Former Member
4 years ago
SSH agent doesn't gracefully handle Apple Watch sleep mode
In the following scenario:
* Biometric auth is enabled
* I'm using the 1Password ssh agent
* My Apple Watch is asleep because I'm up too late
Instead of gracefully falling back to asking for...
EarthAura
4 years ago
Occasional Contributor
Same issue. It's quite easy to reproduce (although I don't know if these are the exact steps for turingmachine):
1. Both Apple Watch and Touch ID are enabled
2. Put Watch in Sleep mode
3. Open a new terminal window
4. SSH, when presented with the Touch ID dialogue, use the wrong finger until Touch ID
5. Repeat 4 until all Touch ID attempts are depleted
6. Now try SSH, it will notice Touch ID is no longer available, but it does think Apple Watch is available (even though it's in Sleep)
7. The prompt "Approve with Watch to allow this." is shown, but quickly dismissed (by itself) and the error reported by OP is printed (each time the Watch vibrates and unlocks, but that's it)
8. Lock Mac and unlock with password (Your password is required to re-enable Touch ID)
9. SSH, Says "Touch ID or enter your password to allow this." (no longer prompting Watch?)
10. Use Touch ID or password
11. Try to SSH in a new session, only gives you option of "Touch ID now"
12. Goto 3
There's also an annoying issue present in all of the above steps when SSH:ing. The Apple Watch will unlock & vibrate every time, but the option to approve is not present because it's in Sleep mode.
I also think the UI is inconsistent. Why is it not possible to approve via password, even as a fallback? Only in that one specific step? For me, my fingerprints are very bad, they essentially change by the minute so I can't reliably use Touch ID. It'd be nice to have a fallback when my Watch is in Sleep mode, but in most steps it's impossible to reach "enter password" stage.
Here are the logs from 7, although they're not very useful:
ERROR 2022-05-15T23:23:45.195 tokio-runtime-worker(ThreadId(189)) [1P:foundation/op-system-auth/src/apple.rs:135] Biometric unlock failed, system response: AuthenticationFailed
ERROR 2022-05-15T23:23:45.196 tokio-runtime-worker(ThreadId(7)) [1P:op-automated-unlock/src/lib.rs:294] Failed to authorize using system biometry: FailedToUnlockWithKeys(FailedSystemAuthenticationChallenge)
INFO 2022-05-15T23:23:45.196 tokio-runtime-worker(ThreadId(7)) [1P:ssh/op-ssh-agent/src/lib.rs:388] Session was not authorized
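
For triaging reports like the one above, the following added example (not part of the original post and not 1Password code) parses log lines in the format quoted in the post and ties each SSH agent denial to the biometric errors logged just before it. The function names, the 2-second correlation window, and the fourth log line are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# The three lines quoted in the post above.
PAGE_LINES = """\
ERROR 2022-05-15T23:23:45.195 tokio-runtime-worker(ThreadId(189)) [1P:foundation/op-system-auth/src/apple.rs:135] Biometric unlock failed, system response: AuthenticationFailed
ERROR 2022-05-15T23:23:45.196 tokio-runtime-worker(ThreadId(7)) [1P:op-automated-unlock/src/lib.rs:294] Failed to authorize using system biometry: FailedToUnlockWithKeys(FailedSystemAuthenticationChallenge)
INFO 2022-05-15T23:23:45.196 tokio-runtime-worker(ThreadId(7)) [1P:ssh/op-ssh-agent/src/lib.rs:388] Session was not authorized
"""
# Constructed line (not from the post): a later denial with no error before it.
CONSTRUCTED_LINE = "INFO 2022-05-15T23:30:02.410 tokio-runtime-worker(ThreadId(7)) [1P:ssh/op-ssh-agent/src/lib.rs:388] Session was not authorized\n"

LINE_RE = re.compile(
    r"^(?P<level>[A-Z]+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<thread>\S+)\s+"
    r"\[1P:(?P<src>[^\]:]+):(?P<line>\d+)\]\s+"
    r"(?P<msg>.*)$"
)

def parse(text):
    """Return one dict per line that matches the quoted log format."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore lines in any other format
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S.%f")
        events.append(ev)
    return events

def denied_sessions(events, window=timedelta(seconds=2)):
    """For each agent denial, collect the ERROR messages logged within `window` before it."""
    denials = []
    for i, ev in enumerate(events):
        if "op-ssh-agent" not in ev["src"] or "Session was not authorized" not in ev["msg"]:
            continue
        causes = [p["msg"] for p in events[:i]
                  if p["level"] == "ERROR" and timedelta(0) <= ev["ts"] - p["ts"] <= window]
        denials.append({
            "ts": ev["ts"],
            "biometric_failure": any("Biometric unlock failed" in c for c in causes),
            "causes": causes,
        })
    return denials

if __name__ == "__main__":
    for d in denied_sessions(parse(PAGE_LINES + CONSTRUCTED_LINE)):
        print(d["ts"].isoformat(), "biometric_failure=%s" % d["biometric_failure"], d["causes"])
```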