1Password asking for permission each time

2»

Comments

  • scottaw
    scottaw
    Community Member
    edited December 2022

    if you have git configured to use an ssh key for signing or you do a push to GitHub or something using ssh, then yes, you'll have to approve it the first time you do a commit or a push in a vscode terminal. it also happens again after some timeout period.

    Personally I don't see the issue. Until recently I had a 2015 iMac and I had to type in the password on these occasions. I did. I did not get mad.

    Now I have an M1 Pro MBP and I can either use my watch to approve or use Touch ID to approve. I do. I do not get mad.

    The timeout period always seems reasonable to me. It doesn't require it each time, and I'm using it for ssh, for git signing, and for GitHub.

    I also haven't had any issues with Face ID on iOS using 1Password 8, but maybe I'm just lucky.

  • N33T
    N33T
    Community Member

    Hi all, the addition of asking per application is great.
    However I noticed that 1Password isn't saving this settings, every time 1P is killed (either by reboot or stopping it completely).
    I am currently running: 1Password for Linux 8.10.0 (81000009)

  • julemand
    julemand
    Community Member

    As a paying client and a fan boy, I absolutely say that we need a far easier alternative, even if it means less secure, for people sitting on Ubuntu as their main development machine. Not server. But also not a Mac laptop featuring easy fingerprint unlock.

    Imagine having to type ubuntu password 5 times just to open project in vs code, run docker and run composer install (private packages). It kills me to the point that I might just as well use the good old static file.

    I think less safe option of whitelisting or just unlocking ssh agent for all, or unlocking once with password and then simply asking yes/no to confirm would be better. It really sucks that big time.

    PS. I was on windows, but as amazing WSL 2 is, running developing natively on ubuntu just flies. And finally it unlocks the opportunity to use safer things. But not at this price where I'm actually wasting time typing the password...

    Unfortunately there are no fingerprint drivers for me.

  • Hi @sitepodmatt / @julemand:

    Thanks for your feedback on this. While I can't promise anything, we're exploring additional options.

    @N33T:

    Would you mind sharing which channel of 1Password you're using (production, beta, nightly)?

    Jack

  • N33T
    N33T
    Community Member
    edited January 2023

    Hey @Jack.P_1P, I am on the beta channel.

    I share the same sentiment as @julemand and @sitepodmatt, without a fingerprint scanner like Macs have it's quite the hassle to have to enter the password so often.

  • Hi @N33T:

    I've just double checked, and today's beta release contains a fix for the setting not persisting after 1Password is quit. After updating, let me know if you're still running into trouble.

    Jack

  • N33T
    N33T
    Community Member

    Hey @Jack.P_1P, I just updated to 1Password for Linux 8.10.0 (81000012) and the setting does persist now.
    Thanks!

    This at least saves some time entering passwords when working in tmux.

  • Hey @N33T:

    Glad to hear it!

    Jack

  • repoles
    repoles
    Community Member

    This prompt requesting my approval to access a SSH key every time I open an application is really, really, reeeeeally annoying!

  • Hi @repoles:

    We're exploring additional options here. Stay tuned!

    Jack

  • repoles
    repoles
    Community Member

    Thank you, @Jack.P_1P!

  • lilyes
    lilyes
    Community Member
    edited February 2023

    I would really appreciate an option for requiring authorization only once for all applications on Linux, combined with the already existing options for how long the authorization should be remembered.

    I usually close my terminal application(which i use for my ssh workflows) whenever im not using it, and it gets annoying having to input my password every time I do that since the current settings are not really remembered per application, but per each process.

  • mangotre
    mangotre
    Community Member

    I'm using Linux, and working with IntelliJ. I have turned on using SSH keys for signing.

    IntelliJ asks me all the time about my signing key password. In addition to that, doing git operations in my terminal asks me too.

    If I'm going to guess, I would think that I'm typing the password 10-15 times day, compared to the old fashioned way with ssh-agent and gpg keys for signing. I have decided to turn 1password ssh functionality off, because this is just too much, unfortunately.

    Hope this gets fixed, as I would like to use this feature.

  • Hi @mangotre / @lilyes:

    Thanks for your feedback on this! As I mentioned, we're exploring additional options here, but I don't have any specifics or timeline to share just yet.

    Jack

  • @barneydesmond @hstenzel @addy @Stefan_Schulte @psagers @voltboyee @yboulkaid @CRCinAU @repoles @lilyes @mangotre

    Thanks all for your patience and feedback. We've been exploring different options to allow for an authorization model that's more like the standard OpenSSH agent, and we have something for you to try out! If you're interested to take it for a spin, you can find more information in our Developer Slack workspace.

  • shoehorn42
    shoehorn42
    Community Member

    This feature is so good! Thank you for polishing it. Allowing ssh key access just by a fingerprint feels amazing.

  • carlosonunez
    carlosonunez
    Community Member

    Thank you so much for developing this feature. It is very convenient and easy to use...if you're in front of your computer.

    Unfortunately, signing Git commits or using SSH keys this way is a GIGANTIC hassle if you're connected remotely. It's basically unusable in this use case.

    I often connect to my computer at home (running the 1Password ssh-agent) from my iPad via Blink Terminal. Every time I need to sign a commit or use a password with the op CLI, I have to VNC into my computer, log in and interact with 1Password to finish the transaction.

    Sometimes git or ssh will time out waiting on me to do this, as this is very hard to do over low-bandwidth connections.

    It would be much more ideal if 1Password sent a beacon to all of my logged-in devices whenever it needed authorization to use a key or something.

  • MaKolarik
    MaKolarik
    Community Member

    First, I see there have already been some improvements since this feature was launched, so thanks for that!

    Still, I think there's a better model that would provide good access control while staying simple to use: permanent (even after 1P closing), per-application approvals.

    Implementation-wise, I imagine once an application got approved, either its path (less secure) or file hash (more secure) would be stored as trusted and not prompted again. This would allow easily restricting access only to the expected apps, without prompting too often; only after an update that changes the path/hash would the app need to be re-approved.

  • rmrz
    rmrz
    Community Member

    The idea for this feature is quite great, the implementation however is extremely annoying. After a couple of weeks trying it, I ended up disabling it. Typing my password every 5 minutes is just too much.

  • antfly
    antfly
    Community Member

    firstly I strongly agree that asking password every time is too much and on every commit even if 1password is already unlock, so I decided to disable that feature (until you improve the behaviour if you do because it seems to exist since a while now) and use the old way with ssh keys store as a file in .ssh folder.
    I was about to get crazy trying to unlink 1password from Sourcetree and cannot find any explanation about that on the web so I'm posting this here for people like me because I lost so much time to figure it out.

    Inside ~/.ssh/config remove:

    Host \*
    IdentityAgent "~/Library/Group Containers/xxx.com.1password/t/agent.sock"
    

    in ~/.gitconfig remove the signingkey and

    gpgsign = true
    
    [gpg]
    
    format = ssh
    
    [gpg "ssh"]
    
    program = /Applications/1Password.app/Contents/MacOS/op-ssh-sign
    

    You can now use SSH in the old way without 1Password.
    Hope this will help someone.