July 14, 2025
Solved

How do I use the SSH agent in headless Linux?

  • July 14, 2025
  • 5 replies
  • 709 views

I want to clone a Git repository that needs SSH authorization. On my desktop this is straightforward: I have the 1Password app installed and the SSH agent enabled in its settings. git clone with an SSH URL makes the desktop app prompt me for approval and I get connected properly.

However I want to clone a repository in a Debian Linux LXC. It does not have any GUI installed; I can only connect to it via a shell. I have the 1Password CLI app op installed and connected properly because op vault list works. However I cannot use the SSH agent:

# ssh-add -l
Could not open a connection to your authentication agent.

My ~/.ssh/config looks like:

Host *
  IdentityAgent ~/.1password/agent.sock

More context about my CLI installation which is installed from the 1Password Debian repository:

# apt info 1password-cli 
Package: 1password-cli
Version: 2.31.1-2
Maintainer: 1Password <support@1password.com>
Installed-Size: unknown
Homepage: https://agilebits.com/
Vendor: 1Password <support@1password.com>
Download-Size: 6729 kB
APT-Manual-Installed: yes
APT-Sources: https://downloads.1password.com/linux/debian/amd64 stable/main amd64 Packages
Description: The official 1Password command-line tool.

# op --version
2.31.1

I don't have a ~/.1password directory so the agent is not set up or not running. How can I get it running without a GUI to approve its use?

5 replies

July 14, 2025

Hi @kjdsahtdsjighsdkjgs,

You'll need to also install the 1Password Client (as it acts as the interface to your vault from the CLI). I don't have a headless system to test this on at the moment, but the following should get you headed in the right direction. Let me know if you have further questions. ~ Phil

sudo apt install 1password

Then you'll need to replace the existing "IdentityAgent" path in the "~/.ssh/config" file with

Host *
  IdentityAgent ~/.config/1Password/ssh/agent.sock

Then you'll need to manually configure 1Password

mkdir -p ~/.config/1Password/

and create the file "~/.config/1Password/settings.json" and insert

{
  "app.developer.sshAgent": true
}

then authorize using 

op signin

and you should be able to view your vaults

op vault list

finally check that the SSH Agent is working by

ssh-add -l

Finally here are some docs which might help the process
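
An added diagnostic example, not written by anyone in this thread and not 1Password tooling: `ssh-add` ignores `IdentityAgent` in `~/.ssh/config` and only consults the `SSH_AUTH_SOCK` environment variable, so the final `ssh-add -l` check has to be pointed at the socket explicitly. The function name `agent_status` is made up for this example; the two socket paths are the ones quoted in the posts above.

```shell
#!/bin/sh
# Added example: classify why `ssh-add -l` cannot reach an agent socket.
# ssh-add does not read IdentityAgent from ~/.ssh/config; it only uses
# SSH_AUTH_SOCK, so the socket path is passed to it explicitly here.

# agent_status [SOCKET_PATH]   (hypothetical helper name)
# Prints one word: unset | missing | not-socket | unreachable | empty | ok
agent_status() {
    sock=${1:-${SSH_AUTH_SOCK:-}}
    if [ -z "$sock" ]; then
        echo unset; return 0          # no path given and no SSH_AUTH_SOCK
    fi
    # Expand a leading "~/" the way ssh_config would.
    case $sock in
        "~/"*) sock=$HOME/${sock#"~/"} ;;
    esac
    if [ ! -e "$sock" ]; then
        echo missing; return 0        # nothing has created the socket
    fi
    if [ ! -S "$sock" ]; then
        echo not-socket; return 0     # path exists but is not a UNIX socket
    fi
    # ssh-add exit status: 0 = keys listed, 1 = agent reachable but holds
    # no identities, 2 = could not contact the agent.
    rc=0
    SSH_AUTH_SOCK=$sock ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo ok ;;
        1) echo empty ;;
        *) echo unreachable ;;        # stale socket, or ssh-add not installed
    esac
}

# Check both socket paths mentioned in this thread.
for p in "~/.1password/agent.sock" "~/.config/1Password/ssh/agent.sock"; do
    printf '%s: %s\n' "$p" "$(agent_status "$p")"
done
```

A result of `missing` means no process has created the socket at that path; `unreachable` means a socket file exists but nothing answered on it.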

July 14, 2025

I figured that might be the case but I'm worried it'll try to install a whole X environment due to the many dependencies it wants:

# apt install 1password
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  adwaita-icon-theme at-spi2-common at-spi2-core dconf-gsettings-backend dconf-service gnupg2
  gsettings-desktop-schemas gtk-update-icon-cache hicolor-icon-theme libatk-bridge2.0-0 libatk1.0-0
  libatspi2.0-0 libauthen-sasl-perl libavahi-client3 libavahi-common-data libavahi-common3
  libayatana-appindicator1 libayatana-appindicator3-1 libayatana-ido3-0.4-0 libayatana-indicator3-7
  libayatana-indicator7 libclone-perl libcolord2 libcups2 libdata-dump-perl libdbusmenu-glib4
  libdbusmenu-gtk3-4 libdbusmenu-gtk4 libdconf1 libegl-mesa0 libegl1 libencode-locale-perl
  libfile-basedir-perl libfile-desktopentry-perl libfile-listing-perl libfile-mimeinfo-perl
  libfont-afm-perl libfontenc1 libgail-common libgail18 libgles2 libgtk-3-0 libgtk-3-bin
  libgtk-3-common libgtk2.0-0 libgtk2.0-bin libgtk2.0-common libhtml-form-perl libhtml-format-perl
  libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl libhttp-cookies-perl libhttp-daemon-perl
  libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl libice6 libio-html-perl
  libio-socket-ssl-perl libio-stringy-perl libipc-system-simple-perl liblwp-mediatypes-perl
  liblwp-protocol-https-perl libmailtools-perl libnet-dbus-perl libnet-http-perl libnet-smtp-ssl-perl
  libnet-ssleay-perl libnotify4 libnspr4 libnss3 libregexp-ipv6-perl libsm6 libtie-ixhash-perl
  libtimedate-perl libtry-tiny-perl liburi-perl libwww-perl libwww-robotrules-perl
  libx11-protocol-perl libxaw7 libxcomposite1 libxdamage1 libxft2 libxinerama1 libxkbfile1
  libxml-parser-perl libxml-twig-perl libxml-xpathengine-perl libxmu6 libxmuu1 libxt6 libxtst6
  libxxf86dga1 perl-openssl-defaults x11-utils x11-xserver-utils xdg-utils zutty
Suggested packages:
  libdigest-hmac-perl libgssapi-perl colord cups-common gvfs libcrypt-ssleay-perl notification-daemon
  libsub-name-perl libbusiness-isbn-perl libauthen-ntlm-perl libunicode-map8-perl
  libunicode-string-perl xml-twig-tools debhelper mesa-utils nickle cairo-5c xorg-docs-core
Answer
July 16, 2025

Hi @kjdsahtdsjighsdkjgs,

I was working on getting this up and running, but alas you will need the 1Password Client installed with a GUI to be able to manage the SSH-Agent.  I'm sorry it just won't work without it.

Thanks,

Phil

September 23, 2025

Are there no plans to make this work? This renders any remote host dev work simply pointless and it is incredibly irritating that the terminal would not prompt for the user to input the credentials.

Maybe a hook can notify on the phone of the user to request for approval or something like that? Anything at all rather than the client waiting forever would be good.

The only alternative so far is to use a second SSH key to do everything while in CLI.

March 30, 2026

A bit late to the party, but this would have been really nice. 

E.g., headless 1password-cli ssh-agent functionality, specifically via a service account.

March 30, 2026

I have a slightly different twist to this ask. I use NixOS which only offers a very dated (8.11.x) GUI client, and if I download the latest as a flatpak, it doesn't support SSH key management.

So what I'd like to do, with a shared ~/home environment (also running Debian which has the 8.12 client), is to use a second GitHub key not managed by 1P, but it seems a bit tricky; the KDE wallet system wants to hold on to the 1P keys as well as a second key generated outside of 1P.

I am constantly running into Permission (publickey) errors with the agent not running, or trying to connect to ~/.1Password/<sock> and failing. Main dev client is VSCodium. I get a popup each time a change is made.

I'm sure this is my lack of comprehension of gpg and agent communication, or not knowing how to configure 1P not to feel it is the only ssh game in town?

Any help much appreciated!