rctneil
February 16, 2022
Question

SSH Feature questions

  • February 16, 2022
  • 39 replies
  • 2024 views

Hi,

Just some quick questions about the new SSH feature.

  1. I'm assuming that the SSH keys are synced between your machines etc?

  2. Is it possible to import existing keys from multiple machines into 1Password?

  3. If I had my keys stored in 1Password and I was setting up a brand new machine, i'm assuming all I would need to do is set up 1Password and i'd be good to go right?

  4. If I do use 1Password's SSH features, do the keys still show up in my Mac's .ssh directory?

  5. Once the keys are in 1Password, do I need to remove them from the .ssh directory?

I have had a glance at the dev documentation but would like just a little more info. I've not enabled the feature yet though but really excited to!

Thanks,
Neil


1Password Version: 8.6
Extension Version: Not Provided
OS Version: MacOS 12

39 replies

February 25, 2022

I followed the instruction as well, but cannot get it to work. Imported my key, moved it out of .ssh and added export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock to my shell and I get the following error.

```shell
Thu 24 10:39pm in ~
•100% ▶ ssh -T git@gitlab.com
git@gitlab.com: Permission denied (publickey,keyboard-interactive).
```


floris_1P
1Password Employee
February 28, 2022

@kevinneufeld And what do you get when you run:

```shell
SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ssh-add -l
```

February 28, 2022

@floris_1P I get:

```shell
Mon 28 9:01am in ~
⇣94% ▶ SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ssh-add -l
The agent has no identities.
```

floris_1P
1Password Employee
February 28, 2022

Is the SSH key you imported in a Private vault or a shared vault?

March 1, 2022

it is in a private vault specifically for work

March 1, 2022

when I move the key back to the personal vault I get the valid output:

```shell
Mon 28 8:26pm in ~ took 1m 51s
•100% ▶ SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ssh-add -l
256 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (ED25519)
```

March 1, 2022

Is there a way to target additional/other vaults?

rctneil (Author)
March 2, 2022

@floris_1P

I'm really sorry but this is not making any sense to me.

In your documentation, you state:

"On Mac and Linux, add the IdentityAgent to your config file or set the SSH_AUTH_SOCK environment variable."

and

"Add the IdentityAgent snippet to your ~/.ssh/config file:

```config
Host *
IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
```

Or set the SSH_AUTH_SOCK environment variable in the shell where your SSH command runs:

```shell
export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock
```
"

You explicitly say the word "or" twice. This indicates that the user has to do one OR the other.

If you HAVE to do both then surely the documentation needs to be updated. I run ssh-add -l and it fails to show any keys.

If I am misunderstanding then that's fine, but please ensure your documentation is cleared up and everything clarified to ensure misunderstandings like this don't happen.

Please could you explain again here so I can try to understand.

Enceladus
March 9, 2022

I was having trouble with this too and got it working. I had originally created an ssh key in my "Work" vault (not shared with anyone, but I don't think it counts as private), and was bemused as to why ssh -v was failing and claiming the agent had no identities.

Moving the key to the Personal vault fixed it. I can ssh hostname and 1Password prompts me for permission to connect, easy peasy.

@rctneil IdentityAgent is a way to override the SSH_AUTH_SOCK variable. It lets you instruct SSH to use a different ssh-agent for particular hosts, while SSH_AUTH_SOCK is the default. If 1Password is the only ssh-agent you're running, you can export SSH_AUTH_SOCK=<that long path> as suggested and that should work fine. No need to set IdentityAgent at all.

In my case I'm already running a different agent on SSH_AUTH_SOCK. So I set up my ~/.ssh/config file like this for 1PW:

```config
Host somethingtouse1passwordfor
    HostName 123.456.78.910
    User username
    Port 42
    # symlink to the full socket path
    IdentityAgent ~/.1password/agent.sock

Host *
    IdentityFile ~/.ssh/my-normal-id
    AddKeysToAgent yes
```

Note that in this case, `ssh-add -l` only shows the keys in my default agent, NOT what's in the 1PW agent. The reason for this is that `ssh-add` looks at `SSH_AUTH_SOCK` to get the socket through which to communicate with an agent. If I want to see what's saved in the 1PW agent, I need to change the environment variable. I can do this temporarily for my current shell session like so:


```shell
export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock
```

And then ssh-add -l will report the key(s) from 1PW.

The documentation kind of assumes someone already knows how this works, which is probably a mistake given how arcane SSH can be and how minimal the usual instructions are that people get from github, web hosts, etc. If anyone wants to read a genuinely good explanation of what's going on, https://yayimorphology.org/ssh-identities-made-easy.html saved me a lot of headaches.