"signing failed for" after multiple denies [CLI] [SSH Key] [SSH Agent] [Terminal]

zevolution
Community Member
edited June 2023 in SSH

Well, first of all I need to say that I have a lot of SSH keys because I work on multiple projects at the same time using git. So, a lot of them force me to use an SSH key to pull or push code.

Today, I had a problem when adding a new SSH key:

After calling "git clone" and denying the first 3 SSH keys, 1Pass didn't show the remaining SSH keys, and the Git CLI skipped to requesting a password (the behavior when no SSH key works).

Therefore, I went immediately to the 1Pass logs to verify, and I found that the behavior is to block the application for 15s if we have many attempts in a short time period, but this is a problem when we have a lot of ssh-keys and in this case we want to use just one of them. So it would be very powerful if we had a way to, for example, choose the ssh-key from a list provided by 1Pass, because waiting a time for each item until I find the desired item is very, very slow at the end of the day.


1Password Version: 8.10.7
Extension Version: Not Provided
OS Version: Ventura 13.3
Browser: Not Provided

Comments

  • Here's a docs article about using different SSH keys for different Git repos. Would that solve your use case?

  • zevolution
    Community Member
    edited June 2023

    Hello @floris_1P , thanks for your answer!

    Yeah, I know that way and I used to do it, but that's the reason I use 1Password SSH Agent, I don't want to go through the trouble of doing manual configurations, 1Pass Agent already does that, it just doesn't do it very well yet. There should be:

    • either a popup with all my SSH keys so I could choose which one to use. In this case I don't need to deny keys, it's just selecting the one I want
    • or decrease the time associated with "many denied attempts". In this case I can deny other ssh-keys until I reach the desired one
  • floris_1P
    edited June 2023

    It's not likely we'll be making our prompt rate limiter more lenient at this time, so if you need separate SSH keys per repo, a Gitconfig / shell script / SSH config kind of workflow would likely be more promising at this point.

    For example, you could look into adding a small git shim that sets GIT_SSH_COMMAND based on the directory or Git repo name, e.g. using git config --get remote.origin.url or git rev-parse --show-toplevel. And then in that script use the repo name to point to a certain .pub file on disk: GIT_SSH_COMMAND="ssh -i ~/.ssh/$REPO_NAME.pub" /opt/homebrew/bin/git "$@"

    You do have to download all the public keys from 1Password to disk once. (There are ways to also automate that part if you want, but we won't promise a stable API there)

    Let me know if that helps.
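
The shim described in the reply above, written out as an added example; it is not part of the thread and not 1Password's code. KEY_DIR, REAL_GIT and the function names are assumptions, and the IdentitiesOnly option and the repo-name check are additions the reply does not mention.

```shell
#!/bin/sh
# Added example (not 1Password's code): pick one SSH key per repository.
KEY_DIR="${KEY_DIR:-$HOME/.ssh}"               # assumption: <repo>.pub files live here
REAL_GIT="${REAL_GIT:-/opt/homebrew/bin/git}"  # git path used in the reply above

# Print the repo name from git@host:org/repo.git or ssh://host/org/repo.
# Fails for names outside [A-Za-z0-9._-]: the name ends up inside
# GIT_SSH_COMMAND, which git passes to a shell.
repo_name_from_url() {
    name=${1%/}
    name=${name%.git}
    name=${name##*[/:]}
    case $name in
        ''|.|..|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$name"
}

# Print the ssh command for one repo, or fail if its public key is missing.
# IdentitiesOnly=yes makes ssh offer only the key named with -i, even when
# the agent holds more identities.
ssh_command_for() {
    pub="$KEY_DIR/$1.pub"
    case $pub in *\'*) return 1 ;; esac        # keep the quoting below intact
    [ -f "$pub" ] || return 1
    printf "ssh -o IdentitiesOnly=yes -i '%s'\n" "$pub"
}

# Drop-in wrapper: `alias git=git_with_repo_key` after sourcing this file.
git_with_repo_key() {
    url=
    case ${1-} in
        clone)  # no repository yet, so take the URL from the arguments
            for arg in "$@"; do
                case $arg in ssh://*|*@*:*) url=$arg ;; esac
            done ;;
        *)  url=$("$REAL_GIT" config --get remote.origin.url 2>/dev/null) || url= ;;
    esac
    if name=$(repo_name_from_url "$url") && cmd=$(ssh_command_for "$name"); then
        GIT_SSH_COMMAND=$cmd "$REAL_GIT" "$@"
    else
        "$REAL_GIT" "$@"                       # no matching key: plain git
    fi
}
```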

  • zevolution
    Community Member

    Hmmm, all of that is pretty cool, but for me, it's a lot of work hahaha, sorry I'm a lazy man. So, I really prefer to wait 5sec per deny until I reach my key instead of doing this, bro. I'll wait for something more practical. 1Pass is a great product, who knows, soon we may see something more practical related to multiple ssh keys.

  • You could also consider revisiting why you even need different SSH authentication keys per repo. If they use the same Git account and the same 1Password account, there's not a lot of benefit of using different authentication keys anyway. There are no different access levels enforced per authentication key, and creating/revoking them is easy.

This discussion has been closed.