March 27, 2026
Question

SSH Agent forwarded to Docker container only attempts to use the first SSH key


I have the SSH agent forwarded into a Docker container with the following config:

volumes:
    - '~/.ssh:/.ssh:ro'
    - '~/.ssh/known_hosts:/.ssh/known_hosts:rw'
    - '${SSH_AUTH_SOCK_HOST:-/run/host-services/ssh-auth.sock}:/ssh-auth.sock:ro'
environment:
    SSH_AUTH_SOCK: /ssh-auth.sock

And the IdentityFile symlinked in an entrypoint script:

mkdir -p "$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t"
ln -sf "$SSH_AUTH_SOCK" "$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

This is working and if I run "ssh-add -l" inside the container, I can see all the available keys.

However, whenever the container requires SSH, the 1Password prompt is always for the same key (the first key listed by "ssh-add -l") and not the actual required key.

1 reply

Michael_Mercuri
March 27, 2026

I believe with the default configuration, 1Password SSH Agent prompts for a key when the key is requested (like any other SSH Agent). If you want a specific key, you'll need to specify the key, either in the ~/.ssh/config file or via the command line ("ssh -i identity_file").

What I find works best with 1Password SSH Agent is to store the PUBLIC keys as identity files (e.g. "~/.ssh/config/id_ed25519.pub") and then in ~/.ssh/config set the identity file to the public key via "IdentityFile ~/.ssh/id_ed25519.pub".

This has two advantages:

  1. no need to store the private key on disk
  2. easy to configure a specific key to use

If you really want to configure 1Password SSH Agent to only allow access to specific keys, it's possible to configure it via 1Password https://developer.1password.com/docs/ssh/agent/config.  

However, I find it best to stick with basic SSH config for broader compatibility.
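
An added example, not part of the reply above or of 1Password's documentation: a shell check that the public key you intend to pin is actually offered by the forwarded agent, followed by the ssh_config stanza that pins it. The host aliases, file names and key blobs are constructed, and IdentitiesOnly is an OpenSSH option the reply does not mention.

```shell
#!/bin/sh
# Added example, not from the thread. Key blobs and hosts below are constructed.

# agent_has_key PUBFILE [LISTING]: succeed if the key blob in PUBFILE is one the
# agent offers. LISTING is a file holding `ssh-add -L` output; when omitted the
# live agent at $SSH_AUTH_SOCK is queried.
agent_has_key() {
    want=$(awk 'NF >= 2 { print $2; exit }' "$1") || return 2
    [ -n "$want" ] || return 2
    if [ -n "${2:-}" ]; then cat "$2"; else ssh-add -L; fi |
        awk -v want="$want" '$2 == want { found = 1 } END { exit !found }'
}

# host_stanza ALIAS PUBFILE: print an ssh_config block that pins ALIAS to one key.
# IdentitiesOnly (assumption: not mentioned in the reply) makes ssh use only the
# configured identity instead of trying every key the agent lists.
host_stanza() {
    printf 'Host %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' "$1" "$2"
}

# pin_host ALIAS PUBFILE [LISTING]: emit the stanza only if the agent holds the key.
pin_host() {
    if agent_has_key "$2" "${3:-}"; then
        host_stanza "$1" "$2"
    else
        echo "key in $2 is not offered by the agent" >&2
        return 1
    fi
}

# Constructed sample: an agent listing with two keys, and two .pub files.
demo=$(mktemp -d)
cat > "$demo/agent.txt" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOneConstructed personal
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwoConstructed deploy
EOF
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwoConstructed deploy' > "$demo/deploy.pub"
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyGoneConstructed old' > "$demo/old.pub"

pin_host git.example.com "$demo/deploy.pub" "$demo/agent.txt"
pin_host legacy.example.com "$demo/old.pub" "$demo/agent.txt" || true
```

Inside the container, drop the third argument so the check queries the forwarded agent through SSH_AUTH_SOCK; `ssh -G <alias>` then shows the identity file ssh will actually use for that host.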