SSH agent doesn't gracefully handle Apple Watch sleep mode

turingmachine

In the following scenario:

• Biometric auth is enabled
• I'm using the 1Password ssh agent
• My Apple Watch is asleep because I'm up too late

Instead of gracefully falling back to asking for my account password, the SSH agent auth prompt fails and returns an error to SSH, which surfaces as:

sign_and_send_pubkey: signing failed for RSA "<key_name>" from agent: agent refused operation

Sorry if this has been raised before, I spot checked a few "agent refused" questions and they seemed to be due to other issues.

---

1Password Version: 80700098
Extension Version: N/A
OS Version: macOS 12.3.1

floris_1P

Do you see anything appear in the 1Password logs when you invoke an SSH command while your watch is asleep? On macOS: ~/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data/logs/1Password_rCURRENT.log

EarthAura

Same issue. It's quite easy to reproduce (although I don't know if these are the exact steps for turingmachine):

1. Both Apple Watch and Touch ID are enabled
2. Put Watch in Sleep mode
3. Open a new terminal window
4. SSH, when presented with the Touch ID dialogue, use the wrong finger until Touch ID
5. Repeat 4 until all Touch ID attempts are depleted
6. Now try SSH, it will notice Touch ID is no longer available, but it does think Apple Watch is available (even though it's in Sleep)
7. The prompt "Approve with Watch to allow this." is shown, but quickly dismissed (by itself) and the error reported by OP is printed (each time the Watch vibrates and unlocks, but that's it)
8. Lock Mac and unlock with password (Your password is required to re-enable Touch ID)
9. SSH, Says "Touch ID or enter your password to allow this." (no longer prompting Watch?)
10. Use Touch ID or password
11. Try to SSH in a new session, only gives you option of "Touch ID now"
12. Goto 3

There's also an annoying issue present in all of the above steps when SSH:ing. The Apple Watch will unlock & vibrate every time, but the option to approve is not present because it's in Sleep mode.

I also think the UI is inconsistent. Why is it not possible to approve via password, even as a fallback? Only in that one specific step? For me, my fingerprints are very bad, they essentially change by the minute so I can't reliably use Touch ID. It'd be nice to have a fallback when my Watch is in Sleep mode, but in most steps it's impossible to reach "enter password" stage.

Here are the logs from 7, although they're not very useful:

ERROR 2022-05-15T23:23:45.195 tokio-runtime-worker(ThreadId(189)) [1P:foundation/op-system-auth/src/apple.rs:135] Biometric unlock failed, system response: AuthenticationFailed
ERROR 2022-05-15T23:23:45.196 tokio-runtime-worker(ThreadId(7)) [1P:op-automated-unlock/src/lib.rs:294] Failed to authorize using system biometry: FailedToUnlockWithKeys(FailedSystemAuthenticationChallenge)
INFO  2022-05-15T23:23:45.196 tokio-runtime-worker(ThreadId(7)) [1P:ssh/op-ssh-agent/src/lib.rs:388] Session was not authorized

Ryan Parman

Samesies.

dr42

Same here, commenting to follow.

EarthAura

@floris_1P any updates on this? Have you managed to reproduce it or do you still need something from us? An acknowledgement would be nice. It's a fairly annoying issue to have the Apple Watch wake up, make an unlock sound and vibrate all the time even when it's unactionable.

floris_1P

We haven't been able to reproduce this yet, but we're currently doing a bunch of improvements on the prompts including the fallback mechanism. We'll soon have something to try out for this in our Slack workspace, if you're interested.

floris_1P

Update: We have made a significant update to the prompts, which should fix automatically refused SSH requests.