Problem:
Currently, approving SSH requests in Bitwarden requires unlocking the entire vault. Once unlocked, the vault remains open until it timeouts or is explicitly relocked. In environments where the SSH agent feature is used frequently, this results in the vault staying unlocked far longer than necessary, increasing the risk of unintentionally exposing our own passwords (e.g., in public places)
Proposed Improvement:
I believe a more correct workflow would be to allow the user to authenticate and approve SSH requests without unlocking the full vault. This would separate SSH authentication from password vault access, even though both actions would still rely on the same underlying credentials (e.g., master password or biometric verification).
Benefits:
- Principle of least privilege:
When users verify an SSH request, they do not necessarily intend to access the passwords stored in the vault. This change would respect functional separation and reduce overexposure. - Reduced risk of accidental exposure:
Limiting the access to the full vault when this is not required prevents the unintended exposure of sensitive data such as passwords, or OTPs. - User experience consistency:
Users are explicitly asked to input the password when an ssh request needs to be verified. Thus, their expectation is that the authentication is only finalized at the approval of that request.