"signing failed for" after multiple denies [CLI] [SSH Key] [SSH Agent] [Terminal]

Options
zevolution
zevolution
Community Member
edited June 2023 in SSH

Well, first of all I need say that I have a lot of SSH Keys because I'm work on multiple projects on the same time using git. So, a lot of them force-me to use SSH Key to make a pull or push of code.

Today, I had a problem when add a new SSH Key:

After call "git clone" and deny the first 3 SSH key, the 1Pass didn't show the remaining SSH Keys, and the Git CLI skip to request password(behavior when no ssh-key works)

Therefore, I went immediately in 1Pass logs to verify, and I found that the behavior is block per 15s the application if we have many attempts in a short time period, but this is a problem when we have a lot of ssh-keys and this case we want use just one of them. So it would be very powerful if we had a way as for example, chose the ssh-key in a list provided by 1Pass, because await a time for each item until I find the desired item is very very slow at the end of the day.

1Password Version: 8.10.7
Extension Version: Not Provided
OS Version: Ventura 13.3
Browser:_ Not Provided

Comments

  • floris_1P
    floris_1P
    Options

    Here's a docs article about using different SSH keys for different Git repos. Would that solve your use case?

  • zevolution
    zevolution
    Community Member
    edited June 2023
    Options

    Hello @floris_1P , thanks for your answer!

    Yeah, I know that way and I used to do it, but that's the reason I use 1Password SSH Agent, I don't want to go through the trouble of doing manual configurations, 1Pass Agent already does that, it just doesn't do it very well yet. There should be:

    • either a popup with all my SSH so I could choose which one to use. In this case I don't need deny keys, its just select the one I want
    • or decrease the time associated with "many denied attempts". In this case I can deny other ssh-keys until I reach the desired
  • floris_1P
    floris_1P
    edited June 2023
    Options

    It's not likely we'll be making our prompt rate limiter more lenient at this time, so if you need separate SSH keys per repo, a Gitconfig / shell script / SSH config kind of workflow would likely be more promising at this point.

    For example, you could look into adding a small git shim that sets GIT_SSH_COMMAND based on the directory or Git repo name, e.g. using git config --get remote.origin.url or git rev-parse --show-toplevel. And then in that script use the repo name to point to a certain .pub file on disk: GIT_SSH_COMMAND="ssh -i ~/.ssh/$REPO_NAME.pub" /opt/homebrew/bin/git "$@"

    You do have to download all the public keys from 1Password to disk once. (There are ways to also automate that part if you want, but we won't promise a stable API there)

    Let me know if that helps.

  • zevolution
    zevolution
    Community Member
    Options

    Hmmm, all of that is pretty cool, but for me, it's a lot of work hahaha, sorry I'm a lazy man. So, I really prefer wait 5sec per deny until reach my key instead do this bro. I'll wait for something more practical, 1Pass is a great product who knows soon we may see something more practical related to multiple ssh keys

  • floris_1P
    floris_1P
    Options

    You could also consider revisiting why you even need different SSH authentication keys per repo. If they use the same Git account and the same 1Password account, there's not a lot of benefit of using different authentication keys anyway. There are no different access levels enforced per authentication key, and creating/revoking them is easy.

This discussion has been closed.