When using 1Password for storing my SSH keys, it asks for authentication (here: fingerprint) each time a key is accessed. This is different from handling passwords for e. g. web forms: As long as 1Password isn't locked, I can fill the password fields. As I very often access different machines, this annoys me already after one day ... Is it possible to disable that behaviour? 1Password Version: 8.7.0 (80700012) Extension Version: Not Provided OS Version: 12.2.1 (21D62)

firstly I strongly agree that asking password every time is too much and on every commit even if 1password is already unlock, so I decided to disable that feature (until you improve the behaviour if you do because it seems to exist since a while now) and use the old way with ssh keys store as a file in .ssh folder. I was about to get crazy trying to unlink 1password from Sourcetree and cannot find any explanation about that on the web so I'm posting this here for people like me because I lost so much time to figure it out. Inside ~/.ssh/config remove: Host \* IdentityAgent "~/Library/Group Containers/xxx.com.1password/t/agent.sock" in ~/.gitconfig remove the signingkey and ``` gpgsign = true [gpg] format = ssh [gpg "ssh"] program = /Applications/1Password.app/Contents/MacOS/op-ssh-sign ``` You can now use SSH in the old way without 1Password. Hope this will help someone.

The idea for this feature is quite great, the implementation however is extremely annoying. After a couple of weeks trying it, I ended up disabling it. Typing my password every 5 minutes is just too much.

Same issue here. Really love how much easier it is to setup than fighting ssh-agent, but considering I sometimes remote into my Mac from my iPad Pro to do development on my local projects, doing a git push is going to suck if I have to fire up Screens to click the 1Password permission button every time.

I have observed this behavior as well. In fact, it's in direct contradiction to the documentation. This seems like a bug. https://developer.1password.com/docs/ssh/agent/security#authorization-model

Actually after some investigation, subsequent commands within the same process do in fact not prompt for a passphrase. Some IDEs though cause trouble here. Running git fetch in an intellij IDE ends up requesting for a passphrase each time.

1Password asking for permission each time

Former Member
3 years ago
floris_1P thanks for getting back to us. I gave the feature a try by configuring to be as permissive as possible (ask for approval once per new application + remember until 1Password quits), and the experience is much better than before. After having clicked through the prompt a couple times (once per application), I don't get any prompts during my regular workflow.

I would still prefer to have the permission be global for all applications. This would mimic the ssh-agent behavior and be more "transparent", as @hstenzel mentioned.

To me the value provided by the 1Password SSH integration is more about the key storage than about auditing key access. Which is why I would like to have as few prompts as possible.
Former Member
3 years ago
floris_1P what else can you say about this?

Is it once forever, or is it once per configurable period?

At the end of the day, I'm really looking for usage semantics similar to openssh's ssh-agent: if the key is in 1Password and 1Password is unlocked, then I can ssh with public key authentication transparently. I understand the tradeoffs associated with this decision, but if 1Password is unlocked and an attacker has access to my device, they can already steal my key. Why is the model for ssh keys accessed by agent different than the model for secrets accessed by the op command line or the gui?

Thanks, I'm looking forward to trying this enhancement.
floris_1P
1Password Team
3 years ago
barneydesmond @yboulkaid @verboese @hstenzel addy Stefan_Schulte In the latest beta, you can now configure the SSH agent authorization model to not prompt for each terminal tab, but only once per application. Let me know if that improves things for you!
Former Member
3 years ago
@voltboyee Which version of git do you have installed? You should have git 2.33 or above for prompting to work well on windows
Former Member
3 years ago
Using the SSH agent with GitKraken or VSCode on Windows is currently unusably annoying. Prompts every time it does a pull or fetch. I have tried updating 1Password to the latest beta build and the result is the same.
Stefan_Schulte
New Contributor
3 years ago
also +1 on additional config. It's fine to make a super secure default setting, as long as you let me and my teammates choose to configure it in a slightly less secure, but much more usable way.
addy
New Contributor
3 years ago
@"Marton.Soos_1P" +1 on additional config, we have microservices, so I typically have quite a few shells open at any given time.
Former Member
3 years ago
8.8.0~126.BETA anchors the session to fish, as expected.
Former Member
3 years ago
@psagers getting a prompt every time is definitely not the intended behavior of the agent. Could you file an SSH Diagnostics Report regarding the behavior you're experiencing. This could help us investigate and possibly fix this problem.
Former Member
3 years ago
barneydesmond, @hstenzel and addy having to authorize each terminal tab/session separately is the expected behavior of the SSH agent, but we are considering adding more configuration options around the authorization prompts, so stay tuned!

Forum Discussion

1Password asking for permission each time

Recent Discussions

Single login in tiled-terminal session

Repeated errors using git on CLI, VSCode

Azure container app provisioning not working

SCIM - Hosting Redis Externally

GPG support? (like SSH)