, we have microservices, so I typically have quite a few shells open at any given time.

  • Stefan_Schulte
    Community Member

    Also +1 on additional config. It's fine to make a super secure default setting, as long as you let me and my teammates choose to configure it in a slightly less secure, but much more usable way.

  • voltboyee
    Community Member

    Using the SSH agent with GitKraken or VSCode on Windows is currently unusably annoying. Prompts every time it does a pull or fetch. I have tried updating 1Password to the latest beta build and the result is the same.

  • @voltboyee Which version of git do you have installed? You should have git 2.33 or above for prompting to work well on Windows.

  • @barneydesmond @yboulkaid @verboese @hstenzel @addy @Stefan_Schulte In the latest beta, you can now configure the SSH agent authorization model to not prompt for each terminal tab, but only once per application. Let me know if that improves things for you!

  • hstenzel
    Community Member

    @floris_1P what else can you say about this?

    Is it once forever, or is it once per configurable period?

    At the end of the day, I'm really looking for usage semantics similar to openssh's ssh-agent: if the key is in 1Password and 1Password is unlocked, then I can ssh with public key authentication transparently. I understand the tradeoffs associated with this decision, but if 1Password is unlocked and an attacker has access to my device, they can already steal my key. Why is the model for ssh keys accessed by agent different than the model for secrets accessed by the op command line or the gui?

    Thanks, I'm looking forward to trying this enhancement.

  • yboulkaid
    Community Member

    @floris_1P thanks for getting back to us. I gave the feature a try by configuring it to be as permissive as possible (ask for approval once per new application + remember until 1Password quits), and the experience is much better than before. After having clicked through the prompt a couple times (once per application), I don't get any prompts during my regular workflow.

    I would still prefer to have the permission be global for all applications. This would mimic the ssh-agent behavior and be more "transparent", as @hstenzel mentioned.

    To me the value provided by the 1Password SSH integration is more about the key storage than about auditing key access. Which is why I would like to have as few prompts as possible.

  • CRCinAU
    Community Member

    Yeah - I'm coming from KeepassXC - where the SSH Agent doesn't prompt me at all (which I prefer) as long as the keychain is unlocked.

    Given that I have background sync processes, backups, ssh sessions etc etc etc, getting prompted every 5 minutes is a royal pain in the butt.

  • BlackMagic
    Community Member

    I have enabled "Remember key approval: until 1Password quits" and "Ask approval for each new: application" and yet it still expires every time, and I have to re-authorize the agent when VSCode runs a background git pull.