[Feature Request] Using 1P SSH from inside a local Docker container

My team and I regularly use Docker for lightweight local environments that are pre-configured with things we need to develop that project. (It helps avoid things like "works on my machine".) If I need to work on a Terraform module, I can launch the Docker environment that has all the tools I need pre-installed and ready-to-go, and I can make my changes, run tests, and perform all sorts of general software development tasks. When I'm done, I press Ctrl+D.

We can easily read specific environment variables from the host environment and pass them into the Docker environment (e.g., AWS credentials, Terraform variables), and for Git, we can mount the local SSH directory into the container in read-only mode so that we can fetch and push (-v ~/.ssh:/root/.ssh:ro) to GitHub Enterprise.

Herein lies the problem with migrating the SSH keys into 1Password and not having them on-disk. There's nothing to mount, and 1Password only runs on the host. The low-fi solution is to keep my SSH keys on-disk for Docker, while copying them into 1P for use with that SSH agent, but then what's the point to using 1Password SSH?

A higher-fi solution (since this is desktop-use Docker; not for deployment) would be the ability to mount a unix socket from the host into the Docker container, and have some kind of tiny agent built for Linux (namely Alpine Linux) that can run and facilitate whatever signals need to be sent so that when I run git pull inside the Docker container, this agent sends a signal to 1Password on the host asking for authentication.

1Password Version: 80600043 (beta channel)
Extension Version: N/A
OS Version: macOS 12.3β

SSH

39 Replies

Former Member
2 years ago
Hi all, I have followed this discussion entirely but I still am not able to reproduce or make this work.

My host is Windows and the container is Linux. I'm not sure if anyone else here was trying in this set up? I see the majority of people are either from Mac -> Linux or Windows -> Windows... I'm not sure how can I mount the named pipe //./pipe/openssh-ssh-agent to the container in a way that makes sense...
floris_1P
1Password Team
2 years ago
@tavlima Which OS are you on?
Former Member
2 years ago
The agent integration with Docker works fine for me (using the SSH_AUTH_SOCK volume and env var), but 1Password is not correctly prompting for unlocking.

With ssh -vv I could see the keys were accepted by the server, but SSH timeout while waiting for the agent. That led me to 1Password logs, where I saw entries similar to this:

INFO 2023-09-22T16:41:36.526 tokio-runtime-worker(ThreadId(3)) [1P:ssh/op-ssh-agent/src/lib.rs:538] Notifying user through tray icon that they have a background prompt waiting

But I was seeing no unlock prompts... So I checked (clicked) the 1Password in the top menu bar and there I saw a message about the pending SSH authorization (don't recall exactly the message).

After clicking that, the unlock prompt showed up and I authorized it, everything worked.

Looks like a bug, to me: I shouldn't have to click the menu bar icon for that...
Former Member
2 years ago
I can't pull any images from the internal registry. My best bet right now to have everything fully working is the following:

Host * IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock" ForwardAgent yes Host * IgnoreUnknown AddKeysToAgent,UseKeychain AddKeysToAgent yes UseKeychain yes IdentityFile ~/.ssh/id_rsa
floris_1P
1Password Team
2 years ago
What issue are you then encountering with the glcoud Docker helper?
Former Member
2 years ago
The problem is that If i specify SSH_AUTH_SOCK to the 1password one, the gcloud auth + docker helper don't work anymore :)
floris_1P
1Password Team
2 years ago
@coolgoose That's because Docker for Mac is managed by launchd and will inherit the launchd environment rather than the zsh environment. So in other words: launchd needs to be aware of the socket, which requires an additional setup step, described here.
Former Member
2 years ago
Seems there's something funky with both 1password and Docker.
I can add the export SSH_AUTH_SOCK to my ~/.zshrc but I still need to open docker with open -a Docker in order to properly be able to forward the ssh keys.
Former Member
3 years ago
Okey got to the bottom of it - It's my Docker container not using the right open-ssh

Jack_P_1P here is my host file FYI
Host * IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock" ForwardAgent yes

Steps I did to fix this:
1. install openssh-server via Dockerfile
FROM python RUN apt-get update \ && apt-get install -y --no-install-recommends build-essential openssh-server
2. Open vscode via this method https://developer.1password.com/docs/ssh/agent/compatibility#ssh-auth-sock
$ export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock $ open -a /Applications/Visual\ Studio\ Code.app
Jack_P_1P
1Password Team
3 years ago
Hi @girish:

I notice this looks like Visual Studio Code's remote development extension. Is that correct? Would you mind sharing the contents of ~/.ssh/config from macOS, rather than your Docker container? I'll be able to dig in more once I've seen your SSH config.

Jack

Forum Discussion

[Feature Request] Using 1P SSH from inside a local Docker container

39 Replies

Recent Discussions

Improvements to 1Password Community coming May 22nd

op service-account - Plans for expansion of functionality like save item to vault and rotate?

1Password SSH keys with WSL

Documentation For 1Password on Context7

1Password-CLI not working