Skip to main content
March 25, 2022
Question

1Password asking for permission each time

  • March 25, 2022
  • 58 replies
  • 10698 views

When using 1Password for storing my SSH keys, it asks for authentication (here: fingerprint) each time a key is accessed. This is different from handling passwords for e. g. web forms: As long as 1Password isn't locked, I can fill the password fields.
As I very often access different machines, this annoys me already after one day ...
Is it possible to disable that behaviour?


1Password Version: 8.7.0 (80700012)
Extension Version: Not Provided
OS Version: 12.2.1 (21D62)

58 replies

floris_1P
1Password Employee
May 10, 2022

@aurimasniekis @ttyS0 @bryanburns The issue of many consecutive prompts piling up has been fixed. Can you see if it works for you now?

@verboese @kvnvelasco @barneydesmond We're hard at work to fix the cases where you get prompted again for every single request. To help us there it would be great if you could provide us with an SSH diagnostics report.

May 11, 2022

Behavior looks much better now, thanks so much!

May 11, 2022

@bryanburns That's awesome to hear!!!! Thanks for getting back to us.

May 14, 2022

I now understand that the repeated prompts for password/fingerprint is a security feature more than a bug. The reason for this is that each terminal tab has its own process ID and that's why the authorisation for accessing the key is required again.

May 18, 2022

I've had a chance to give it a try again and the behaviour looks better now, probably correct in terms of behaving as intended. That said, I don't think it's yet practical for me. Echoing verboese's comment above, I think I understand how it's working now. Within a single terminal window it works great, but not across multiple windows - it's a separate unlock for each window/process.

Is there any chance this could become a configurable thing? I'd be quite happy for it to be an all-or-nothing situation, as I'm often using multiple SSH keys in multiple different terminals. I could probably reduce it to a single SSH key, but I'd want that key to be available to all processes once I've unlocked 1Password for the session (subject to normal lock-on-idle and lock-on-sleep behaviours).

May 18, 2022

I'm also definitely seeing much more frequent prompts than I would expect (1Password for Mac 8.7.0). It's not every time, but it is much more frequent than I would expect given the selections I've made in Preferences --> Security --> Auto-lock.

It occurs to me that 1Password does not require that I unlock separately for each browser or browser tab, but it does require me to unlock separately for each terminal / terminal tab and that the behavior isn't configurable.

I'm not sure if this is the intended or expected result, but it is still frustrating. Unless I can find a better workaround, I'll have to revert to using openssh agent for my most commonly used keys. Any suggestions or workarounds?

May 24, 2022

I just tried setting this up and got the prompt-every-time behavior, but I managed to isolate the (proximate) cause. More or less.

I'm running Ubuntu 22.04 with the built-in GNOME Terminal. My login shell is the default /usr/bin/bash, but Terminal is configured to run fish from homebrew (/home/linuxbrew/.linuxbrew/bin/fish). When I run ssh from fish, the authentication prompt says that "/usr/bin/ssh" is trying to access the key. Every ssh command triggers this prompt.

If I open a terminal window running bash, then the prompt says that "/usr/bin/bash" is the process trying to access the key. Now it establishes a session with the shell and subsequent uses are waved through. I tried adding (the full path to) fish to /etc/shells, but that didn't change anything. Interestingly, if I manually run bash from within fish, 1password again links the session to bash.

Presumably 1Password is interrogating the process list and doing something sneaky to figure out which process should own a given session. Sounds like a hard problem and it's not too surprising that it involves some easy-to-break assumptions. If there's no way to get this right in all reasonable cases, I would certainly not object to some advanced configuration in which I can identify specific binaries that should be allowed to anchor SSH agent sessions.

In fact, if such a thing were in place, it becomes easy to imagine designating one's terminal application itself as the anchor, if one prefers a single session across multiple tabs. Hypothetically.

June 8, 2022

I am still getting the prompt on Mac on each terminal open (iTerm2 & VS Code Terminal). I am using the Beta pipeline of the 1Password and have the SSH Agent configured properly (according to the UI).

June 10, 2022

@barneydesmond, @hstenzel and @addy having to authorize each terminal tab/session separately is the expected behavior of the SSH agent, but we are considering adding more configuration options around the authorization prompts, so stay tuned!

June 10, 2022

@psagers getting a prompt every time is definitely not the intended behavior of the agent. Could you file an https://1password.community/home/leaving?allowTrusted=1&target=https%3A%2F%2Fdeveloper.1password.com%2Fdocs%2Fssh%2Fagent%2Ftroubleshooting%2F regarding the behavior you're experiencing. This could help us investigate and possibly fix this problem.