Bug: SSH agent cannot be used when connected via Remote Desktop

outadoc
Community Member
edited April 2022 in SSH

I'm using the 1Password 8 Windows beta with the SSH agent enabled and configured with a couple SSH keys. When functioning normally, 1Password asks for a Windows Hello PIN to unlock my SSH keys, and everything works fine.

However, when connected to my PC via Microsoft Remote Desktop (with the official client on macOS, if that makes a difference), I cannot unlock my SSH key. 1Password asks for my master password, which I provide, but the SSH agent refuses the operation.

With git, for example:

sign_and_send_pubkey: signing failed: agent refused operation
sign_and_send_pubkey: signing failed: agent refused operation
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

1Password Version: 8.7.0
Extension Version: Not Provided
OS Version: Windows 11 build 21H2

Comments

  • floris_1P
    edited April 2022

    Do you see anything appear in the 1Password logs when you run the failing SSH command? On Windows: %LOCALAPPDATA%/1Password/logs.

    And when using RDP, does the regular 1Password unlock work with Windows Hello? Or is it only SSH that's failing?

  • outadoc
    Community Member

    Hi,

    I believe these log lines are relevant:

    ERROR 2022-04-16T21:27:33.605 op_executor:invocation_loop(ThreadId(22)) [1P:C:\builds\dev\core\core\op-ui\src\item_action\mod.rs:106] ItemWithIdNotFound(ItemId(743))
    INFO  2022-04-16T21:27:34.149 tokio-runtime-worker(ThreadId(12)) [1P:op-app\src\app\backend\unlock.rs:241] System unlock was attempted but we cannot use it.
    WARN  2022-04-16T21:27:34.155 tokio-runtime-worker(ThreadId(10)) [1P:op-app\src\app\backend\lock_screen.rs:71] Biometry is unavailable: BiometryUnavailable
    

    And when using RDP, does the regular 1Password unlock work with Windows Hello? Or is it only SSH that's failing?

    When using RDP, I cannot unlock 1Password with Windows Hello either, but it falls back to asking for my master password. When using SSH, there's no password fallback, just an error, which makes my keys unusable.

  • Unfortunately there's nothing we can do about this at this very moment. However, we are working on an alternative prompt that doesn't require Windows Hello, which can also be used here.

  • outadoc
    Community Member

    Great, thank you!

    I forgot to mention it but when using an SSH key on macOS, when Touch ID is unavailable (i.e. when the laptop lid is closed), 1Password properly prompts for the master password instead. These two flows seem like they should be identical.

  • Correct, on macOS there is already a fallback in place (which will be improved as well with the work we're doing for Windows and Linux).

  • mxk
    Community Member

    Is there an update on when the fallback will be implemented for Windows? Would that also remove the requirement for having Windows Hello enabled at all?

  • @mxk I can't make any promises on timelines, but I can tell you that it's high on our list, with designs being finalized at the moment. And yes: that will fully remove the Hello requirement!

  • enlightenedluke
    Community Member

    @floris_1P do we have a better timeline for this now? Just ran into this myself and will have to work around it by having private keys outside my vault for the time being.

  • @enlightenedluke No updates on the timeline, but we have reached the implementation phase. We'll eventually do an early access with our Slack workspace, which you can join here if you're interested.

  • kramarb
    Community Member

    @enlightenedluke Is there any news regarding this issue?

  • Hi @kramarb:

    Nothing to share just yet. Keep an eye out! As my colleague Floris mentioned, we'll do an early access in our Developers Slack workspace, so joining that [here](https://join.slack.com/t/1password-devs/shared_invite/zt-15k6lhima-GRb5Ga~fo7mjS9xPzDaF2A) would be the best way to stay up to date.

    Jack

  • @outadoc @mxk @enlightenedluke @kramarb You can now use the SSH agent in an RDP session. The Windows Hello requirement has been lifted.

  • kramarb
    Community Member

    Great news, thanks for the information!

  • outadoc
    Community Member

    @floris_1P Can confirm it's working! Thank you.

This discussion has been closed.