Skip to main content
stoutZero
July 21, 2025
Solved

1Password ssh agent & ssh key on disk

  • July 21, 2025
  • 3 replies
  • 379 views

Hi,

I have enabled 1Password ssh agent, and checked that 1Password touch id prompt is showing up & working when I connected to a different machine via ssh.

 

*Tangent:

Why is pasting in this textarea so annoying? Was trying to change multiple "1P" into "1Password" by  selecting it, then pasting into it; but I have to paste it, undo, then paste it again; when I pasted something without selecting anything, a newline was inserted before and after the thing I pasted

 

I also see that 1Password Watchtower listed these two warnings: "Unencrypted" & "Already in 1Password" for every ssh key I have in `~/.ssh/keys`.

Wanting to please the Watchtower, I then moved away all the keys in `~/.ssh/keys`, but somehow ssh now asked for password?

I then replicate the keys but with no content, ssh still asks for password.

When I moved back all the keys, only then 1Password TouchId prompt work again.

Am I doing something wrong? I'm expecting that I don't actually need the ssh keys physically on disk when I used 1Password's ssh agent.

I checked `~/.ssh/config` file, and it did have the neccessary `IdentityAgent` config.

I guess I just don't quite understand how 1Password's ssh agent is supposed to work.

The information on 1Password's ssh agent in the documentation is rather minimum.

Any help and / or clarification would be appreciated.

Thanks.

Best answer by floris_1P

Hey @stoutZero, you can in fact use `IdentitiesOnly yes` + `IdentityFile` with the 1Password SSH agent, but then point `IdentityFile` to the public key instead of the private key. The private key can be stored in 1Password with only the .pub file on disk.

3 replies

July 21, 2025

Hi @stoutZero ,

Thanks for writing in.  The authentication pattern should be independent of the SSH Key situation. Would you be able to send us a note at mailto:support@1password.com ?

Thanks,
Phil

stoutZero
stoutZeroAuthor
July 22, 2025

Done

stoutZero
stoutZeroAuthor
July 22, 2025

After mailing the 1Password's support, Juraj Stolc (CX Technical Representative) told me that the `IdentitiesOnly yes` in my local ssh config is preventing me from deleting my local ssh keys.

I then have to remove the `IdentityFile` key for each hosts.

But the point of having `IdentityFile` for each hosts is so that:

  1. No single ssh key leak will expose all of my remote machines to attackers
  2. Enables SSH agent to just offer a single ssh key to a single remote machine

 

I tried removing `IdentitiesOnly` & `IdentityFile` for a single VPS in a different country.

The result? `fail2ban` in that VPS blocked my ip because 1Password tried to offer all 70+ of my SSH keys.

I have had to remove the blacklist via a web based console, which is not a pleasant experience.

Disclaimer:

This is not me disparaging the use of 1Password's ssh agent, if it works for you go for it :)

For me, I have had to keep 60+ ssh keys for my client's machines, including bare metal ones, because they don't have a password manager (and because they're not a devops person). And another 10 ssh keys for my own machines.

I don't actually have 70 machines that I manage on a daily basis. The fact that 1Password's ssh agent cannot perfectly replicate this configuration in my local ssh config:

# connect using: `ssh file1` in your terminal
Host file1
	User user1
	HostName 10.90.1.1
	Port 22
	IdentityFile ~/.ssh/keys/user1@file1

# connect using: `ssh file12` in your terminal
Host file12
	User user2
	HostName 10.90.1.1
	Port 22
	IdentityFile ~/.ssh/keys/user2@file1

is a deal breaker for me.

Anyway, thank you @1P_Phil & Juraj Stolc for your replies

Cya.

floris_1P
floris_1PAnswer
1Password Employee
July 23, 2025

Hey @stoutZero, you can in fact use `IdentitiesOnly yes` + `IdentityFile` with the 1Password SSH agent, but then point `IdentityFile` to the public key instead of the private key. The private key can be stored in 1Password with only the .pub file on disk.

stoutZero
stoutZeroAuthor
July 24, 2025

Yep! That works!

Right now there are no ssh private keys on disk, which is exactly what I wanted.

Thanks.