July 21, 2022
Question

SSH agent terminal password prompt?


I've started using the 1Password SSH agent, and in my regular day-to-day work at my desktop PC it works great!

However, if I'm not in my office, I tend to do a lot of work from my laptop using the remote SSH option in VS Code, or simply SSH to the PC and then work from within that terminal session. In those cases, whenever I do e.g. 'git push' or something, I get prompted for my login password... with a GUI popup on the desktop-attached monitor, which I can't see or respond to of course.

Is there any way of working around this, so that I don't have to set up a separate non-1P SSH key for this use case?


1Password Version: 8.7.3
Extension Version: Not Provided
OS Version: Fedora 36
Browser: Not Provided

4 replies

floris_1P
1Password Employee
July 21, 2022

Do you have 1Password installed on your host machine? If so, then that sounds like a perfect case for SSH agent forwarding, which you can enable in your VS Code setup so you can use your local agent and rely on your local '1Password lock state' instead of the one on the remote host.

July 25, 2022

Thanks -- yes, I do!

I've tried it out, and it seems to work as expected. However, it doesn't play well with the default setup recommended in the 1Password docs (e.g. setting IdentityAgent for Host * in ~/.ssh/config), as then the remote host still tries to use its local 1Password agent.

Will see if I can play around a bit with a .bashrc script to set SSH_AUTH_SOCK to the 1Password agent only for local logins, and leave it untouched for remote logins over SSH.

floris_1P
1Password Employee
July 25, 2022

You could look for SSH_TTY which will be set in your remote shell, and if it's not set then configure SSH_AUTH_SOCK.

July 26, 2022

Yep, I added this section to my ~/.bashrc and disabled the IdentityAgent setting in ~/.ssh/config on both of my machines:

```bash
# Enable 1Password SSH agent
#
# We do this by setting up SSH_AUTH_SOCK, but only for local sessions (SSH_TTY
# is unset); if SSH_TTY is set, however, assume that it's a remote session, and
# that SSH agent forwarding is active, so we should leave SSH_AUTH_SOCK alone
if [ -z "$SSH_TTY" ]; then
    export SSH_AUTH_SOCK=~/.1password/agent.sock
fi
```

Would be nice if this use case was covered, maybe in https://developer.1password.com/docs/ssh/agent/advanced or something?
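
A variant of the ~/.bashrc approach from this thread, added here as an example (it is not code from the posters or from the 1Password documentation). It also checks SSH_CONNECTION, which sshd sets for every session while SSH_TTY is only set when a terminal is allocated, and it warns when a remote session has no forwarded agent. The function and variable names are made up for this example; the socket path is the one from the post above.

```bash
# Added example for ~/.bashrc; names below are hypothetical.
# Assumes the 1Password agent socket path quoted in the thread.
ONEPASSWORD_AGENT_SOCK="$HOME/.1password/agent.sock"

# Print "remote" when this shell was started over SSH, otherwise "local".
# SSH_CONNECTION covers sessions that have no tty; SSH_TTY is kept as a
# second signal so the original check still applies.
ssh_session_kind() {
    if [ -n "${SSH_CONNECTION:-}" ] || [ -n "${SSH_TTY:-}" ]; then
        echo remote
    else
        echo local
    fi
}

# Local session: point SSH_AUTH_SOCK at the 1Password agent on this machine.
# Remote session: leave the forwarded agent socket alone. If nothing was
# forwarded, warn and return 1 instead of falling back to the local agent,
# whose unlock prompt would appear on the desktop's own display.
configure_ssh_agent() {
    if [ "$(ssh_session_kind)" = local ]; then
        export SSH_AUTH_SOCK="$ONEPASSWORD_AGENT_SOCK"
        return 0
    fi
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "ssh-agent: remote session without a forwarded agent" >&2
        return 1
    fi
    return 0
}

# Run at shell startup; never abort the shell on the warning case.
configure_ssh_agent || true
```
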