SSH agent terminal password prompt?

jwarlander
Community Member

I've started using the 1Password SSH agent, and in my regular day-to-day work at my desktop PC it works great!

However, if I'm not in my office, I tend to do a lot of work from my laptop using the remote SSH option in VS Code, or simply SSH to the PC and then work from within that terminal session. In those cases, whenever I do e.g. 'git push' or something, I get prompted for my login password... with a GUI popup on the desktop-attached monitor, which I can't see or respond to of course.

Is there any way of working around this, so that I don't have to set up a separate non-1P SSH key for this use case?


1Password Version: 8.7.3
Extension Version: Not Provided
OS Version: Fedora 36
Browser: Not Provided

Comments

  • Do you have 1Password installed on your host machine? If so, then that sounds like a perfect case for SSH agent forwarding, which you can enable in your VS Code setup so you can use your local agent and rely on your local '1Password lock state' instead of the one on the remote host.

  • jwarlander
    Community Member

    Thanks -- yes, I do!

    I've tried it out, and it seems to work as expected. However, it doesn't play well with the default setup recommended in the 1Password docs (e.g. setting IdentityAgent for Host * in ~/.ssh/config), as then the remote host still tries to use its local 1Password agent.

    Will see if I can play around a bit with a .bashrc script to set SSH_AUTH_SOCK to the 1Password agent only for local logins, and leave it untouched for remote logins over SSH.

  • You could look for SSH_TTY which will be set in your remote shell, and if it's not set then configure SSH_AUTH_SOCK.

  • jwarlander
    Community Member

    Yep, I added this section to my ~/.bashrc and disabled the IdentityAgent setting in ~/.ssh/config on both of my machines:

    # Enable 1Password SSH agent
    #
    # We do this by setting up SSH_AUTH_SOCK, but only for local sessions (SSH_TTY
    # is unset); if SSH_TTY is set, however, assume that it's a remote session, and
    # that SSH agent forwarding is active, so we should leave SSH_AUTH_SOCK alone
    #
    if [ -z "$SSH_TTY" ]; then
            export SSH_AUTH_SOCK=~/.1password/agent.sock
    fi
    

    Would be nice if this use case was covered, maybe in https://developer.1password.com/docs/ssh/agent/advanced or something?
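Added example, not part of the thread and not 1Password's own code: a ~/.bashrc fragment that generalizes the SSH_TTY check above. It also treats SSH_CONNECTION (set by sshd even when no terminal is allocated) as a sign of a remote session, and it only trusts an SSH_AUTH_SOCK that is a live socket. The function names and the OP_AGENT_SOCK variable are assumptions made for this sketch; the socket path is the one used in the post.

```shell
# Added example. OP_AGENT_SOCK and the function names are hypothetical;
# the default path is the 1Password agent socket from the post above.
OP_AGENT_SOCK="${OP_AGENT_SOCK:-$HOME/.1password/agent.sock}"

# True when $1 is an existing UNIX socket.
is_socket() { [ -S "$1" ]; }

# True when this shell was started through sshd. SSH_TTY exists only when
# a terminal was allocated; SSH_CONNECTION is set for every SSH session.
is_remote_session() {
    [ -n "${SSH_TTY:-}" ] || [ -n "${SSH_CONNECTION:-}" ]
}

# Print the path SSH_AUTH_SOCK should have, or nothing if no agent applies.
pick_agent_sock() {
    if is_remote_session; then
        # Remote login: only a forwarded agent can be unlocked from where
        # the user is sitting. Never fall back to the local 1Password
        # agent here, since its prompt appears on the unattended desktop.
        if [ -n "${SSH_AUTH_SOCK:-}" ] && is_socket "$SSH_AUTH_SOCK"; then
            printf '%s\n' "$SSH_AUTH_SOCK"
        fi
        return 0
    fi
    # Local login: prefer the 1Password agent when it is running,
    # otherwise keep whatever agent the desktop session already provided.
    if is_socket "$OP_AGENT_SOCK"; then
        printf '%s\n' "$OP_AGENT_SOCK"
    else
        printf '%s\n' "${SSH_AUTH_SOCK:-}"
    fi
}

# Apply the decision to the current shell.
_sock=$(pick_agent_sock)
if [ -n "$_sock" ]; then
    export SSH_AUTH_SOCK="$_sock"
else
    unset SSH_AUTH_SOCK
fi
unset _sock
```

With this in place, a remote login without agent forwarding ends up with no agent at all, so a 'git push' fails immediately instead of waiting on a prompt nobody can see.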

This discussion has been closed.