Forum Discussion

Former Member's avatar
Former Member
3 years ago

Agent doesn't work with Git inside a Node.js script using a SSH + SSO key on GitHub

I've been trying to switch to using the 1P SSH Agent full-time and while it's working great for my regular servers' SSH and commit signing, the SSH Git(Hub) connections are giving me issues when git is ran from/by a Node.js script when using a key in a repo that uses https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/authorizing-an-ssh-key-for-use-with-saml-single-sign-on

The problem

Considering the following SSH config:
```
Host *
IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

Host github.com
IdentityFile ~/.ssh/keys/github.pub
```

Where github.pub is the public key of an SSH key from my vault.

Using the git CLI in a regular context (fish shell 3.5.1 in iTerm2 3.5.0beta9) works fine and prompts the Agent like expected:

However, running inside the same repo but using the git command inside a script causes an error. Considering the following script:
```
import { exec } from "child_process";

(async () => {
exec(
'GIT_SSH_COMMAND="ssh -v" git pull',
{ cwd: process.cwd() },
console.log
);
})();
```

yields the following error when ran


debug1: SSH2_MSG_EXT_INFO received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/damien/.ssh/keys/github.pub ED25519 SHA256:4qAKLnbwSPfhZggpEDaJRo5SQe982Do8A6vOS6jAcEM explicit agent
debug1: Server accepts key: /Users/damien/.ssh/keys/github.pub ED25519 SHA256:4qAKLnbwSPfhZggpEDaJRo5SQe982Do8A6vOS6jAcEM explicit agent
sign_and_send_pubkey: signing failed for ED25519 "/Users/damien/.ssh/keys/github.pub" from agent: agent refused operation
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

With those interesting warnings in 1Password's log file when the script runs


WARN 2023-01-06T20:16:59.064 tokio-runtime-worker(ThreadId(6)) [1P:ssh/op-session-info/src/macos.rs:37] no top level process found, launchd is missing from process tree
WARN 2023-01-06T20:16:59.064 tokio-runtime-worker(ThreadId(6)) [1P:ssh/op-ssh-agent/src/lib.rs:426] Unable to get client_info for pid: 1077

My current (hacky) workaround

After battling for two days with my SSH config file I figured out a workaround. It's not pretty but it works fine:

  • Remove the Git bit from my main ssh config
  • Create another config file in .ssh, named config-git
  • Put the Git bit from before in that newly created file
  • Set the GIT_SSH_COMMAND value to ssh -F ~/.ssh/config-git
  • Export the private key of my Git SSH key
  • Run ssh-add --apple-use-keychain <path_to_key_file>
  • Now both a regular git pull and the script above works.

1Password Version: 1Password for Mac 8.9.12 (80912004)
Extension Version: Not Provided
OS Version: macOS 13.1
Browser:_ Not Provided

SSH

12 Replies

Show More
  • Former Member's avatar
    Former Member
    3 years ago

    Is this your full script or a minimal reproduction - is the environment via process.env passed along the full chain so things like DBUS_SESSION_BUS_ADDRESS env var available? You can obviously test this easy enough , try to diff the env output for times it works and times it doesnt

    ```
    exec(
    'env',
    { cwd: process.cwd() },
    console.log
    );

    ```

    btw, its kind of a guess that its DBUS_SESSION_BUS_ADDRESS based on

  • Former Member's avatar
    Former Member
    3 years ago

    It seems i can't edit my message but, after testing some more, the default configuration (one single file and the 1P agent globally) sometimes work and sometimes doesn't. It might work on one run of the script above but then won't on another one. It's all very weird.