SSH agent: don't prompt for authorization when vault is unlocked

Hi, trying out the new SSH agent. I am noticing it prompts in the app to accept every time it is used. I would prefer to use it if the vault is unlocked. This probably could be a toggleable feature for folks that want more security, but I don’t think it is desirable to keep having to prompt for this.

Coming from using KeePassXC on WIN/Linux/Mac, and SSH agent integration is the only reason I still have that around.

19 Likes

@alf Welcome to the forum!

… and so, your feature request would be that the SSH agent should keep prompting for authorization? (that’s more or less the title of your request)

It’s the opposite actually, I do not wish BW to prompt if the vault is unlocked, just use the keys.

Doesn’t seem like I can change the title. I posted my issue instead of the desired feature I guess.

… I just renamed the title… It now represents more what your request actually is… Hope it is okay like this.

1 Like

To add a use case: Many Git GUI tools periodically fetch data in the background. Every time this happens, Bitwarden will pop up into the foreground stealing focus.

6 Likes

Also, when working with Linux on a console, you type ssh Server and suddenly Bitwarden opens, which makes working difficult if you work with many servers in a short time.

I can’t vote, but a +1 on this. I use VS Code a lot and it tries to keep the git repositories up-to-date in the background requiring me to hit “authorize” every time.
On top of that, when Bitwarden is open on a different desktop (Linux) it doesn’t steal focus automatically so I’m sometimes waiting for a git push that seems to hang, only realizing after 10 seconds I have to go to Bitwarden to authorize.

I’m now going to switch back to the standard ssh-agent to avoid this.

4 Likes

I registered specifically to comment on this issue. Whenever I leave lazy-git open in one tab, and it checks for commits in the background, Bitwarden steals the focus, causing a pop-up to appear. This occurs frequently and is quite frustrating.

I was pretty surprised to see the functionality as well, and it pretty much limits the usefulness of this feature.

I would upvote but I don’t know the Discourse ritual to perform to get votes.

1 Like

Have similar experience/issue as @Remco_Beckers.
Would love this.
I’m also using periodic fetch on repos.
Also vscode itself does periodic ssh check while connected via remote-ssh - when working on remote machine bitwarden pops-up asking for authorization every few minutes.

2 Likes

Same here. Joined the community to raise my voice. Can’t vote, but the introduction of the ssh-agent earlier this year excited me, I even gave up the TouchID authentication for the browser extension in MacOS so I could use this feature as it’s not available in the App Store version.

There should be a way to allow list clients or destinations to avoid this break in user flow. Sometimes the BW app would steal focus, sometimes it won’t. As others have mentioned, VSCode, in particular, is triggering the popup a lot.

1 Like

I too registered to voice my support. The number of times I try to ssh into a server and think something is wrong only to notice that bitwarden is waiting on another monitor for confirmation. If there is a security reason for this, could we get an option to play a sound when bitwarden needs attention? At least then I’d hear a unique sound that would remind me that bitwarden is waiting.

I figured I would get into the habit of being ready to accept, but a few months in and I still forget sometimes. As others have said, VSCode will try to auth at random so you aren’t even expecting to have to click accept.

1 Like

On VScode, if you disable the automatic git fetch in settings, it will reduce those background connections

1 Like

Similarly to others, I just registered to support this. Super nice to have the feature, but having this pop up regularly makes it more cumbersome than it needs to be.

3 Likes

Can you try the following to cache the key?

```
# keychain prints shell variable assignments; eval them in the current shell
eval "$(keychain --quiet --eval --agents ssh id_ed25519)" 2>&1 >/dev/null
```

Here is a patch to disable the popup.

diff --git a/apps/desktop/src/autofill/services/ssh-agent.service.ts b/apps/desktop/src/autofill/services/ssh-agent.service.ts
index 6522ef1950..d4cefa70dd 100644
--- a/apps/desktop/src/autofill/services/ssh-agent.service.ts
+++ b/apps/desktop/src/autofill/services/ssh-agent.service.ts
@@ -165,20 +165,7 @@ export class SshAgentService implements OnDestroy {
               .signRequestResponse(requestId, false)
               .catch((e) => this.logService.error("Failed to respond to SSH request", e));
           }
-
-          const cipher = ciphers.find((cipher) => cipher.id == cipherId);
-
-          ipc.platform.focusWindow();
-          const dialogRef = ApproveSshRequestComponent.open(
-            this.dialogService,
-            cipher.name,
-            application,
-            isAgentForwarding,
-            namespace,
-          );
-
-          const result = await firstValueFrom(dialogRef.closed);
-          return ipc.platform.sshAgent.signRequestResponse(requestId, result);
+          return ipc.platform.sshAgent.signRequestResponse(requestId, true);
         }),
         takeUntil(this.destroy$),
       )
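
Review bot: The added `return ipc.platform.sshAgent.signRequestResponse(requestId, true);` approves every signing request unconditionally, including those where `isAgentForwarding` is true, and nothing in the hunk gates it behind a user setting. The removed block was also the only place in this hunk where `application`, `namespace` and the cipher name were shown to the user, so after this change any local process that can reach the agent socket gets a signature from an unlocked vault with no visible trace. Suggest keeping the `ApproveSshRequestComponent` dialog as the default path, skipping it only when an opt-in setting is enabled, and still prompting when `isAgentForwarding` is set. If the dialog call is removed anyway, check whether `ApproveSshRequestComponent` and `firstValueFrom` are still used elsewhere in the file and drop the imports if not.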

2 Likes

Great, but I don’t think a patch is what we’re looking for.

An option to always allow access to a specific / to all key(s) should probably be a feature. That, or keeping it available for a specifiable time, like 20 mins (which is what openssh’s ssh-agent does iirc)

1 Like

This is the single biggest detriment to using Bitwarden for me: the incessant interruptions to reacknowledge use of a key. This adds incredible friction to all sorts of workflow.

Please enable either the ability to approve once and continue until reset/lock (that setting already exists), or at least allow a timer to cache approval.
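
One way to model the "approve once until lock, or for a fixed time" behaviour requested in the posts above, as an added example that is not Bitwarden's code. The `ApprovalCache` class and the `ttlMs` setting are hypothetical; the request fields reuse the variable names visible in the patch, and always prompting for forwarded requests is an assumption of this example.

```typescript
// Added illustration, not Bitwarden code. Field names mirror the patch's variables.
interface SignRequest {
  cipherId: string; // vault item holding the SSH key
  application: string; // requesting process, as shown in the prompt
  isAgentForwarding: boolean;
}

class ApprovalCache {
  private approvedAt = new Map<string, number>();
  private ttlMs: number; // hypothetical user setting, e.g. 20 minutes
  private now: () => number;

  constructor(ttlMs: number, now: () => number = Date.now) {
    this.ttlMs = ttlMs;
    this.now = now;
  }

  // Approvals are scoped to one key used by one application.
  private key(r: SignRequest): string {
    return JSON.stringify([r.cipherId, r.application]);
  }

  // True when the request may be signed without showing the dialog.
  isPreApproved(r: SignRequest): boolean {
    if (r.isAgentForwarding) return false; // assumption: forwarded requests always prompt
    const t = this.approvedAt.get(this.key(r));
    if (t === undefined) return false;
    if (this.now() - t >= this.ttlMs) {
      this.approvedAt.delete(this.key(r)); // expired: fall back to prompting
      return false;
    }
    return true;
  }

  // Record the user's answer from the dialog; denials are never cached.
  record(r: SignRequest, approved: boolean): void {
    if (approved && !r.isAgentForwarding) {
      this.approvedAt.set(this.key(r), this.now());
    }
  }

  // Call when the vault locks so approvals never outlive the unlocked session.
  clear(): void {
    this.approvedAt.clear();
  }
}
```

With a very large `ttlMs` this behaves as "approve once until lock"; a background `git fetch` from an already approved application is then signed silently, while a new application or a forwarded request still raises the dialog.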

Can’t believe I’m reading a post about this, this should already have a solution!!! Fix this please! It’s annoying, I get this popped up 3 times per ssh because of my nicely configured ssh config with wildcards.

1 Like

I have just switched to using Bitwarden’s SSH agent, but this restriction makes it completely impossible to use.

Usages like ansible will require dozens if not hundreds of ssh executions for a moderately sized playbook or host pool.