1Password asking for permission each time

I am still getting the prompt on Mac on each terminal open (iTerm2 & VS Code Terminal). I am using the Beta pipeline of the 1Password and have the SSH Agent configured properly (according to the UI).

I just tried setting this up and got the prompt-every-time behavior, but I managed to isolate the (proximate) cause. More or less.

I'm running Ubuntu 22.04 with the built-in GNOME Terminal. My login shell is the default /usr/bin/bash, but Terminal is configured to run fish from homebrew (/home/linuxbrew/.linuxbrew/bin/fish). When I run ssh from fish, the authentication prompt says that "/usr/bin/ssh" is trying to access the key. Every ssh command triggers this prompt.

If I open a terminal window running bash, then the prompt says that "/usr/bin/bash" is the process trying to access the key. Now it establishes a session with the shell and subsequent uses are waved through. I tried adding (the full path to) fish to /etc/shells, but that didn't change anything. Interestingly, if I manually run bash from within fish, 1password again links the session to bash.

Presumably 1Password is interrogating the process list and doing something sneaky to figure out which process should own a given session. Sounds like a hard problem and it's not too surprising that it involves some easy-to-break assumptions. If there's no way to get this right in all reasonable cases, I would certainly not object to some advanced configuration in which I can identify specific binaries that should be allowed to anchor SSH agent sessions.

In fact, if such a thing were in place, it becomes easy to imagine designating one's terminal application itself as the anchor, if one prefers a single session across multiple tabs. Hypothetically.

I'm also definitely seeing much more frequent prompts than I would expect (1Password for Mac 8.7.0). It's not every time, but it is much more frequent than I would expect given the selections I've made in Preferences --> Security --> Auto-lock.

It occurs to me that 1Password does not require that I unlock separately for each browser or browser tab, but it does require me to unlock separately for each terminal / terminal tab and that the behavior isn't configurable.

I'm not sure if this is the intended or expected result, but it is still frustrating. Unless I can find a better workaround, I'll have to revert to using openssh agent for my most commonly used keys. Any suggestions or workarounds?

I've had a chance to give it a try again and the behaviour looks better now, probably correct in terms of behaving as intended. That said, I don't think it's yet practical for me. Echoing verboese's comment above, I think I understand how it's working now. Within a single terminal window it works great, but not across multiple windows - it's a separate unlock for each window/process.

Is there any chance this could become a configurable thing? I'd be quite happy for it to be an all-or-nothing situation, as I'm often using multiple SSH keys in multiple different terminals. I could probably reduce it to a single SSH key, but I'd want that key to be available to all processes once I've unlocked 1Password for the session (subject to normal lock-on-idle and lock-on-sleep behaviours).

I now understand that the repeated prompts for password/fingerprint is a security feature more than a bug. The reason for this is that each terminal tab has its own process ID and that's why the authorisation for accessing the key is required again.

@bryanburns That's awesome to hear!!!! Thanks for getting back to us.

Behavior looks much better now, thanks so much!

@aurimasniekis @ttyS0 @bryanburns The issue of many consecutive prompts piling up has been fixed. Can you see if it works for you now?

@verboese @kvnvelasco barneydesmond We're hard at work to fix the cases where you get prompted again for every single request. To help us there it would be great if you could provide us with an SSH diagnostics report.

I just setup up SSH keys with 1Password8 yesterday, and this morning had a stack of Allow prompts from IntelliJ that I basically had to hold the enter key down for to clear out. The first thing I did was look in the preferences for a setting, similar to the lock time setting. Not finding anything, I found my way here. I like the SSH feature, but the prompt fatigue is real, and it helps train folks to just blindly click "Allow" every time they see a 1Password prompt, or something that looks like a 1Password prompt.

I use SourceTree as my git client, and when the app is focused, it does a git fetch on all repos (I have roughly 50 added), which causes an auth dialog to pop up over and over, one for each repo. I would really love it if the auth status was remembered for a period of time to prevent this behavior.