op-ssh-sign to prompt for password on terminal input, rather than gui/desktop when logged in via ssh

wez

I have a Linux desktop on which I run both the 1P CLI and the desktop application.
I have SSH signing configured for git.
I often ssh into that machine from my couch in a different part of my home, but when I make a commit, my shell session hangs while an authentication prompt is shown on my desktop.

I would like op-ssh-sign to be smart enough to just prompt me for my credentials via the terminal when I'm ssh'd in; there are a number of environment variables that can be inspected to determine that.

Is it possible to configure things like this today?
Alternatively, how can I disable the desktop prompt and make it always prompt via the terminal?
Do I uncheck the "Connect with 1Password CLI" box in the desktop app?

What I'd really love is to be able to use ssh-agent forwarding and have my local laptop's 1Password instance prompt me to confirm in this situation!



Comments

  • Hey @wez:

    Great question and a bit of an interesting one to figure out! The short version is that op-ssh-sign exists to make it an easy one-click install. By default, Git uses ssh-keygen to sign commits, which relies on your SSH_AUTH_SOCK variable. It isn't possible for us to configure this on every platform automatically, so by using op-ssh-sign, all that's necessary to do is change the signing command in .gitconfig, rather than having to set environment variables.

    With that said, there's definitely a way to do this, though it does require a bit more setup. The end result is being able to sign commits from your desktop using 1Password on your desktop, but, when you're connected to your desktop from your laptop and have SSH agent forwarding enabled, approve prompts from your laptop.

    1. Comment out the gpg.program line that refers to op-ssh-sign in your .gitconfig file on your desktop.
    2. Ensure that SSH_AUTH_SOCK is set to point at the 1Password SSH agent socket. You'll want to configure this in your .zshrc or other shell setup script, but it's important to only set this if you're physically in front of this device. The way I have this configured on my Mac is to check what SSH_AUTH_SOCK is set to, and if that value contains launchd, then that means the current session is a local session, at which point I set SSH_AUTH_SOCK to the 1Password agent with export SSH_AUTH_SOCK=~/.1password/agent.sock. If the agent is instead contained in /tmp/ssh, that means the agent is being forwarded, in which case I don't want to overwrite SSH_AUTH_SOCK and instead keep the agent forwarded from SSH.
    3. At this point, when you SSH from your laptop to your desktop, all SSH operations, including Git commit signing, should be using 1Password from your laptop, not your desktop.

    Let me know how you get on with that, or if you run into any trouble along the way.

    Jack
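
The socket selection described in step 2 of the reply above, as an added example for a shell startup file (not code from the thread or from 1Password). The function name `choose_auth_sock` is hypothetical, and treating a non-empty `SSH_CONNECTION` as "remote login" is an assumption that extends the Mac-specific launchd check so the same logic works on a Linux desktop.

```shell
# Added example: choose which SSH agent socket this shell should use.
#   $1 = current SSH_AUTH_SOCK value (may be empty)
#   $2 = SSH_CONNECTION value (non-empty when this shell is an SSH login)
#   $3 = path of the local 1Password agent socket
# Prints the socket path to use (an empty line means "leave it unset").
choose_auth_sock() {
    case $1 in
        /tmp/ssh*)
            # Forwarded agent, using the path prefix given in the reply.
            # Adjust the pattern if your sshd places forwarded sockets elsewhere.
            # Keep it so approval prompts appear on the machine you SSH'd from.
            printf '%s\n' "$1"
            return 0
            ;;
    esac
    if [ -n "$2" ]; then
        # Remote login without a forwarded agent: do not switch to the
        # desktop's agent, since its prompt would open on the unattended desktop.
        printf '%s\n' "$1"
        return 0
    fi
    # Local session (launchd socket on a Mac, anything or nothing on Linux).
    printf '%s\n' "$3"
}

# Startup-file part: export only when the chosen path is a real socket.
_sock=$(choose_auth_sock "${SSH_AUTH_SOCK:-}" "${SSH_CONNECTION:-}" \
    "$HOME/.1password/agent.sock")
if [ -n "$_sock" ] && [ -S "$_sock" ]; then
    export SSH_AUTH_SOCK="$_sock"
fi
unset _sock
```

After opening a new shell, `ssh-add -L` lists the public keys offered by whichever agent `SSH_AUTH_SOCK` now points at, which confirms whether the local or the forwarded agent is in use.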

This discussion has been closed.