Skip to main content
March 25, 2022
Question

1Password asking for permission each time

  • March 25, 2022
  • 58 replies
  • 10698 views

When using 1Password for storing my SSH keys, it asks for authentication (here: fingerprint) each time a key is accessed. This is different from handling passwords for e. g. web forms: As long as 1Password isn't locked, I can fill the password fields.
As I very often access different machines, this annoys me already after one day ...
Is it possible to disable that behaviour?


1Password Version: 8.7.0 (80700012)
Extension Version: Not Provided
OS Version: 12.2.1 (21D62)

58 replies

June 10, 2022

8.8.0~126.BETA anchors the session to fish, as expected.

June 10, 2022

@"Marton.Soos_1P" +1 on additional config, we have microservices, so I typically have quite a few shells open at any given time.

June 10, 2022

also +1 on additional config. It's fine to make a super secure default setting, as long as you let me and my teammates choose to configure it in a slightly less secure, but much more usable way.

July 11, 2022

Using the SSH agent with GitKraken or VSCode on Windows is currently unusably annoying. Prompts every time it does a pull or fetch. I have tried updating 1Password to the latest beta build and the result is the same.

July 13, 2022

@voltboyee Which version of git do you have installed? You should have git 2.33 or above for prompting to work well on windows

floris_1P
1Password Employee
July 20, 2022

@barneydesmond @yboulkaid @verboese @hstenzel @addy @Stefan_Schulte In the latest beta, you can now configure the SSH agent authorization model to not prompt for each terminal tab, but only once per application. Let me know if that improves things for you!

July 20, 2022

@floris_1P what else can you say about this?

Is it once forever, or is it once per configurable period?

At the end of the day, I'm really looking for usage semantics similar to openssh's ssh-agent: if the key is in 1Password and 1Password is unlocked, then I can ssh with public key authentication transparently. I understand the tradeoffs associated with this decision, but if 1Password is unlocked and an attacker has access to my device, they can already steal my key. Why is the model for ssh keys accessed by agent different than the model for secrets accessed by the op command line or the gui?

Thanks, I'm looking forward to trying this enhancement.

July 24, 2022

@floris_1P thanks for getting back to us. I gave the feature a try by configuring to be as permissive as possible (ask for approval once per new application + remember until 1Password quits), and the experience is much better than before. After having clicked through the prompt a couple times (once per application), I don't get any prompts during my regular workflow.

I would still prefer to have the permission be global for all applications. This would mimic the ssh-agent behavior and be more "transparent", as @hstenzel mentioned.

To me the value provided by the 1Password SSH integration is more about the key storage than about auditing key access. Which is why I would like to have as few prompts as possible.

November 26, 2022

Yeah - I'm coming from KeepassXC - where the SSH Agent doesn't prompt me at all (which I prefer) as long as the keychain is unlocked.

Given that I have background sync processes, backups, ssh sessions etc etc etc, getting prompted every 5 minutes is a royal pain in the butt.

December 10, 2022

I have enabled "Remember key approval: until 1Password quits" and "Ask approval for each new: application" and yet it still expires every time, and I have to re-authorize the agent when VSCode runs a background git pull.