What is the best way to keep the SSH agent responding to background requests?

datalogicskam
Community Member

I've got the SSH agent set up, asking for approval for each new application, remembering approval for 24 hours.

I have the 1Password agent set up as an IdentityAgent in ~/.ssh/config, and the GitHub-specific public key set up with IdentityFile.

I have PyCharm doing auto fetch. Despite approving keys for 24 hours, I get errors:

    sign_and_send_pubkey: signing failed for ED25519 "/Users/xxx/.ssh/id_ed25519.pub" from agent: agent refused operation
    git@xxxx.xxxx.com: Permission denied (publickey).
    Could not read from remote repository.
    Please make sure you have the correct access rights
    and the repository exists.

I also get repeatedly asked to unlock 1Password for no apparent reason; I suspect it's because of something SSH-related going on in the background.

Ideally, I'd like to use 1Password as an SSH agent, and just have it accept everything I approve indefinitely, or for at least the time period requested. How do I do that?


1Password Version: 8.10.7
Extension Version: n/a
OS Version: macOS 12.6.5
Browser: n/a

Comments

  • datalogicskam
    Community Member

    Yes, it's definitely the background auto-fetch in the IDE, and this is the dialog I'm getting...nothing about an SSH key.

    By the way, I'm using the nightly build of 1Password to see if perhaps the problem had been fixed, but it was already happening with the regular release.

  • Are those background requests using the same SSH key? The approval happens on a per-key basis.

  • datalogicskam
    Community Member

    Yes, they're using the same key, and the key for the GitHub repos is set up with IdentityFile.

    1Password doesn't really ask for approval; in this case, the keys are still within the "Remember key approval" interval. It just asks to unlock, and then the process continues without the approval screen, if I recall correctly.

  • Good to clarify: the SSH private key is still tied to the 1Password "lock state", so locking 1Password means that there's no more private key available until you unlock, even if the 24h setting is used. The 24h setting will only persist the fact that you approved an app. But the first SSH request you make after 1Password locks would still require a regular unlock, "resuming" all previous approvals from the last 24h with a single unlock prompt.

    > I also get repeatedly asked to unlock 1Password for no apparent reason; I suspect it's because of something SSH-related going on in the background.

    Also good to note: the regular unlock prompt does not support background suppressing yet, so for better autofetch behavior, you may want to consider switching the "for 24 hours" setting back to "until 1Password locks". This way, you'll always get the SSH authorization prompt, which supports background suppressing and better attribution to the source of the request.

    We're looking into also adding similar behavior to the regular unlock prompt for a better experience around Git autofetch + the 24h setting.

  • datalogicskam
    Community Member

    Okay, I just increased the 1Password idle lock timing (if I wasn't at home, I'd lock my computer when I walk away anyway), and changed the key approval to "until 1Password locks". I'll see how that goes; at least it should be more obvious what's going on.

    > Good to clarify: the SSH private key is still tied to the 1Password "lock state", so locking 1Password means that there's no more private key available until you unlock...

    Since "remember key approval" has "until 1Password locks" as an option, it's easy to think that the other options override the lock state of 1Password, allowing SSH access by time rather than by 1Password lock state. Please consider this a feature request for an option to allow SSH key approval to be by time rather than by lock state. It'd be really nice to be able to use 1Password more or less like a traditional SSH agent, just with a more secure key store.

    Thanks for the help!

This discussion has been closed.