rctneil
February 16, 2022
Question

SSH Feature questions


Hi,

Just some quick questions about the new SSH feature.

  1. I'm assuming that the SSH keys are synced between your machines etc?

  2. Is it possible to import existing keys from multiple machines into 1Password?

  3. If I had my keys stored in 1Password and I was setting up a brand new machine, I'm assuming all I would need to do is set up 1Password and I'd be good to go, right?

  4. If I do use 1Password's SSH features, do the keys still show up in my Mac's .ssh directory?

  5. Once the keys are in 1Password, do I need to remove them from the .ssh directory?

I have had a glance at the dev documentation but would like just a little more info. I've not enabled the feature yet though but really excited to!

Thanks,
Neil


1Password Version: 8.6
Extension Version: Not Provided
OS Version: MacOS 12

39 replies

rctneil
Author
March 9, 2022

@Enceladus Many many thanks for your explanation.

When I get back on my personal machine I will reread your post and try it all out!

Thanks!

March 15, 2022

I just wasted a lot of time trying to figure out why SSH wasn't working for me. Same issue as @kevinneufeld: only "Personal" (or default) vault works. The other private vaults DO NOT. Is this a bug or a poorly documented feature?

floris_1P
1Password Employee
March 15, 2022

@rctneil Yes, you're right that the or part is a bit confusing, because not every SSH client supports IdentityAgent. So we just released a brand new page to list which SSH clients support which configuration options: https://developer.1password.com/docs/ssh/agent/compatibility

It says there that ssh-add does not support IdentityAgent, for example.

We're also linking to this page from the get started guide.

floris_1P
1Password Employee
March 15, 2022

@nikolamilekic That's not a bug. We've listed the SSH key requirements for the SSH agent here: https://developer.1password.com/docs/ssh/agent#eligible-keys

Anything you feel that's missing there to prevent others running into the same issue?

March 15, 2022

@floris_1P I read those requirements and I understood the private vault one to mean any vault that is not shared. As I'm not the only one to come to that (wrong) conclusion I feel you need to explain it better. Instead of saying private vault how about saying "the account's default vault" (if that is indeed the case)?

Why is this requirement there to begin with? It's not intuitive (or we wouldn't be here), and it forces users to change their workflows to suit the software...

March 17, 2022

I've transferred some of the SSH keys I use frequently to 1P to do some testing, and I'm really enjoying the experience so far! However, what I don't like is that keys are locked quite fast after use. For example, IntelliJ frequently fetches in the background, and every time this happens I have to grant access to the key again.

It would be great if 1P would remember my choice as long as my vault is unlocked. Or even better, just remember which apps have access to a key, and don't ask me anything as long as my vault is unlocked.

What are the plans regarding this?

March 29, 2022

Like @skrtks mentioned, JetBrains IDEs constantly fetch git data, which causes 1Password to ask for allowance, which, if you have e.g. 5-6 IDEs open, is quite annoying. I would love it if there were an option like macOS Keychain's "Always Allow" or something similar.

March 30, 2022

Like @skrtks mentioned, I use nvim inside of tmux and have plenty of different git integrations that are always checking the status of remote git repos. I get 1-2 ssh key requests each time I open a new shell / vim session. Or opening a transmit session over sftp (which by default opens multiple remote server connections) often ends up with 4-8 requests to unlock.

I realized that my git integrations are not the most optimized. But, an "always allow for process" would be a very nice addition.

In fact, using 1P to unlock my primary ssh identity is essentially useless for me right now as I'm constantly interrupted by authentication requests. For now, I went back to using local key files.... :(

floris_1P
1Password Employee
May 12, 2022

@skrtks @aurimasniekis @negnetsolutions We've recently made some improvements in this area, especially around those consecutive prompts piling up. Could you see if it got any better now?

@nikolamilekic I agree and we're aware of this. It's a requirement we're looking to remove soon. The reason why it's there is because we need to build an opt-in mechanism to use those keys.

May 12, 2022

@floris_1P How about a special tag? Similar to how '2FA' is used to suppress 2FA warnings, or 'Apple Watch' to indicate items available on WatchOS?