Forum Discussion

Ryan_Parman (Dedicated Contributor), 4 years ago

[Feature Request] Using 1P SSH from inside a local Docker container

My team and I regularly use Docker for lightweight local environments that are pre-configured with things we need to develop that project. (It helps avoid things like "works on my machine".) If I need to work on a Terraform module, I can launch the Docker environment that has all the tools I need pre-installed and ready-to-go, and I can make my changes, run tests, and perform all sorts of general software development tasks. When I'm done, I press Ctrl+D.

We can easily read specific environment variables from the host environment and pass them into the Docker environment (e.g., AWS credentials, Terraform variables), and for Git, we can mount the local SSH directory into the container in read-only mode so that we can fetch and push (-v ~/.ssh:/root/.ssh:ro) to GitHub Enterprise.

Herein lies the problem with migrating the SSH keys into 1Password and not having them on-disk. There's nothing to mount, and 1Password only runs on the host. The low-fi solution is to keep my SSH keys on-disk for Docker, while copying them into 1P for use with that SSH agent, but then what's the point to using 1Password SSH?

A higher-fi solution (since this is desktop-use Docker; not for deployment) would be the ability to mount a unix socket from the host into the Docker container, and have some kind of tiny agent built for Linux (namely Alpine Linux) that can run and facilitate whatever signals need to be sent so that when I run git pull inside the Docker container, this agent sends a signal to 1Password on the host asking for authentication.


1Password Version: 80600043 (beta channel)
Extension Version: N/A
OS Version: macOS 12.3β

39 Replies

  • floris_1P (1Password Team)

    @SeanSith Could you try if this works:

    export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock
    docker run -v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock -e SSH_AUTH_SOCK="/run/host-services/ssh-auth.sock" alpine sh -c 'apk add openssh && ssh-add -l'

  • Former Member

    floris_1P That socket is/was macOS's default ssh-agent socket. Is 1Password hooking into that/overwriting it somehow to make this work? I'd tried to mount the socket from the original SSH documentation into the container but was probably blocked by sandboxing. I'm curious because that reduces the amount of setup my users will have to go through and potentially unlocks some other usage for us.

  • floris_1P (1Password Team)

    @SeanSith Ryan_Parman
    On macOS, you should be able to 'forward' your SSH_AUTH_SOCK to your Docker container by adding these magic flags to your docker run command:
    -v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock -e SSH_AUTH_SOCK="/run/host-services/ssh-auth.sock"
    More info here and here.

    One thing to keep in mind here though is that you will be authorizing Docker Desktop entirely. So every new Docker container launched from any terminal tab will automatically be authorized to use that key.

  • Former Member

    Using Linux and Docker, it's pretty easy to forward agent to docker... but...

    Here is the command:

    docker-compose run -it -v $(readlink -f $SSH_AUTH_SOCK):/ssh-agent -e SSH_AUTH_SOCK=/ssh-agent php bash

    running ssh -vvv user@host

    getting logs:

    debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:DOtczsfW9/BfTeVkOL4jqTmT7z4BOkocRdFs3LjG4ng
    sign_and_send_pubkey: signing failed for RSA "SSH Key | RSA 4096" from agent: agent refused operation

    1P logs:

    ==> 1Password_r00018.log <==
    INFO 2022-06-22T15:53:18.791 tokio-runtime-worker(ThreadId(16)) [1P:foundation/op-sys-info/src/process_information/linux.rs:367] no GUI info available to determine top level parent
    ERROR 2022-06-22T15:53:18.791 tokio-runtime-worker(ThreadId(16)) [1P:ssh/op-session-info/src/linux.rs:10] process tree is empty
    WARN 2022-06-22T15:53:18.791 tokio-runtime-worker(ThreadId(16)) [1P:ssh/op-ssh-agent/src/lib.rs:356] Unable to get client_info for pid: 826034

    so the problem is that 1P is trying to open Password Prompt and fails.

  • Former Member

    We had been using a setup similar to what is described here.

    Effectively we've been doing the following:

    docker-compose.yml:
    ```
    version: '3'

    services:
      app:
        image: ruby:3.1   # most images should work, but I last tested with 'ruby:3.1'
        environment:
          SSH_AUTH_SOCK: /ssh-agent
        volumes:
          - $SSH_AUTH_SOCK:/ssh-agent
    ```

    then executing docker compose run --rm app /bin/bash and performing SSH activities from there.

    Unfortunately, with the 1Password agent, we receive the following error message:

    Error response from daemon: error while creating mount source path '/host_mnt/Users/seansith/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock': mkdir /host_mnt/Users/seansith/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock: operation not supported

    This works just fine with the macOS default SSH agent.

    Setup:
    - macOS 12.3
    - Docker Desktop for Mac 4.6.1
    - 1Password 8 (80700028, on BETA channel)

  • Former Member

    I tried a 1Password 8 beta update (to "8700028, on Beta channel") and my preferred setup now works (it didn't before)!

    Nope, I was mistaken. I was testing in the wrong window.

    We're using a setup similar to what is described here.

    Effectively we've been doing the following:

    docker-compose.yml:
    ```
    version: '3'

    services:
      app:
        image: ruby:3.1   # most images should work, but I last tested with 'ruby:3.1'
        environment:
          SSH_AUTH_SOCK: /ssh-agent
        volumes:
          - $SSH_AUTH_SOCK:/ssh-agent
    ```

    then executing docker compose run --rm app /bin/bash and performing SSH activities from there.

    At this point, using the 1Password 8 SSH-Agent, I receive the following error:

    Error response from daemon: error while creating mount source path '/host_mnt/Users/seansith/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock': mkdir /host_mnt/Users/seansith/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock: operation not supported

    But when I use the macOS default ssh-agent at /run/host-services/ssh-auth.sock, it works fine.
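    The two working recipes in this thread (floris_1P's Docker Desktop proxy socket on macOS, and the readlink-resolved socket on Linux) combined into one helper, as an added example that is not from any post here or from 1Password; the function names, the `run` mode and the Alpine image are my own choices.

    ```shell
    #!/bin/sh
    # Added example (not from the thread): builds the docker run flags that forward the
    # host SSH agent into a container, following the two recipes posted above.
    # macOS: Docker Desktop exposes the host agent at a fixed proxy path inside its VM;
    #        bind-mounting the 1Password agent.sock directly fails ("operation not supported").
    # Linux: the real socket path is resolved with readlink -f, as in the compose command.
    # Caveat from floris_1P: on macOS this authorises Docker Desktop as a whole, so every
    # container started with these flags can use every key the agent holds.

    # agent_forward_flags <uname -s output> <SSH_AUTH_SOCK on the host>
    # Prints the -v/-e flags on one line; returns 1 when nothing can be forwarded.
    agent_forward_flags() {
        case "$1" in
            Darwin)
                hostsock=/run/host-services/ssh-auth.sock
                ctrsock=/run/host-services/ssh-auth.sock
                ;;
            Linux)
                [ -n "$2" ] || return 1
                # Follow symlinks so the bind mount targets the real socket file.
                hostsock=$(readlink -f "$2") || return 1
                ctrsock=/ssh-agent
                ;;
            *)
                return 1
                ;;
        esac
        printf '%s %s:%s -e SSH_AUTH_SOCK=%s\n' -v "$hostsock" "$ctrsock" "$ctrsock"
    }

    # Inside the container: succeed only if the socket exists and the agent answers.
    # An "agent refused operation" later means the agent was reached but 1Password
    # declined to sign (see the Linux log above); this check does not catch that case.
    check_agent_in_container() {
        [ -S "${SSH_AUTH_SOCK:-}" ] || return 1
        ssh-add -l >/dev/null 2>&1
    }

    # Stand-alone use: `sh forward-agent.sh run` opens an Alpine shell with the agent forwarded.
    if [ "${1:-}" = "run" ]; then
        flags=$(agent_forward_flags "$(uname -s)" "${SSH_AUTH_SOCK:-}") \
            || { echo "no SSH agent to forward" >&2; exit 1; }
        # shellcheck disable=SC2086  # word-splitting of $flags is intended
        exec docker run --rm -it $flags alpine sh -c 'apk add --no-cache openssh-client && ssh-add -l'
    fi
    ```

    Run `check_agent_in_container` as the first step of the container's entrypoint so a missing or non-forwarded socket fails fast instead of surfacing later as a confusing git error.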

  • Ryan_Parman (Dedicated Contributor)

    Without looking into your links (yet), it's important to note that the first hop (from host to local container) isn't over SSH. I'm using docker run, not ssh.

    SSH only comes into play during the second hop from the container → GitHub.

    I'm trying to figure out how to leverage 1P8 for the first hop.

  • altano (Occasional Contributor)

    I was curious so I just tested ForwardAgent with 1Password's agent: it works! 🎉

    • Local machine is a Mac with 1Password+agent.
    • I ssh'd into HostA which has my public key in authorized_keys
    • From within that ssh session, I ssh'd into HostB which also has my public key in authorized_keys. HostA does NOT have 1Password (it's a headless Linux lxc container)

    ~/.ssh/config entry is simple:

    host <myhost>
        ForwardAgent yes

    Note that ForwardAgent has some serious security considerations everyone should heed: https://vincent.bernat.ch/en/blog/2020-safer-ssh-agent-forwarding. In your case, you're treating your Docker container as a trusted local development machine and were ready to mount your private keys into it, so using ForwardAgent would obviously be even more secure and just fine for your situation.

    1Password experts: is there an opportunity for 1Password's agent to make ForwardAgent more secure by prompting on every use of the key, even through a server we've forwarded the key to? AddKeysToAgent confirm doesn't seem to accomplish this.

  • altano (Occasional Contributor)

    Are you SSHing into the Docker container from your local machine with 1Password? If so, can you use SSH agent forwarding? The 1P SSH docs don't mention it isn't supported but I haven't tested it myself.