rbroemeling
New Contributor
2 months ago

"Connection Refused" when accessing 1Password ssh-agent within DevContainer

I've been trying to get this to work for a few hours and I'm at a loss for what to do next, so asking for ideas about what the problem could be.

My software stack is macOS 26/Tahoe, 1Password 8.11.16, Orbstack (for containers), and VSCode w/DevContainers. I have my SSH keys in 1Password and when executed from the host system, the keys are visible (and SSH works):

% SSH_AUTH_SOCK="${HOME}/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock" ssh-add -l
256 SHA256:... (ED25519)
% ssh -T git@github.com
Hi <username>! You've successfully authenticated, but GitHub does not provide shell access.

I have the DevContainer configuration to bind-mount the socket into the container and set a proper `SSH_AUTH_SOCK` value:

"mounts": [
  "source=${env:HOME}/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock,target=/tmp/ssh-agent-1password.sock,type=bind"
],
"remoteEnv": {
  "SSH_AUTH_SOCK": "/tmp/ssh-agent-1password.sock"
},

... when I am in the container, the socket looks right, `SSH_AUTH_SOCK` is correct, but `ssh-add` fails to connect with an error:

root@5a53d7e1c685:/tmp# ls -la ssh-agent-1password.sock 
srw------- 1 root root 0 Nov  2 16:36 ssh-agent-1password.sock
root@5a53d7e1c685:/tmp# echo $SSH_AUTH_SOCK
/tmp/ssh-agent-1password.sock
root@5a53d7e1c685:/tmp# ssh-add -l
Error connecting to agent: Connection refused

I've verified that the directory itself IS accessible to docker by changing `source=${env:HOME}/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock` to be `source=${env:HOME}/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sockk` and restarting the container -- when I do that, the directory `agent.sockk` is created within the directory as expected (which I am interpreting as evidence that Docker can traverse all the way to the directory and create a sub-folder within it).

I suspect what is happening is that 1Password is blocking the connection entirely (meaning it isn't a filesystem permissions error or otherwise), but I'm not sure how to prove that is the case or how to fix it if it IS the case.

Any ideas for diagnostic steps to take next?

3 Replies

  • mewesc
    New Contributor

    Hi,

    I also struggle with this...

    My software stack is macOS 26, 1Password 8.11.16, with Orbstack (as a replacement for Docker Desktop), and VSCode with DevContainers.
    I have all my SSH keys in 1Password and when executed from the host system, the keys are visible (and SSH works).

    I have set up my DevContainer.json with the following mounts:

    "mounts": [
        "source=${localEnv:HOME}/.ssh,target=/root/.ssh,type=bind,readonly",
        "source=${localEnv:HOME}/.ssh/known_hosts,target=/root/.ssh/known_hosts,type=bind",
        "source=/run/host-services/ssh-auth.sock,target=/ssh-agent,type=bind"
    ],
    "remoteEnv": {
        "SSH_AUTH_SOCK": "/ssh-agent"
    }

    If I try to make an SSH connection from the devContainer, it does not work.

    # echo $SSH_AUTH_SOCK
    # /ssh-agent
    
    # ssh-add -l
    # Output is a list of my SSH keys

    When I execute ssh -vT user@host

    I get this output:

    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: get_agent_identities: ssh_get_authentication_socket: No such file or directory

    And now, I am stuck...

    Not exactly your issue - but as you have a similar stack...

    Update:

    When I add this in my container, it solves my issue:

    mkdir -p "$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t"
    ln -sf "$SSH_AUTH_SOCK" "$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

    Now I can connect from the container via SSH to any host, and the SSH key will be derived from 1Password.

    KR

    • 1P_Phil
      Moderator

      Hi mewesc,

      Many thanks for sharing this solution!!

      rbroemeling - please let us know if this works for your setup as well.

      Thank you!
      Phil & 1Password team!

      • rbroemeling
        New Contributor

        1P_Phil​ Ah, no. No it does not fix the issue that I am having.

        From the description of KR's post, I would guess from the context that their `.ssh/config` file contained something like the 1P recommended configuration, such as:

        Host *
          IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
         
        KR then mounted their `${HOME}/.ssh` directory into their container, and therefore needed their SSH authentication socket to show up in the "right" place (which they solved with a symlink) within the container.
         
        This is a very different problem than the one I described in my post.
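
Added example, not part of any post in this thread and not 1Password's or OpenSSH's code: a Python probe for the "diagnostic steps" question in the original post. It separates the ways a client can fail against the path in `SSH_AUTH_SOCK` (missing path, wrong file type, permissions, `ECONNREFUSED`, or an agent that connects but does not answer) by sending the standard ssh-agent "request identities" message; the function name `probe_agent` and the status labels are chosen for this example.

```python
import errno, os, socket, stat, struct

SSH_AGENTC_REQUEST_IDENTITIES = 11  # ssh-agent protocol message numbers
SSH_AGENT_IDENTITIES_ANSWER = 12

def _recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection early")
        buf += chunk
    return buf

def probe_agent(path, timeout=3.0):
    """Return (status, detail) describing how far a client gets with `path`."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return ("missing", "no such path in this filesystem view")
    except PermissionError:
        return ("denied", "a parent directory is not searchable by this uid")
    if not stat.S_ISSOCK(mode):
        return ("not-a-socket", "path exists but is a regular file or directory")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(path)
        except OSError as e:
            if e.errno == errno.ECONNREFUSED:
                # The inode is a socket, but nothing reachable from this kernel is accepting on it.
                return ("refused", "socket file present, no listener accepting")
            if e.errno in (errno.EACCES, errno.EPERM):
                return ("denied", "socket mode or ownership blocks this uid")
            return ("error", str(e))
        try:
            # Frame: uint32 length, then one message-type byte.
            s.sendall(struct.pack(">IB", 1, SSH_AGENTC_REQUEST_IDENTITIES))
            (length,) = struct.unpack(">I", _recv_exact(s, 4))
            body = _recv_exact(s, length)
        except OSError as e:
            return ("no-reply", str(e))
    if len(body) >= 5 and body[0] == SSH_AGENT_IDENTITIES_ANSWER:
        return ("ok", "%d identities" % struct.unpack(">I", body[1:5])[0])
    return ("agent-failure", "unexpected reply type %d" % (body[0] if body else -1))

if __name__ == "__main__":
    print(probe_agent(os.environ.get("SSH_AUTH_SOCK", "")))
```

Running it on the host and inside the container against each side's socket path shows whether the failure is at the filesystem layer, at `connect()`, or inside the agent conversation.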