Forum Discussion
Former Member
3 years ago
ForwardAgent?
I noticed that when I log in to my server with a key that is in 1Password and I try to log in from there to other servers, I need to provide my password. Apparently ForwardAgent does not work, or do I have to do something special?
1Password Version: 8.7.0
Extension Version: Not Provided
OS Version: macOS 12.3
- Jack_P_1P
1Password Team
Hi @proza:
Thanks for sharing. We're continuing to investigate how we can make this smoother when connecting to a host that also has 1Password SSH Agent enabled, so thanks for your feedback!
Jack
- floris_1P
1Password Team
Agent forwarding should just keep on working after moving your keys to 1Password, without needing additional config. Did it work before? Did anything change?
- Former Member
I am running into the same issue. I've got ForwardAgent set for my hosts, but nothing is being passed to the first remote server to allow me to SSH into the 2nd.
- Former Member
Yes, it worked before when I added the ssh-key with ssh-add to my identities but that is not necessary if I understood the 1Password-ssh-support correctly (if not - how do I add it with ssh-add).
- floris_1P
1Password Team
Could you guys share your `ssh -v` output of the second command? (That should use the forwarded agent)
And also share the relevant SSH config.
- Former Member
Could it be that since the Certificate is not in the IdentityAgent, forwarding does not work?
```
OpenSSH_7.9p1, OpenSSL 1.1.1k-freebsd 24 Aug 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 1: Applying options for *
debug1: Connecting to targethost-nfs [172.16.254.156] port 22.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: identity file /home/user/.ssh/id_xmss type -1
debug1: identity file /home/user/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9 FreeBSD-20200214
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9 FreeBSD-20200214
debug1: match: OpenSSH_7.9 FreeBSD-20200214 pat OpenSSH* compat 0x04000000
debug1: Authenticating to targethost-nfs:22 as 'user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC:compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC:compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:9DZQE+gXw6BolwutR3GPutxfqKzlRSvjimNf9DOrXHw
DNS lookup error: general failure
debug1: Host 'targethost-nfs' is known and matches the ECDSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: Will attempt key: id_rsa_sam RSA SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU agent
debug1: Will attempt key: /home/user/.ssh/id_rsa
debug1: Will attempt key: /home/user/.ssh/id_dsa
debug1: Will attempt key: /home/user/.ssh/id_ecdsa
debug1: Will attempt key: /home/user/.ssh/id_ed25519
debug1: Will attempt key: /home/user/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: Fssh_kex_input_ext_info: server-sig-algs=
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: id_rsa_sam RSA SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU agent
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /home/user/.ssh/id_rsa
debug1: Trying private key: /home/user/.ssh/id_dsa
debug1: Trying private key: /home/user/.ssh/id_ecdsa
debug1: Trying private key: /home/user/.ssh/id_ed25519
debug1: Trying private key: /home/user/.ssh/id_xmss
debug1: Next authentication method: keyboard-interactive
```
- Former Member
I forgot the .ssh/config-part:
```
ControlPath ~/.ssh/connections/mux_%C
ControlPersist 4h
TCPKeepAlive no
ServerAliveInterval 60
ServerAliveCountMax 10
ForwardAgent yes
AddKeysToAgent yes
Host *
  IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
  CertificateFile "~/.ssh/id_rsa_sam-cert.pub"
Host host1
  HostName host1.fqdn.com
  User user
Host destinationhost
  HostName destinationhost.fqdn.com
  User user
```
The destination-host-part should be irrelevant though because it depends then on the second host.
- floris_1P
1Password Team
> Could it be that since the Certificate is not in the IdentityAgent, forwarding does not work?

Yes, that could very well be the culprit. What happens if you SSH from the forwarded host into a host that does not require certificates, e.g. `ssh -T git@github.com`?
- Former Member
It works when I try to move to a host that doesn't require a certificate -- the unlock pop-up comes from 1Password, and I can log in.
- Former Member
Any news here? I switched off the feature again because of the algorithm- and the ForwardAgent-problems.
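Added example (not part of the original thread and not 1Password's code): a small Python check for the hypothesis discussed above. It reads `ssh -v` output taken on the intermediate host and reports whether the forwarded agent offered a certificate or only a plain key. The sample log is constructed in the shape of the output posted above; the function name and verdict strings are assumptions of this example.

```python
import re

# Constructed sample shaped like the `ssh -v` output posted in this thread
# (placeholder fingerprint, not real data).
SAMPLE = """\
debug1: Will attempt key: id_rsa_sam RSA SHA256:PLACEHOLDER agent
debug1: Will attempt key: /home/user/.ssh/id_rsa
debug1: Offering public key: id_rsa_sam RSA SHA256:PLACEHOLDER agent
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /home/user/.ssh/id_rsa
debug1: Next authentication method: keyboard-interactive
"""

# OpenSSH prints: "Will attempt key: <name> [<TYPE> <fingerprint>] [flags]".
# Certificates carry a type ending in -CERT (for example RSA-CERT);
# keys that come from an agent carry the trailing "agent" flag.
KEY_RE = re.compile(
    r"^debug1: Will attempt key: (?P<name>.+?)"
    r"(?: (?P<type>[A-Z0-9-]+) (?P<fp>(?:SHA256|MD5):\S+))?"
    r"(?P<flags>(?: explicit| token| agent)*)$"
)

def diagnose(log):
    """Classify what the (forwarded) agent contributed to an ssh -v session."""
    agent_keys = []
    for line in log.splitlines():
        m = KEY_RE.match(line.strip())
        if m and " agent" in m.group("flags"):
            agent_keys.append((m.group("name"), m.group("type")))
    certs = [name for name, ktype in agent_keys
             if ktype and ktype.endswith("-CERT")]
    if not agent_keys:
        verdict = "no agent keys: forwarding inactive or agent empty"
    elif certs:
        verdict = "agent holds a certificate"
    else:
        verdict = "agent forwarded, plain keys only (no certificate)"
    return {
        "agent_keys": agent_keys,
        "agent_certs": certs,
        # True when the client gave up on publickey and moved on
        "fell_back": "Next authentication method: keyboard-interactive" in log,
        "verdict": verdict,
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A "plain keys only" verdict together with `fell_back` matches the case in this thread: the agent is forwarded, but the certificate named by `CertificateFile` exists only in the local client configuration and never reaches the intermediate host.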