Forum Discussion
olilaban
13 hours ago, New Member
SSH Agent forwarded to Docker container only attempts to use the first SSH key
I have the SSH agent forwarded into a Docker container with the following config:

    volumes:
      - '~/.ssh:/.ssh:ro'
      - '~/.ssh/known_hosts:/.ssh/known_hosts:rw'
      - '${SSH_AUTH_SOCK_HOST:-/run/host-services/ssh-auth.sock}:/ssh-auth.sock:ro'
    environment:
      SSH_AUTH_SOCK: /ssh-auth.sock

And the IdentityFile symlinked in an entrypoint script:

    mkdir -p "$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t"
    ln -sf "$SSH_AUTH_SOCK" "$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

This is working and if I run "ssh-add -l" inside the container, I can see all the available keys.
However, whenever the container requires SSH, the 1Password prompt is always for the same key (the first key listed by "ssh-add -l") and not the actual required key.
1 Reply
- Michael_Mercuri, Dedicated Contributor
I believe with the default configuration, 1Password SSH Agent prompts for a key when the key is requested (like any other SSH Agent). If you want a specific key, you'll need to specify the key, either in the ~/.ssh/config file or via the command line ("ssh -i identity_file").
What I find works best with 1Password SSH Agent is to store the PUBLIC keys as identity files (e.g. "~/.ssh/config/id_ed25519.pub") and then in ~/.ssh/config set the identity file to the public key via "IdentityFile ~/.ssh/id_ed25519.pub".
This has two advantages:
- no need to store the private key on disk
- easy to configure the specific key to use
If you really want to configure 1Password SSH Agent to only allow access to specific keys, it's possible to configure it via 1Password https://developer.1password.com/docs/ssh/agent/config.
However, I find it best to stick with basic SSH config for broader compatibility.
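
The public-key-as-IdentityFile approach from the reply, as an added example that is not part of the original thread: it turns `ssh-add -L` style output into one .pub file per key and prints an ssh_config stanza pinning a host to one of them. Assumptions: the sample key lines and host names are constructed, the output directory is hypothetical, and `IdentitiesOnly yes` (a standard OpenSSH option not mentioned in the thread) is added so ssh offers only the configured key instead of the agent's first one.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `ssh-add -L` style lines
# ("<type> <base64> <comment>") on stdin, writes one .pub file per key
# into directory $1, and prints each path written.
export_agent_pubkeys() {
    dir=$1
    mkdir -p "$dir" || return 1
    while read -r ktype blob comment; do
        # Skip anything that is not a public key line, e.g. the
        # "The agent has no identities." message.
        case $ktype in
            ssh-*|ecdsa-*|sk-*) ;;
            *) continue ;;
        esac
        [ -n "$blob" ] || continue
        # File name from the key comment, restricted to safe characters.
        name=$(printf '%s' "${comment:-key}" | tr -c 'A-Za-z0-9._-' '_')
        printf '%s %s %s\n' "$ktype" "$blob" "$comment" > "$dir/$name.pub"
        chmod 644 "$dir/$name.pub"
        printf '%s\n' "$dir/$name.pub"
    done
}

# Prints an ssh_config stanza pinning host $1 to public key file $2.
# IdentitiesOnly keeps ssh from trying the agent's other keys.
host_stanza() {
    printf 'Host %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' "$1" "$2"
}

# Constructed sample input (not real keys); in real use: ssh-add -L
sample_agent_output() {
    cat <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKey0001 GitHub Work
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKey0002 deploy@staging
EOF
}

demo() {
    out=$(mktemp -d)
    sample_agent_output | export_agent_pubkeys "$out" >/dev/null
    host_stanza git.example.com "$out/GitHub_Work.pub"
    host_stanza staging.example.com "$out/deploy_staging.pub"
}
demo
```

Only public keys are written to disk; the private keys stay in the agent, and each host prompts for the key named in its stanza.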