Former Member
4 years ago
MacOS - how to verify/debug 1Password agent is the one being used?
I've followed the docs. Public key is at GitHub. 1Password entry is correct.
But when I ssh -Tvvv git@github.com I'm still getting "publickey denied".
Is there something I should see in the...
Lachy
4 years ago
Occasional Contributor
Load key "/Users/$USERNAME/.ssh/id_ed25519": invalid format
When you saved that file, did you copy and paste from the Private Key field in 1Password, or did you click the menu and choose download? If you did the former, that would explain it. Clicking on the field to copy to clipboard puts the raw key value into the clipboard. You can tell by looking at the first line of the file:
This is what you get when you copy and paste from the private key field directly:
-----BEGIN PRIVATE KEY-----
This raw format isn't particularly useful for anything I'm aware of. I'm not sure why 1Password gives it to you.
This is what you get when you choose the download option, and is what you need to use for ssh to understand it:
-----BEGIN OPENSSH PRIVATE KEY-----
For your main issue, how did you configure SSH to use 1Password's ssh-agent? Did you set the SSH_AUTH_SOCK environment variable, or did you use the IdentityAgent directive in ~/.ssh/config?
If you did set the SSH_AUTH_SOCK variable, then just run:
$ ssh-add -l
Otherwise, run:
$ SSH_AUTH_SOCK="$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock" ssh-add -l
Edit: The above assumes you're running macOS. If you're running Linux, check 1Password's documentation for the equivalent command on that system.
This should list the fingerprints for all available keys stored in 1Password.
In the verbose logs for ssh, you should see some lines like debug1: Will attempt key: ... telling you which keys are being offered. Ensure that one of these corresponds with the public key you have added to GitHub.
Further down, you will see something like the following. There may be some slight differences if you're using RSA instead of Ed25519.
debug1: Offering public key: name_of_your_key ED25519 SHA256:xxxfingerprintxxx... explicit agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: name_of_your_key ED25519 SHA256:xxxfingerprintxxx explicit agent
debug3: sign_and_send_pubkey: ED25519 SHA256:xxxfingerprintxxx
debug3: sign_and_send_pubkey: signing using ssh-ed25519 SHA256:xxxfingerprintxxx
If you have multiple keys, you might see it offering keys that are then rejected. If all of your keys are rejected, make sure at least one of them corresponds with what you set up in GitHub.
If you have too many keys, and none of the keys being offered are what you set up with GitHub, then put your public key file in ~/.ssh/id_ed25519.pub and use the IdentityFile directive in ~/.ssh/config to specify that directly.
Host github.com
  User git
  IdentityFile ~/.ssh/id_ed25519.pub
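
The two checks described in the answer above (the first line of the private key file, and which keys the verbose ssh log shows as offered and accepted) can be scripted. This is an added example, not part of the original post; the function names are hypothetical and the sample log and its fingerprints are constructed.

```shell
#!/bin/sh
# Added example; function names and the sample log are constructed.

# key_format FILE: classify a private key file by its first (PEM header) line.
key_format() {
    case "$(head -n 1 "$1" 2>/dev/null | tr -d '\r')" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;  # downloaded file
        "-----BEGIN PRIVATE KEY-----")         echo pkcs8 ;;    # raw copied value
        *)                                     echo other ;;
    esac
}

# fingerprints PREFIX: read ssh -v output on stdin and print the SHA256
# fingerprint from every debug1 line that starts with PREFIX.
fingerprints() {
    sed -n "s/^debug1: $1: .* \(SHA256:[^ ]*\).*/\1/p"
}

# check_log FINGERPRINT: read ssh -v output on stdin and report whether that
# key was accepted, offered but not accepted, or never offered at all.
check_log() {
    log=$(cat)
    if printf '%s\n' "$log" | fingerprints 'Server accepts key' | grep -qxF -- "$1"; then
        echo accepted
    elif printf '%s\n' "$log" | fingerprints 'Offering public key' | grep -qxF -- "$1"; then
        echo offered-not-accepted
    else
        echo not-offered
    fi
}

# Constructed sample of ssh -v output (fingerprints are placeholders).
sample_log() {
    cat <<'EOF'
debug1: Will attempt key: work-key ED25519 SHA256:CONSTRUCTEDworkAAAA agent
debug1: Will attempt key: github-key ED25519 SHA256:CONSTRUCTEDgithubBBBB agent
debug1: Offering public key: work-key ED25519 SHA256:CONSTRUCTEDworkAAAA agent
debug3: send packet: type 50
debug1: Offering public key: github-key ED25519 SHA256:CONSTRUCTEDgithubBBBB agent
debug1: Server accepts key: github-key ED25519 SHA256:CONSTRUCTEDgithubBBBB agent
EOF
}

for fp in SHA256:CONSTRUCTEDworkAAAA SHA256:CONSTRUCTEDgithubBBBB; do
    printf '%s %s\n' "$fp" "$(sample_log | check_log "$fp")"
done
```

Against a real connection, pipe `ssh -Tv git@github.com 2>&1` into `check_log` with the fingerprint printed by `ssh-keygen -lf ~/.ssh/id_ed25519.pub`. A result of `not-offered` means the agent never presented that key, which points at the agent or config rather than at GitHub.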