Forum Discussion
Keyring isn't suid on nixos
Hi, I'm running NixOS and my 1password-keyringhelper isn't suid.
So I get this error:
```
[1P:foundation/op-linux/src/bin/keyring_helper.rs:150]
keyring helper detected it was not running as root. This could lead to credentials being compromised, aborting!
Permissions found: EUID: 1000, EGID: 100
```
I tried security.wrappers:
```
security.wrappers = {
  "1Password-KeyringHelper" = {
    source = "${pkgs._1password-gui.out}/share/1password/1Password-KeyringHelper";
    # a setuid wrapper only gives the helper root if the wrapper itself is owned by root
    owner = "root";
    setuid = true;
    group = "onepassword";
  };
};
```
Neither worked.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Nixos master
Sync Type: Not Provided
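The abort above is the helper refusing to run with EUID 1000. Before touching the config again it helps to know which of three things went wrong: the wrapper was never built, it exists but has no set-user-ID bit, or it has the bit but is not owned by root. The following POSIX shell check is an added example for this thread, not 1Password's or NixOS's own tooling; it assumes NixOS places security.wrappers output under /run/wrappers/bin and that the wrapper carries the name used in the config above.

```sh
#!/bin/sh
# Added example (not from the thread, not 1Password's or NixOS's code): tell apart
# the three ways a security.wrappers entry can fail to hand the keyring helper root.
# Assumptions: wrappers live under /run/wrappers/bin and the name matches the config.

WRAPPER_DEFAULT=/run/wrappers/bin/1Password-KeyringHelper

# Owning user of a path, taken from field 3 of a POSIX long listing.
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# 0 if the set-user-ID bit is present (POSIX `test -u`), 1 otherwise.
has_setuid_bit() {
    [ -u "$1" ]
}

# Classify a wrapper path. Exit status: 0 = setuid root (helper will get EUID 0),
# 1 = no setuid bit, 2 = setuid but not owned by root, 3 = path missing.
check_setuid_root() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "MISSING      $path: no wrapper built; is the security.wrappers entry in the active generation?"
        return 3
    fi
    if ! has_setuid_bit "$path"; then
        echo "NO-SETUID    $path: mode has no s bit, helper will see EUID $(id -u) and abort"
        return 1
    fi
    owner=$(owner_of "$path")
    if [ "$owner" != root ]; then
        echo "WRONG-OWNER  $path: setuid but owned by $owner; set owner = \"root\"; in the wrapper"
        return 2
    fi
    echo "OK           $path: setuid root"
    return 0
}

# Run against the path given as the first argument, or the assumed default.
check_setuid_root "${1:-$WRAPPER_DEFAULT}" || echo "(check exited with status $?)"
```

Run it as `sh check-wrapper.sh /run/wrappers/bin/1Password-KeyringHelper` after a rebuild; a NO-SETUID or WRONG-OWNER result means the wrapper was generated but cannot raise the helper's EUID, which is exactly the state the error message describes.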
52 Replies
- Former Member
I have the full experience working ;) With some (motivational) help keeping me on track, I got down into the depths of polkit debugging (https://wiki.archlinux.org/title/Polkit#Debugging/logging).
As the SSH auth relies on system authentication (and so on polkit), it was really helpful for me while debugging, so I didn't have to lock/unlock my vault again for testing over and over. (Just for anyone following me on the path.)
SSH-Keys in non Standard/Personal-Vault
Please add some hints in SSH-Key type items in the app -> in such vaults that they will not work. Having it in the docs is nice, but as it could be interpreted differently (see above - maybe my fault) this would be an improvement I guess. I hope in the long term all non-shared (first) and later even shared (maybe keys shared without the ability to download/view them for teams? ;)) vaults are possible.
```
export SSH_AUTH_SOCK=~/.1password/agent.sock
```
It helps a lot seeing/debugging the content of the keyring - for me it's part of "set up your system with 1Password as SSH auth provider", so it would be in the snippet/getting started in the app (like the .ssh/config thing), then in the docs (additional docs - again I love it).
Debugging further
with
```
journalctl -feu polkit.service
```
and
```
security.polkit = {
  enable = true;
  extraConfig = ''
    polkit.addRule(function(action, subject) {
      polkit.log("action=" + action);
      polkit.log("subject=" + subject);
    });
  '';
};
```
and
```
ssh -v root@XXX.XXX.de
```
I was able to see the related actions popping up in journalctl. I was curious and adapted something I've seen on the ArchWiki page with the debug output, and I got it working the first time, but with a hardcoded wildcard on the action:
```
security.polkit = {
  enable = true;
  extraConfig = ''
    polkit.addRule(function(action, subject) {
      polkit.log("action=" + action);
      polkit.log("subject=" + subject);
      if (action.id == "com.1password.1Password.authorizeSshAgent") {
        return polkit.Result.YES;
      }
    });
  '';
};
```
DON'T USE THIS, IT COMPROMISES YOUR SECURITY
- Conclusion and solution
From then on I knew that there was something missing in my environment which prompts me for authorization when such a polkit action/event occurs. Originally searching for something like polkit-explorer-git (earlier) I saw the package polkit_gnome. Then I had some luck that one of my colleagues, also using i3wm, had already implemented polkit_gnome in his config as a systemd user service in NixOS:
```
systemd = {
  user.services.polkit-gnome-authentication-agent-1 = {
    description = "polkit-gnome-authentication-agent-1";
    wants = [ "graphical-session.target" ];
    wantedBy = [ "graphical-session.target" ];
    after = [ "graphical-session.target" ];
    serviceConfig = {
      Type = "simple";
      ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
      Restart = "on-failure";
      RestartSec = 1;
      TimeoutStopSec = 10;
    };
  };
};
```
For me personally it's more of a user-managed thing, so I moved it to my home-manager config; it works fine and the service definition looks like this:
```
systemd.user.services = {
  polkit-gnome-authentication-agent-1 = {
    Unit = {
      After = [ "graphical-session-pre.target" ];
      Description = "polkit-gnome-authentication-agent-1";
      PartOf = [ "graphical-session.target" ];
    };
    Service = {
      ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
      Restart = "on-failure";
      RestartSec = 1;
      TimeoutStopSec = 10;
      Type = "simple";
    };
    Install = {
      WantedBy = [ "graphical-session.target" ];
    };
  };
};
```
I hope I can give something back to others in the community with this (maybe too detailed) trip report with polkit these days ;)
Best Regards
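The wildcard rule the poster warns against above is dangerous for one reason: it returns polkit.Result.YES for a given action without ever looking at the subject, so every local process, not just the logged-in user at the keyboard, can trigger the SSH agent authorization. A quick way to catch that class of mistake in any rules file is to scan each addRule() body for an unconditional YES. The linter below is an added example written for this thread (not part of the original post, not polkit's or NixOS's tooling). The constructed sample in demo_lint contains the thread's rule, which is flagged, and a variant scoped to a group that still asks the user to authenticate; the group name "onepassword", the AUTH_SELF choice and the rules file location are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): flag polkit JavaScript rules whose addRule()
# body returns polkit.Result.YES without inspecting subject.* at all. Such a rule
# grants the action to every subject on the machine.
# Assumption: the rules file is passed as $1 (on NixOS, security.polkit.extraConfig
# is written to a file under /etc/polkit-1/rules.d/).

# Prints one "UNSCOPED_YES line N: ..." per offending rule; exit 1 if any, else 0.
lint_polkit_rules() {
    awk '
        /polkit\.addRule\(/ { inrule = 1; body = ""; start = NR }
        inrule              { body = body $0 "\n" }
        inrule && /^[ \t]*}\);/ {
            # A YES that never consults subject.* is an unconditional grant.
            if (body ~ /polkit\.Result\.YES/ &&
                body !~ /subject\.(user|isInGroup|isInNetGroup|local|active|seat|pid)/) {
                print "UNSCOPED_YES line " start ": grants " action_of(body) " to every subject"
                bad++
            }
            inrule = 0
        }
        # Pull the quoted action id out of the rule body, if it names one.
        function action_of(b,   m) {
            if (match(b, /action\.id == "[^"]*"/)) {
                m = substr(b, RSTART, RLENGTH)
                sub(/action\.id == /, "", m)
                return m
            }
            return "(any action)"
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample: the rule from the thread (flagged) followed by a scoped rule
# that narrows to an assumed group and still requires the user to authenticate.
demo_lint() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
polkit.addRule(function(action, subject) {
    polkit.log("action=" + action);
    polkit.log("subject=" + subject);
    if (action.id == "com.1password.1Password.authorizeSshAgent") {
        return polkit.Result.YES;
    }
});
polkit.addRule(function(action, subject) {
    if (action.id == "com.1password.1Password.authorizeSshAgent" &&
        subject.isInGroup("onepassword")) {
        return polkit.Result.AUTH_SELF;
    }
});
EOF
    lint_polkit_rules "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

if [ $# -gt 0 ]; then
    lint_polkit_rules "$1"
else
    demo_lint || echo "(lint exited with status $?: finding above)"
fi
```

The linter is deliberately narrow: it does not parse JavaScript, it only asks whether a YES-returning rule mentions the subject at all. A rule that passes can still be too broad (a group check on a group everyone is in), so treat a clean run as "no obvious blanket grant", not as approval. The takeaway from the thread stands: once a polkit authentication agent is running, the default policy prompts the user and no rule is needed.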
- Former Member
Okay, I somehow solved it partially:
I had my keys in different vaults (other than the default) and interpreted "Open and unlock 1Password, then navigate to your Personal or Private vault." as any private vault; otherwise I would have expected the hint with only Personal/Default vault :)
Now as I moved my keys to Personal I can see them all with
```
ssh-add -L
```
but when I try to connect:
```
❯ ssh root@vmh01.XXX.de
sign_and_send_pubkey: signing failed for ED25519 "XXX SSH-Key" from agent: agent refused operation
root@vmh01.XXX.de: Permission denied (publickey).
```
I guess it's related to the other issues where system authentication is not working (maybe polkit?). I will try to look into this :)
- Former Member
Hmm, I tried SSH again after recreating the keys in 1Password and testing it on a Mac (where it worked). I've changed my config to:
```
Host *
  IdentityAgent ~/.1password/agent.sock
```
and can see the socket:
```
❯ ls -al ~/.1password/agent.sock
Permissions Size User Date Modified Name
srw------- 0 sebtm 30 Mar 23:16 /home/sebtm/.1password/agent.sock
```
But on every try to connect to one of my hosts (working again on the Mac) I get:
```
❯ ssh root@vmh01.XXXX.de
root@vmh01.XXXX.de: Permission denied (publickey).
❯ ssh root@ns27.XXXX.de
root@ns27.XXXX.de: Permission denied (publickey,keyboard-interactive).
❯ ssh root@10.10.XX.1
root@10.10.XX.1: Permission denied (publickey).
```
I've also tried to reset the whole 1Password app by renaming .config/1password and setting up the account fresh, but it doesn't help with my SSH feature nor the system authentication issues :/
- Former Member
Hey @DAlperin, @Savanni,
thanks for your answers and sharing your config (I want to do it too but have to take care of secrets first - when I find time :/). I'm running my system on NixOS-Unstable (current rev: ce8cbe3c01fd8ee2de526ccd84bbf9b82397a510) and HomeManager-Master (current rev: 888eac32bd657bfe0d024c8770130d80d1c02cd3) - my `uname -a` is:
```
Linux XXX 5.15.30 #1-NixOS SMP Sat Mar 19 12:47:51 UTC 2022 x86_64 GNU/Linux
```
I've changed the config part for 1Password to:
```
programs = {
  _1password-gui = {
    enable = true;
    groupId = 5001;
    polkitPolicyOwners = [ "sebtm" ];
  };
};
```
The current rev I'm using also includes the initial module from @Savanni. I can see in /etc/group that the group is created with the according gid.
Ah nice, then it will be fixed in the next big release, that's fine for me :) For the transparency thing I use picom (home-manager module) and this is my config:
```
picom = {
  enable = true;
  activeOpacity = "0.96";
  blur = true;
  fade = true;
  fadeSteps = [ "0.05" "0.05" ];
  inactiveDim = "0.10";
  inactiveOpacity = "0.94";
  menuOpacity = "0.96";
  opacityRule = [ "100:name *= 'i3lock'" ];
  shadow = true;
};
```
Worked for me out of the box with no issues.
For the SSH agent thing I'm on it; it seems that I have to recreate my keys in 1Password (as I stored them there before as files), will check that in the next days.
Thanks to all of you for your support, and maybe we will sort it out until you are back on NixOS :)
Best Wishes
Edit: Just one thing I had only mentioned in one sentence, so no worry :) Is there a reason that we lose the right-click menu on the tray icon if quick access for left clicks is enabled? This would be really nice to see :)
- Former Member
@DAlperin actually, that override was only necessary for a few days. polkitPolicyOwners is now a parameter on the module on the unstable channel.
@SebTM Lots of things for me to absorb here, so I'll try to take it point-by-point.
The nested menu is not particularly nice, but it seems that we fixed that by 8.7.0-28. I'm not sure exactly when, though. Also, in your screenshot, did you make the window somewhat transparent? I'm seeing texturing that I know we don't have in the app, since Electron doesn't support transparency on Linux (no idea why, but it's so documented... Linux has only had transparency since, oh, 2002).
SSH agent should be working. I just tried it out and even got it to work with the fingerprint reader. Could you check your ~/.ssh/config to ensure that it is delegating to the socket?
Unfortunately, I'm having to switch off of the NixOS installation. I'm only able to test today since I put it back on to test the new op module that another Nix contributor has open in an MR. But I owe a similar amount of work to the Flatpak users, and the only way for me to get that done is to switch over to the Flatpak installation for a few weeks. :D
- Former Member
@SebTM, out of curiosity, what version of NixOS are you running? Could you also copy and paste the result of `uname -a`? Here is my config since I know that's working, so feel free to poke around and see if you notice any glaring differences: https://github.com/DAlperin/dotfiles. If your config is public, shoot me a link and I can take a look later this week and see if I notice anything; my gut says there is something weird going on with whatever version of NixOS and/or the kernel you are running, but I'm not sure.
Oops yeah, realized I was on an older version of the module from before the PR was opened, my bad.
- Former Member
Keyring-Helper:
```
INFO 2022-03-24T16:43:30.650 main(ThreadId(1)) [1P:foundation/op-linux/src/bin/keyring_helper.rs:133] initalizing keyring helper
ERROR 2022-03-24T16:43:30.650 main(ThreadId(1)) [1P:foundation/op-binary-support/src/linux.rs:255] process detected it was running without libc's security, aborting
INFO 2022-03-24T17:09:55.721 main(ThreadId(1)) [1P:foundation/op-linux/src/bin/keyring_helper.rs:133] initalizing keyring helper
ERROR 2022-03-24T17:09:55.723 main(ThreadId(1)) [1P:foundation/op-binary-support/src/linux.rs:237] parent process contained untrusted libraries: /nix/store/9wvss92s8hd5pn8n3ksgqfhinlk55hcp-libX11-1.7.2/lib/libX11-xcb.so.1.0.0
INFO 2022-03-24T17:15:00.504 main(ThreadId(1)) [1P:foundation/op-linux/src/bin/keyring_helper.rs:133] initalizing keyring helper
ERROR 2022-03-24T17:15:00.506 main(ThreadId(1)) [1P:foundation/op-binary-support/src/linux.rs:237] parent process contained untrusted libraries: /nix/store/9wvss92s8hd5pn8n3ksgqfhinlk55hcp-libX11-1.7.2/lib/libX11-xcb.so.1.0.0
INFO 2022-03-24T17:15:41.053 main(ThreadId(1)) [1P:foundation/op-linux/src/bin/keyring_helper.rs:133] initalizing keyring helper
ERROR 2022-03-24T17:15:41.055 main(ThreadId(1)) [1P:foundation/op-binary-support/src/linux.rs:237] parent process contained untrusted libraries: /nix/store/9wvss92s8hd5pn8n3ksgqfhinlk55hcp-libX11-1.7.2/lib/libX11-xcb.so.1.0.0
INFO 2022-03-24T17:19:21.397 main(ThreadId(1)) [1P:foundation/op-linux/src/bin/keyring_helper.rs:133] initalizing keyring helper
ERROR 2022-03-24T17:19:21.399 main(ThreadId(1)) [1P:foundation/op-binary-support/src/linux.rs:237] parent process contained untrusted libraries: /nix/store/9wvss92s8hd5pn8n3ksgqfhinlk55hcp-libX11-1.7.2/lib/libX11-xcb.so.1.0.0
INFO 2022-03-24T17:37:13.313 main(ThreadId(1)) [1P:foundation/op-linux/src/bin/keyring_helper.rs:133] initalizing keyring helper
ERROR 2022-03-24T17:37:13.315 main(ThreadId(1)) [1P:foundation/op-binary-support/src/linux.rs:237] parent process contained untrusted libraries: /nix/store/9wvss92s8hd5pn8n3ksgqfhinlk55hcp-libX11-1.7.2/lib/libX11-xcb.so.1.0.0
```
Phew, this forum is wearing me out - please extend the max post size when using the code tag, or allow file attachments (if the MIME type is text).
- Former Member
@DAlperin thx for the suggestion, I thought this was already resolved, as I saw in the PR this is done with the programs._1password-gui.polkitPolicyOwners value in the module. (I cherry-picked the commits locally.)
I also tried it with the following now:
```
programs._1password-gui = {
  enable = true;
  groupId = 5001;
  package = pkgs._1password-gui.override ({ polkitPolicyOwners = [ "sebtm" ]; });
  polkitPolicyOwners = [ "sebtm" ];
};
```
But system authentication (unlocking 1Password with the fingerprint, like unlocking i3lock-color, which already works) still doesn't work: the screen just shakes as if it's not recognizing the fingerprint, but compared (I would guess) it takes too little time to really use/check the device.
- Former Member
@SebTM Wherever you install 1Password (home.packages, systemPackages, etc.) replace `_1password-gui` or `pkgs._1password-gui` with
```
pkgs._1password-gui.override ({ polkitPolicyOwners = [ "YOURUSERHERE" ]; })
```
but replace YOURUSERHERE with your username (add any other users of the system you want it to work with as well) and let me know if it works.