Getting started with 1Password for your growing team, or refining your setup? Our Secured Success quickstart guide is for you.
Forum Discussion
Agent doesn't work with Git inside a Node.js script using a SSH + SSO key on GitHub
I've been trying to switch to using the 1P SSH Agent full-time and while it's working great for my regular servers' SSH and commit signing, the SSH Git(Hub) connections are giving me issues when git is ran from/by a Node.js script when using a key in a repo that uses https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/authorizing-an-ssh-key-for-use-with-saml-single-sign-on
The problem
Considering the following SSH config:
```
Host *
IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
Host github.com
IdentityFile ~/.ssh/keys/github.pub
```
Where github.pub is the public key of an SSH key from my vault.
Using the git CLI in a regular context (fish shell 3.5.1 in iTerm2 3.5.0beta9) works fine and prompts the Agent like expected:
However, running inside the same repo but using the git command inside a script causes an error. Considering the following script:
```
import { exec } from "child_process";
(async () => {
exec(
'GIT_SSH_COMMAND="ssh -v" git pull',
{ cwd: process.cwd() },
console.log
);
})();
```
yields the following error when ran
debug1: SSH2_MSG_EXT_INFO received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/damien/.ssh/keys/github.pub ED25519 SHA256:4qAKLnbwSPfhZggpEDaJRo5SQe982Do8A6vOS6jAcEM explicit agent
debug1: Server accepts key: /Users/damien/.ssh/keys/github.pub ED25519 SHA256:4qAKLnbwSPfhZggpEDaJRo5SQe982Do8A6vOS6jAcEM explicit agent
sign_and_send_pubkey: signing failed for ED25519 "/Users/damien/.ssh/keys/github.pub" from agent: agent refused operation
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.
With those interesting warnings in 1Password's log file when the script runs
WARN 2023-01-06T20:16:59.064 tokio-runtime-worker(ThreadId(6)) [1P:ssh/op-session-info/src/macos.rs:37] no top level process found, launchd is missing from process tree
WARN 2023-01-06T20:16:59.064 tokio-runtime-worker(ThreadId(6)) [1P:ssh/op-ssh-agent/src/lib.rs:426] Unable to get client_info for pid: 1077
My current (hacky) workaround
After battling for two days with my SSH config file I figured out a workaround. It's not pretty but it works fine:
- Remove the Git bit from my main ssh config
- Create another config file in
.ssh, namedconfig-git - Put the Git bit from before in that newly created file
- Set the
GIT_SSH_COMMANDvalue tossh -F ~/.ssh/config-git - Export the private key of my Git SSH key
- Run
ssh-add --apple-use-keychain <path_to_key_file> - Now both a regular
git pulland the script above works.
1Password Version: 1Password for Mac 8.9.12 (80912004)
Extension Version: Not Provided
OS Version: macOS 13.1
Browser:_ Not Provided
12 Replies
Jack_P_1P1Password Team
Hey @Eramdam:
Glad to hear it! Let us know how it goes. 🙂
Jack
- Jack_P_1P
Hi @Eramdam:
Thanks for following up, and I'm sorry that you had to revert to the regular SSH agent here. As Peter mentioned, we're actively working on improvements here.
Jack
1P_PeterGCommunity Manager
HI @sitepodmatt, I'm sorry to learn that the SSH agent hasn't met your needs. There are some improvements coming which we hope will improve your experience substantially. Stay tuned for updates ahead - we'll be happy to have your feedback.
Suggestion. 1password ssh-agent is a buggy disaster, possibly on-par with 1pw v8 ios faceid ongoing saga..
create an ssh-agent per invocation, read in the required key, launch node (the env is ready here with SSH_AUTH_SOCK) and key added, run your script, kill the temporal ssh-agent, job done - no depedency on the terrible 1pw ssh-agent
e.g. a shell script like this call push.sh
```
!/bin/bash
eval
ssh-agent
ssh-add <(op read "op://Personal/BitbucketKey/private key")
node myscript.js
kill "$SSH_AGENT_PID"
```Note
op(1pw clumsy CLI) doesn't have a local cache like bitwarden's so expect an extra ~second latency here. No need for any other 1pw crap on your CI/CD box other than CLI tool . Good luck, lmk if any questionsRemove the remote API dependency if you migrate to Bitwarden
Okay so: regular
gitoperations within the affected repos work fine with the default configuration but runninggitinside the provided simple Node script still fails randomly.The deploy script we use at work basically does this
```ts
import {exec} from 'child_process';(async () => {
exec('git rev-parse ....', {cwd: process.cwd()}, () => {
exec('git fetch ...', {cwd: process.cwd()}, () => {
exec('git log ...', {cwd: process.cwd()}, () => {
exec('git push origin foo:bar', {cwd: process.cwd()}, console.log);
});
});
});
})();
```So I'll run into situations where the
git fetchsucceeds but not the finalgit push, or vice versa or sometimes everything will work or sometimes nothing will. I'm starting to think that when it works it's "by accident" because I can't figure out a clear pattern 😞This is all while running 1Password for Mac 8.10.0 (81000012)
