March 22, 2022
Question

SSH Agent Forwarding

  • 22 replies
  • 6877 views

I'm really enjoying using 1Password as an ssh-agent with biometric unlock. I'm wondering if it's possible to forward the SSH agent though.

Scenario:

I have two macs with 1Password setup with biometric unlock for ssh keys (work machine and personal).
Occasionally, I want to log in from my personal machine and git push on my work machine. If I attempt to do this now, I get errors like this:

```
sign_and_send_pubkey: signing failed for ED25519 "/Users/MyName/.ssh/id_ed25519" from agent: agent refused operation
sign_and_send_pubkey: signing failed for RSA "SSH Key" from agent: agent refused operation
git@github.com: Permission denied (publickey).
```

I think what's happening is that ssh on my work machine is trying to use the 1Password agent with biometric unlock, but the machine is locked (display asleep), so the biometric prompt is immediately dismissed and the auth fails.

I'm wondering if I can forward the SSH agent from my personal machine to the work machine. I would expect ssh -A work to handle this, but it seems to get the same error as above.

Any ideas on how to do this, or do I have to forgo biometric unlock if I want to ssh between the machines remotely?


1Password Version: 8.7.0
Extension Version: Not Provided
OS Version: macOS 12.3

22 replies

floris_1P
1Password Employee
February 6, 2023

We're considering having op-ssh-sign check for SSH_TTY / SSH_CONNECTION and SSH_AUTH_SOCK and, if both are set, use SSH_AUTH_SOCK instead. That should remove the need for these SSH config and rc file snippets.

We'll keep this thread posted if we have any updates on this.

February 24, 2023

I got this working using @malo's solution, but it doesn't work when trying to use SSH signing with 1Password.

My workaround right now is to manually remove gpg.ssh.program from .gitconfig when connecting to the remote over SSH and then adding it again when using the remote computer in person.

Jack_P_1P
1Password Employee
March 1, 2023

Hi @datwaft:

If you're looking to use 1Password SSH agent commit signing on a device when accessed locally as well as remotely, your best bet is to ensure that $SSH_AUTH_SOCK is set to your forwarded agent socket when SSH'd into that device, and then the 1Password SSH agent socket when you're using it in person.

SSH signing by default uses the agent pointed to by $SSH_AUTH_SOCK, and setting op-ssh-sign as the SSH program overrides that function.

Jack

March 3, 2023

I saw that in the documentation and tried to do something like that but it didn't work for me.
I just tried once again and it seems to work, I probably had the wrong socket set to SSH_AUTH_SOCK.

Quick question, is ~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock always the path to the 1Password agent socket or it can change in the future? I want to see if I should hardcode it in my dotfiles with a condition like test -z $SSH_TTY.

Jack_P_1P
1Password Employee
March 7, 2023

Hi @datwaft:

Great question. While it's possible that the path to the agent may change in the future, there aren't any plans or intent to change it.

Additionally, that path will be the same on every macOS install, and won't vary based on the specific Mac computer it's installed on.

Jack
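The two posts above describe the rule (use the forwarded agent socket inside an SSH session, the 1Password socket when working locally) and confirm the socket path. The following shell snippet is an added example, not code from the thread or from 1Password, that implements that rule as a function you can source from a shell rc file. The 1Password socket path is the one quoted in the thread; `pick_agent_socket` and `agent_reachable` are names chosen here. `agent_reachable` relies on `ssh-add -l` exiting with status 2 when it cannot contact an agent (0 or 1 when an agent answers), which is documented ssh-add behaviour.

```bash
#!/bin/bash
# Added example (not from the thread): decide which SSH agent socket git and
# ssh should talk to, depending on whether this shell is a remote SSH session.

# 1Password agent socket on macOS, as given in the thread above.
ONEPASSWORD_SOCK="$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

# pick_agent_socket SSH_TTY_VALUE SSH_AUTH_SOCK_VALUE LOCAL_SOCK
# Prints the socket path to use:
#   - inside an SSH session (SSH_TTY non-empty) that also carries a forwarded
#     agent (SSH_AUTH_SOCK non-empty): keep the forwarded socket, so signing is
#     delegated to the machine you connected from and its biometric prompt;
#   - otherwise: the local 1Password socket.
pick_agent_socket() {
  ssh_tty="$1"
  forwarded="$2"
  local_sock="$3"
  if [ -n "$ssh_tty" ] && [ -n "$forwarded" ]; then
    printf '%s\n' "$forwarded"
  else
    printf '%s\n' "$local_sock"
  fi
}

# agent_reachable SOCKET
# Exit 0 if an ssh-agent answers on SOCKET, 1 otherwise. A missing socket file
# is reported as unreachable before ssh-add is even tried.
agent_reachable() {
  sock="$1"
  [ -S "$sock" ] || return 1
  rc=0
  SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1 || rc=$?
  # ssh-add exits 2 when it cannot connect; 0 (keys) and 1 (no keys) both
  # mean an agent is listening.
  [ "$rc" -ne 2 ]
}

# Usage in a shell rc file: export the chosen socket for this session.
# ${VAR-} avoids "unbound variable" errors when the shell runs with set -u.
SSH_AUTH_SOCK="$(pick_agent_socket "${SSH_TTY-}" "${SSH_AUTH_SOCK-}" "$ONEPASSWORD_SOCK")"
export SSH_AUTH_SOCK

if agent_reachable "$SSH_AUTH_SOCK"; then
  echo "using SSH agent at $SSH_AUTH_SOCK"
else
  echo "warning: no SSH agent answering at $SSH_AUTH_SOCK" >&2
fi
```

Sourcing this from the remote machine's rc file keeps git commit signing working both ways: over SSH the forwarded socket stays in place and git's signing helper talks to the agent on the originating machine, while in person the socket points at 1Password and the biometric prompt appears as usual. The reachability check is worth keeping, because the failure mode described at the top of the thread (a socket that exists but whose agent refuses the operation) is much easier to diagnose once you know which socket was actually selected.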

March 18, 2023

Here's a simple redirect script that I use as my gpg.ssh.program setting in gitconfig. It's based on @floris_1P's comment above and can be used as a placeholder until op-ssh-sign supports this natively:

git-ssh-sign
```bash
#!/bin/bash
# Inside an SSH session with a forwarded agent: sign with plain ssh-keygen,
# which uses the agent at $SSH_AUTH_SOCK (i.e. the forwarded one).
if [[ "$SSH_CONNECTION" ]] && [[ "$SSH_AUTH_SOCK" ]]; then
  ssh-keygen "$@"
else
  # Local session: hand off to 1Password's signer (biometric prompt).
  /Applications/1Password.app/Contents/MacOS/op-ssh-sign "$@"
fi
```

In gitconfig:

```
[gpg "ssh"]
	program = /path/to/git-ssh-sign
```

Jack_P_1P
1Password Employee
March 24, 2023

Thanks for sharing @jgoz!

Jack

floris_1P
1Password Employee
May 29, 2023

We're considering having op-ssh-sign check for SSH_TTY / SSH_CONNECTION and SSH_AUTH_SOCK and, if both are set, use SSH_AUTH_SOCK instead. That should remove the need for these SSH config and rc file snippets.

Just wanted to follow up here that this has now been implemented!

May 29, 2023

Good news!
Starting with which version?

floris_1P
1Password Employee
May 29, 2023

Starting with version 8.10.4.