Ryan_Parman
February 24, 2022
Question

[Feature Request] Using 1P SSH from inside a local Docker container

  • February 24, 2022
  • 39 replies
  • 6393 views

My team and I regularly use Docker for lightweight local environments that are pre-configured with things we need to develop that project. (It helps avoid things like "works on my machine".) If I need to work on a Terraform module, I can launch the Docker environment that has all the tools I need pre-installed and ready-to-go, and I can make my changes, run tests, and perform all sorts of general software development tasks. When I'm done, I press Ctrl+D.

We can easily read specific environment variables from the host environment and pass them into the Docker environment (e.g., AWS credentials, Terraform variables), and for Git, we can mount the local SSH directory into the container in read-only mode so that we can fetch and push (-v ~/.ssh:/root/.ssh:ro) to GitHub Enterprise.

Herein lies the problem with migrating the SSH keys into 1Password and not having them on-disk. There's nothing to mount, and 1Password only runs on the host. The low-fi solution is to keep my SSH keys on-disk for Docker, while copying them into 1P for use with that SSH agent, but then what's the point of using 1Password SSH?

A higher-fi solution (since this is desktop-use Docker, not for deployment) would be the ability to mount a Unix socket from the host into the Docker container, and have some kind of tiny agent built for Linux (namely Alpine Linux) that can run and facilitate whatever signals need to be sent, so that when I run git pull inside the Docker container, this agent sends a signal to 1Password on the host asking for authentication.


1Password Version: 80600043 (beta channel)
Extension Version: N/A
OS Version: macOS 12.3β

39 replies

March 25, 2023

Okay, got to the bottom of it - it's my Docker container not using the right OpenSSH.

@Jack_P_1P here is my host file, FYI:

Host *
IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
ForwardAgent yes

Steps I did to fix this:
1. install openssh-server via Dockerfile

FROM python
RUN apt-get update \
&& apt-get install -y --no-install-recommends build-essential openssh-server

2. Open VS Code via this method: https://developer.1password.com/docs/ssh/agent/compatibility#ssh-auth-sock

$ export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock
$ open -a /Applications/Visual\ Studio\ Code.app
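The original request (forward the host agent into the container instead of mounting keys) and the steps above (agent socket on the host, SSH_AUTH_SOCK pointed at it, OpenSSH inside the container) can be tied together in one script. This is an added example, not code from the thread or from 1Password; the 1Password socket path is the one quoted above, the /run/host-services/ssh-auth.sock path is Docker Desktop's host agent socket (an assumption about Docker Desktop on macOS; on native Linux the host's own $SSH_AUTH_SOCK is bind-mounted instead), and the `launchctl setenv` step is one way to make launchd-started apps see the socket, not necessarily the exact step the 1Password docs describe.

```shell
#!/bin/sh
# Added example, not code from the thread: run a local dev container that
# signs with the host's 1Password SSH agent over a forwarded Unix socket,
# so no private key is ever mounted or copied into the container.

# 1Password agent socket on the macOS host (path quoted in the thread).
OP_AGENT_SOCK="$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

# Docker Desktop on macOS exposes the agent that launchd's SSH_AUTH_SOCK names
# at this fixed path inside its Linux VM (assumption: Docker Desktop feature;
# on native Linux the host's own $SSH_AUTH_SOCK is bind-mounted instead).
DD_HOST_AGENT_SOCK="/run/host-services/ssh-auth.sock"

# Path the agent socket will have inside the container.
CONTAINER_SOCK="/ssh-agent"

# launchd_setenv_cmd: print the command that lets launchd-started apps
# (Docker Desktop, VS Code opened from the Dock) inherit the agent socket.
# launchctl setenv exists; that it is the exact step 1Password documents
# is an assumption.
launchd_setenv_cmd() {
    printf 'launchctl setenv SSH_AUTH_SOCK "%s"\n' "$OP_AGENT_SOCK"
}

# host_agent_socket: choose the host-side socket to forward.
host_agent_socket() {
    if [ "$(uname -s)" = "Darwin" ]; then
        printf '%s\n' "$DD_HOST_AGENT_SOCK"
    else
        printf '%s\n' "${SSH_AUTH_SOCK:-}"
    fi
}

# agent_socket_ok PATH: succeed only if PATH is non-empty and a Unix socket.
# A missing socket is the usual reason git/ssh hang inside the container.
agent_socket_ok() {
    [ -n "$1" ] && [ -S "$1" ]
}

# docker_agent_args HOST_SOCK: print, one per line, the `docker run` flags that
# bind-mount HOST_SOCK at $CONTAINER_SOCK and point SSH_AUTH_SOCK at it.
docker_agent_args() {
    printf -- '-v\n%s:%s\n-e\nSSH_AUTH_SOCK=%s\n' "$1" "$CONTAINER_SOCK" "$CONTAINER_SOCK"
}

# run_dev_shell IMAGE [CMD...]: start the container with the agent forwarded.
# Inside it, `ssh-add -l` should list the host's keys and `git pull` should
# raise 1Password's authorization prompt on the host; the container itself
# only ever sees signatures, never key material.
run_dev_shell() {
    image="$1"; shift
    [ $# -eq 0 ] && set -- sh
    sock="$(host_agent_socket)"
    if ! agent_socket_ok "$sock"; then
        echo "no agent socket at '$sock'; try: $(launchd_setenv_cmd)" >&2
        return 1
    fi
    docker run --rm -it \
        -v "$sock:$CONTAINER_SOCK" \
        -e "SSH_AUTH_SOCK=$CONTAINER_SOCK" \
        "$image" "$@"
}
```

Usage: source the script and call `run_dev_shell my-dev-image`; the image must contain an OpenSSH client, which is what the Dockerfile step above provides. If the socket check fails on macOS, Docker Desktop has not inherited SSH_AUTH_SOCK from launchd, and the printed `launchctl setenv` command (followed by restarting Docker Desktop) is the first thing to try.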

May 24, 2023

Seems there's something funky with both 1Password and Docker.
I can add the export SSH_AUTH_SOCK to my ~/.zshrc, but I still need to open Docker with open -a Docker in order to properly be able to forward the SSH keys.

floris_1P
1Password Employee
May 26, 2023

@coolgoose That's because Docker for Mac is managed by launchd and will inherit the launchd environment rather than the zsh environment. So in other words: launchd needs to be aware of the socket, which requires an additional setup step, described here.

May 26, 2023

The problem is that if I specify SSH_AUTH_SOCK to the 1Password one, the gcloud auth + Docker helper doesn't work anymore :)

floris_1P
1Password Employee
May 26, 2023

What issue are you then encountering with the gcloud Docker helper?

May 26, 2023

I can't pull any images from the internal registry. My best bet right now to have everything fully working is the following:


Host *
IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
ForwardAgent yes
Host *
IgnoreUnknown AddKeysToAgent,UseKeychain
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/id_rsa

September 22, 2023

The agent integration with Docker works fine for me (using the SSH_AUTH_SOCK volume and env var), but 1Password is not correctly prompting for unlocking.

With ssh -vv I could see the keys were accepted by the server, but SSH timed out while waiting for the agent. That led me to the 1Password logs, where I saw entries similar to this:


INFO 2023-09-22T16:41:36.526 tokio-runtime-worker(ThreadId(3)) [1P:ssh/op-ssh-agent/src/lib.rs:538] Notifying user through tray icon that they have a background prompt waiting

But I was seeing no unlock prompts... So I checked (clicked) 1Password in the top menu bar, and there I saw a message about the pending SSH authorization (I don't recall exactly the message).

After clicking that, the unlock prompt showed up; I authorized it, and everything worked.

Looks like a bug, to me: I shouldn't have to click the menu bar icon for that...

floris_1P
1Password Employee
September 25, 2023

@tavlima Which OS are you on?

October 26, 2023

Hi all, I have followed this discussion entirely, but I am still not able to reproduce or make this work.

My host is Windows and the container is Linux. I'm not sure if anyone else here was trying this setup? I see the majority of people are either on Mac -> Linux or Windows -> Windows... I'm not sure how I can mount the named pipe //./pipe/openssh-ssh-agent to the container in a way that makes sense...