1Password ssh agent & ssh key on disk
stoutZero, New Contributor, 3 months ago
Hi,
I have enabled the 1Password ssh agent and checked that the 1Password Touch ID prompt shows up and works when I connect to a different machine via ssh.
*Tangent:
Why is pasting in this textarea so annoying? I was trying to change multiple "1P" into "1Password" by selecting each one and pasting over it, but I have to paste, undo, then paste again; and when I pasted without selecting anything, a newline was inserted before and after the pasted text.
I also see that 1Password Watchtower listed these two warnings: "Unencrypted" & "Already in 1Password" for every ssh key I have in `~/.ssh/keys`.
Wanting to please Watchtower, I then moved all the keys out of `~/.ssh/keys`, but somehow ssh now asks for a password?
I then recreated the keys with no content; ssh still asks for a password.
Only when I moved all the keys back did the 1Password Touch ID prompt work again.
Am I doing something wrong? I'm expecting that I don't actually need the ssh keys physically on disk when I use 1Password's ssh agent.
I checked the `~/.ssh/config` file, and it does have the necessary `IdentityAgent` config.
I guess I just don't quite understand how 1Password's ssh agent is supposed to work.
The information on 1Password's ssh agent in the documentation is rather minimal.
Any help and / or clarification would be appreciated.
Thanks.
5 Replies
- floris_1P
1Password Team
Hey stoutZero, you can in fact use `IdentitiesOnly yes` + `IdentityFile` with the 1Password SSH agent, but then point `IdentityFile` to the public key instead of the private key. The private key can be stored in 1Password with only the .pub file on disk.
- stoutZero, New Contributor
Yep! That works!
Right now there are no ssh private keys on disk, which is exactly what I wanted.
Thanks.
- stoutZero, New Contributor
After mailing the 1Password's support, Juraj Stolc (CX Technical Representative) told me that the `IdentitiesOnly yes` in my local ssh config is preventing me from deleting my local ssh keys.
I then have to remove the `IdentityFile` key for each host.
But the point of having `IdentityFile` for each host is so that:
- No single ssh key leak will expose all of my remote machines to attackers
- Enables SSH agent to just offer a single ssh key to a single remote machine
I tried removing `IdentitiesOnly` & `IdentityFile` for a single VPS in a different country.
The result? `fail2ban` on that VPS blocked my IP because 1Password tried to offer all 70+ of my SSH keys.
I had to remove the blacklist entry via a web-based console, which is not a pleasant experience.
Disclaimer:
This is not me disparaging the use of 1Password's ssh agent, if it works for you go for it :)
For me, I have had to keep 60+ ssh keys for my clients' machines, including bare-metal ones, because they don't have a password manager (and because they're not devops people). And another 10 ssh keys for my own machines.
I don't actually have 70 machines that I manage on a daily basis. The fact that 1Password's ssh agent cannot perfectly replicate this configuration in my local ssh config:
```
# connect using: `ssh file1` in your terminal
Host file1
    User user1
    HostName 10.90.1.1
    Port 22
    IdentityFile ~/.ssh/keys/user1@file1

# connect using: `ssh file12` in your terminal
Host file12
    User user2
    HostName 10.90.1.1
    Port 22
    IdentityFile ~/.ssh/keys/user2@file1
```
is a deal breaker for me.
Anyway, thank you 1P_Phil & Juraj Stolc for your replies
Cya.
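The following is an added example, not code from this thread or from 1Password. It writes the two hosts from stoutZero's config in the shape floris_1P describes (`IdentityFile` pointing at the `.pub` file, `IdentitiesOnly yes`, private half only in the agent) and then audits the result for the three things that went wrong above: a block that names a private key, a block without `IdentitiesOnly` (which lets the agent offer every key it holds, the fail2ban trigger), and a private key left on disk beside its `.pub`. The agent socket path is an assumption (1Password's documented Linux default; on macOS it is `~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock`), and the sample public keys are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not code from the thread or from 1Password. It writes the two
# hosts from the thread's ssh_config in the shape floris_1P describes (IdentityFile
# at the .pub, IdentitiesOnly yes, private half only in the agent) and audits it.
# Assumed socket path: 1Password's documented Linux default; on macOS it is
# ~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock.
set -eu
AGENT_SOCK='~/.1password/agent.sock'

# Constructed sample: two .pub files; the blob is a placeholder, not a real key.
make_demo_keys() {
  dir=$(mktemp -d) && mkdir "$dir/keys"
  printf 'ssh-ed25519 PLACEHOLDERNOTAREALKEY user1@file1\n' > "$dir/keys/user1@file1.pub"
  printf 'ssh-ed25519 PLACEHOLDERNOTAREALKEY user2@file1\n' > "$dir/keys/user2@file1.pub"
  printf '%s\n' "$dir"
}

# One Host block: alias, user, hostname, path to the PUBLIC key. ssh then offers
# exactly this identity and asks the agent for the signature.
host_block() {
  cat <<EOF
# connect using: ssh $1
Host $1
    User $2
    HostName $3
    Port 22
    IdentityAgent $AGENT_SOCK
    IdentitiesOnly yes
    IdentityFile $4
EOF
}

write_config() {   # out_file keys_dir
  {
    host_block file1  user1 10.90.1.1 "$2/user1@file1.pub"
    host_block file12 user2 10.90.1.1 "$2/user2@file1.pub"
  } > "$1"
}

# The shape that failed in the thread, for contrast: file1 names a private key and
# has no IdentitiesOnly (so the agent offers every key); file12 is correct unless a
# private key was left behind on disk.
write_bad_config() {   # out_file keys_dir
  cat > "$1" <<EOF
Host file1
    User user1
    HostName 10.90.1.1
    IdentityAgent $AGENT_SOCK
    IdentityFile $2/user1@file1
Host file12
    User user2
    HostName 10.90.1.1
    IdentityAgent $AGENT_SOCK
    IdentitiesOnly yes
    IdentityFile $2/user2@file1.pub
EOF
}

# Audit: each Host block with an IdentityFile must set IdentitiesOnly yes, point at
# a .pub, and have no private key beside it. One line per finding; 0 when clean.
check_config() {   # config_file
  report=$(
    awk '
      function flush() {
        if (host != "" && idfile != "") {
          if (only != "yes")      print host ": IdentitiesOnly is not yes"
          if (idfile !~ /\.pub$/) print host ": IdentityFile is not a .pub file"
        }
      }
      tolower($1) == "host"           { flush(); host = $2; idfile = ""; only = ""; next }
      tolower($1) == "identitiesonly" { only = tolower($2) }
      tolower($1) == "identityfile"   { idfile = $2 }
      END { flush() }
    ' "$1"
    awk 'tolower($1) == "identityfile" { print $2 }' "$1" |
    while read -r pub; do
      priv=${pub%.pub}
      if [ "$priv" != "$pub" ] && [ -e "$priv" ]; then
        echo "$pub: private key $priv is still on disk"
      fi
    done
  )
  if [ -n "$report" ]; then printf '%s\n' "$report"; return 1; fi
}

# Stand-alone run: print the generated config and the audit verdict.
demo() {
  d=$(make_demo_keys)
  write_config "$d/config" "$d/keys" && cat "$d/config"
  check_config "$d/config" && echo "OK: only public keys on disk, one identity per host"
}
demo
```

To confirm what a real `ssh` will do with such a config, `ssh -G file1 | grep -i identit` prints the resolved `IdentityFile` and `IdentitiesOnly` values, and `SSH_AUTH_SOCK="$HOME/.1password/agent.sock" ssh-add -L` lists every public key the agent holds (both are standard OpenSSH commands; the socket path is the assumed one above). The reason a block without `IdentitiesOnly` gets you banned is that `sshd` counts each offered key as an authentication attempt and its default `MaxAuthTries` is 6, so an agent holding 70 keys is cut off long before it reaches the right one, and fail2ban sees the resulting failures.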
- 1P_Phil
Moderator
Hi stoutZero,
Thanks for writing in. The authentication pattern should be independent of the SSH key situation. Would you be able to send us a note at support@1password.com?
Thanks,
Phil
- stoutZero, New Contributor
Done