Agent doesn't work with Git inside a Node.js script using a SSH + SSO key on GitHub
I've been trying to switch to using the 1P SSH Agent full-time and while it's working great for my regular servers' SSH and commit signing, the SSH Git(Hub) connections are giving me issues when git is run from/by a Node.js script when using a key in a repo that uses https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/authorizing-an-ssh-key-for-use-with-saml-single-sign-on
The problem
Considering the following SSH config:
```
Host *
IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
Host github.com
IdentityFile ~/.ssh/keys/github.pub
```
Where github.pub is the public key of an SSH key from my vault.
Using the git CLI in a regular context (fish shell 3.5.1 in iTerm2 3.5.0beta9) works fine and prompts the Agent as expected.
However, running inside the same repo but using the git command inside a script causes an error. Considering the following script:
```js
import { exec } from "child_process";

(async () => {
  // Run git pull through a shell, with verbose ssh output for debugging
  exec(
    'GIT_SSH_COMMAND="ssh -v" git pull',
    { cwd: process.cwd() },
    console.log // callback receives (error, stdout, stderr)
  );
})();
```
yields the following error when run:
```
debug1: SSH2_MSG_EXT_INFO received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/damien/.ssh/keys/github.pub ED25519 SHA256:4qAKLnbwSPfhZggpEDaJRo5SQe982Do8A6vOS6jAcEM explicit agent
debug1: Server accepts key: /Users/damien/.ssh/keys/github.pub ED25519 SHA256:4qAKLnbwSPfhZggpEDaJRo5SQe982Do8A6vOS6jAcEM explicit agent
sign_and_send_pubkey: signing failed for ED25519 "/Users/damien/.ssh/keys/github.pub" from agent: agent refused operation
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.
```
With those interesting warnings in 1Password's log file when the script runs:
```
WARN 2023-01-06T20:16:59.064 tokio-runtime-worker(ThreadId(6)) [1P:ssh/op-session-info/src/macos.rs:37] no top level process found, launchd is missing from process tree
WARN 2023-01-06T20:16:59.064 tokio-runtime-worker(ThreadId(6)) [1P:ssh/op-ssh-agent/src/lib.rs:426] Unable to get client_info for pid: 1077
```
My current (hacky) workaround
After battling for two days with my SSH config file I figured out a workaround. It's not pretty but it works fine:
- Remove the Git bit from my main ssh config
- Create another config file in `.ssh`, named `config-git`
- Put the Git bit from before in that newly created file
- Set the `GIT_SSH_COMMAND` value to `ssh -F ~/.ssh/config-git`
- Export the private key of my Git SSH key
- Run `ssh-add --apple-use-keychain <path_to_key_file>`
- Now both a regular `git pull` and the script above work.
1Password Version: 1Password for Mac 8.9.12 (80912004)
Extension Version: Not Provided
OS Version: macOS 13.1
Browser: Not Provided
