op-ssh-sign to prompt for password on terminal input, rather than gui/desktop when logged in via ssh
I have a Linux desktop on which I run both the 1P CLI and the desktop application.
I have SSH signing configured for git.
I often ssh into that machine from my couch in a different part of my home, but when I make a commit, my shell session hangs while an authentication prompt is shown on my desktop.
I would like op-ssh-sign to be smart enough to just prompt me for my credentials via the terminal when I'm ssh'd in; there are a number of environment variables that can be inspected to determine that.
Is it possible to configure things like this today?
Alternatively, how can I disable the desktop prompt and make it always prompt via the terminal?
Do I uncheck the "Connect with 1Password CLI" box in the desktop app?
What I'd really love is to be able to use ssh-agent forwarding and have my local laptop's 1Password instance prompt me to confirm in this situation!
Comments
Hey @wez:
Great question and a bit of an interesting one to figure out! The short version is that op-ssh-sign exists to make it an easy one click install. By default, Git uses ssh-keygen to sign commits, which relies on your SSH_AUTH_SOCK variable. It isn't possible for us to configure this on every platform automatically, so by using op-ssh-sign, all that's necessary to do is change the signing command in .gitconfig, rather than having to set environment variables.

With that said, there's definitely a way to do this, but it does require a bit more setup, but with an end result of being able to sign commits from your desktop using 1Password on your desktop, but when connected to your desktop from your laptop and have SSH agent forwarding enabled, approve prompts from your laptop.

- Comment out the gpg.program line that refers to op-ssh-sign in your .gitconfig file on your desktop.
- Ensure that SSH_AUTH_SOCK is set to point at the 1Password SSH agent socket. You'll want to configure this in your .zshrc or other shell setup script, but it's important to only set this if you're physically in front of this device. The way I have this configured on my Mac is to check what SSH_AUTH_SOCK is set to, and if that value contains launchd, then that means the current session is a local session, at which point I set SSH_AUTH_SOCK to the 1Password agent with export SSH_AUTH_SOCK=~/.1password/agent.sock. If the agent is instead contained in /tmp/ssh that means the agent is being forwarded, in which case I don't want to overwrite SSH_AUTH_SOCK and instead keep the agent forwarded from SSH.
- At this point, when you SSH from your laptop to your desktop, all SSH operations, including Git commit signing should be using 1Password from your laptop, not your desktop.
Let me know how you get on with that, or if you run into any trouble along the way.
Jack
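An added example (not part of the thread and not 1Password's own code) of the shell-startup check described in the reply above, extended to a Linux desktop where there is no launchd marker. It assumes the `SSH_CONNECTION` variable set by OpenSSH's sshd identifies a remote login; the function name `pick_auth_sock` and the `OP_AGENT_SOCK` variable are hypothetical.

```shell
# Added example for a shell startup file (.zshrc, .bashrc, ...).
# Socket path taken from the reply above; override OP_AGENT_SOCK if yours differs.
OP_AGENT_SOCK="${OP_AGENT_SOCK:-${HOME:-}/.1password/agent.sock}"

# pick_auth_sock CURRENT_SOCK SSH_CONNECTION_VALUE
# Prints the agent socket this session should use (empty means "leave unset").
pick_auth_sock() {
    current=$1
    remote=$2
    case $current in
        /tmp/ssh*)
            # Socket created by sshd for agent forwarding: keep it so the
            # approval prompt appears on the machine you are sitting at.
            printf '%s\n' "$current"
            return 0 ;;
        *launchd*)
            # macOS default agent, which only exists in a local session.
            printf '%s\n' "$OP_AGENT_SOCK"
            return 0 ;;
    esac
    if [ -z "$remote" ]; then
        # Assumption: no SSH_CONNECTION means a local login (Linux desktop case).
        printf '%s\n' "$OP_AGENT_SOCK"
    else
        # Remote login without a forwarded agent: do not point at the desktop's
        # 1Password agent, so signing fails fast instead of hanging on a prompt
        # shown on an unattended screen.
        printf '%s\n' "$current"
    fi
}

_sock=$(pick_auth_sock "${SSH_AUTH_SOCK:-}" "${SSH_CONNECTION:-}")
if [ -n "$_sock" ]; then
    SSH_AUTH_SOCK=$_sock
    export SSH_AUTH_SOCK
fi
unset _sock
```
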