Forum Discussion

perhlom
New Contributor
2 months ago

SSH Agent signs out too soon

It's frustrating that the SSH Agent signs out when the computer itself locks. SSH Agent should have its own timeout.

The use case is that I start AI training jobs that run on a Vast.AI GPU, and after a few hours of training, I need to download output artifacts and model checkpoints with rsync, which uses SSH.

But because the SSH Agent locks when 1Password locks, I come back after a 4 hour GPU training job to find a 1Password password prompt, and a failed rsync download.

At this point, the GPU server has long since been shut down, and the whole job has been lost. Unless I'm sitting in front of the computer exactly when the job finishes, the artifact download will never be downloaded.

The only available workarounds are:

  1. Changing the 1Password lock timeout to 4 or 8 hours, a drastic reduction in security.
  2. An awkward and unnecessary round-trip to S3, which also means leading some credentials to the GPU server (Vast.AI servers are third-party spare GPU time, and I'm not comfortable sending credentials). And it's way less convenient.
  3. Dropping 1Password and storing the Cert unencrypted in WSL. I can't run the WSL SSH-Agent, because the socket is routed to 1Password on the Windows side.

This compromise stinks, and it's only because the SSH key locks out when 1Password locks.

SSH Agent should have its own timeout independent of the 1Password UI lock. Long-running bash scripts are commonplace. This could be any backup or computation that needs to upload via SSH after several hours. 1Password is totally dead in the water for this, unless you drastically reduce all security, either with unencrypted certs, or a 1Password lock time so long that security is meaningless.

I thought for a while that this was because of Bash sub-shells, and the "Application" setting in the developer panel in SSH Agent. But even inside of the same shell, if I reduce the 1Password lock time to 1 minute, any SSH activity after that will promptly fail. It's terrible that you have to set the 1Password UI lock to match the longest Bash script you'll ever run, which can be hours.

2 Replies

  • Hi perhlom,

    Thanks for writing in. I will do some sleuthing internally here to see if there is a workaround for you in this situation. I'll write back as soon as I hear something.

    Regards,
    Phil

    • jhundley
      New Contributor

      I would like to add that I have recently started using 1Password for business and immediately was attracted to using 1Password to store my SSH private keys as it simplifies a whole lot of things. But here I am a few days after getting going with it and end up on the same recent community request for the same feature I'm looking for.

      +1 this from me! 

      I have somewhat worked around this by enabling a persistent SSH connection to the server, so the SSH key doesn't get revalidated unless the persistent connection closes. I use these settings in my SSH config:

              ControlMaster auto
              ControlPath ~/.ssh/ssh-%r@%h:%p
              ControlPersist 1800
              ForwardAgent yes
              ServerAliveInterval 10
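
The connection-reuse workaround from the reply above, written out as a script for the long-running job described in the original post. This is an added example, not code from either poster or from 1Password; the function names, the `6h` persist value, the socket directory and the host arguments are assumptions. It leaves agent forwarding off, since the rsync download does not need it.

```shell
#!/bin/sh
# Added example (hypothetical helper names; host, port and paths are placeholders).
# Authenticate once while the agent is unlocked, then reuse that connection later.
# Assumes OpenSSH 6.7+ (for %C) and a MUX_DIR path without spaces.

MUX_DIR="${MUX_DIR:-$HOME/.ssh/mux}"   # private directory for control sockets
MUX_PERSIST="${MUX_PERSIST:-6h}"       # idle lifetime; must outlast the longest job

# Options shared by every call, one per line.
mux_opts() {
    printf '%s\n' \
        "-oControlPath=$MUX_DIR/%C" \
        "-oControlPersist=$MUX_PERSIST" \
        "-oServerAliveInterval=30" \
        "-oForwardAgent=no"
}

# mux_open user@host [port]: start the background master (agent prompt happens here).
mux_open() {
    mkdir -p "$MUX_DIR" && chmod 700 "$MUX_DIR" || return 1
    ssh $(mux_opts) -oControlMaster=auto -p "${2:-22}" -fN "$1"
}

# mux_alive user@host [port]: succeeds only if the master is still running.
mux_alive() {
    ssh $(mux_opts) -p "${2:-22}" -O check "$1" >/dev/null 2>&1
}

# mux_fetch user@host port remote_path local_dir: rsync over the existing master.
mux_fetch() {
    if ! mux_alive "$1" "$2"; then
        echo "no live master for $1; unlock the agent and run mux_open again" >&2
        return 2
    fi
    rsync -a --partial -e "ssh $(mux_opts | tr '\n' ' ') -p $2" "$1:$3" "$4"
}

# mux_close user@host [port]: tear the master down as soon as the download is done.
mux_close() {
    ssh $(mux_opts) -p "${2:-22}" -O exit "$1"
}
```

While the master is up, any process running as the same local user can open sessions through the control socket without touching the agent, so run `mux_close` as soon as the download finishes.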