February 17, 2022
Question

SSH key stored in non-default vault is not available to the ssh agent?

  • 5 replies
  • 274 views

I'm testing out the new SSH key feature.

If the key is stored in the default "private" vault, ssh MY_HOST works without any issue.
Once I move the key to another vault (not shared), ssh MY_HOST stops working.

If I move it back, it works again.

So it seems that the agent is not able to retrieve keys from the non-default vault?


1Password Version: 8.6.0
Extension Version: Not Provided
OS Version: macOS 12.2

5 replies

February 18, 2022

I just found the below doc that mentioned that only keys in the private vault will work.

https://developer.1password.com/docs/ssh/agent/#eligible-keys

floris_1P
1Password Employee
February 18, 2022

Correct, we're starting out with support for Private vaults only.

February 19, 2022

If you ever add shared vaults, I'd want that to be optional. Among other reasons, I've gone and put backup copies of keys from servers into a shared vault, knowing that they won't actually get used by the ssh agent. I would not want these to be interpreted for this. If nothing else, maybe employ the use of a special tag like no-ssh-agent on items to make the agent ignore them (similar to the existing 2FA and http tags). I kinda like the notion of private vaults only for usable ssh keys, but being able to "properly" store backups of keys, and share keys, via 1Password.

floris_1P
1Password Employee
April 12, 2022

Yes, if we lift the Private/Personal vaults requirement, that will be behind an opt in. If we'd offer such a mechanism, would you prefer the opt in to be per vault or per individual key?

floris_1P
1Password Employee
April 19, 2023

@meowzz I wanted to let you know that we're working on a solution that lets you enable keys from other vaults than the Private vault. It would be great to get your feedback on our proposal, if you're (still) interested. You can do so by joining the #ssh-agent-config channel in our Slack workspace.