
Former Member
4 years ago

SSH Agent Forwarding

I'm really enjoying using 1Password as an ssh-agent with biometric unlock. I'm wondering if it's possible to forward the SSH agent, though.

Scenario:

I have two macs with 1Password setup with biometric unlock for ssh keys (work machine and personal).
Occasionally, I want to login from my personal machine and git push on my work machine. If I attempt to do this now, I get errors like this:


sign_and_send_pubkey: signing failed for ED25519 "/Users/MyName/.ssh/id_ed25519" from agent: agent refused operation
sign_and_send_pubkey: signing failed for RSA "SSH Key" from agent: agent refused operation
git@github.com: Permission denied (publickey).

I think what's happening is that ssh on my work machine is trying to use the 1password agent with biometric unlock, but the machine is locked (display asleep) so the biometric prompt is immediately dismissed and the auth fails.

I'm wondering if I can forward the SSH agent from my personal machine to the work machine. I would expect ssh -A work to handle this, but it seems to get the same error as above.

Any ideas on how to do this, or do I have to forgo biometric unlock if I want to ssh from the machines remotely?


1Password Version: 8.7.0
Extension Version: Not Provided
OS Version: macOS 12.3

22 Replies

  • Michael_Mercuri
    Frequent Contributor

    This is also a problem for me. I have agent forwarding enabled in my ~/.ssh/config. I also have 1Password configured as the IdentityAgent like this:


    Host *
    IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
    ForwardAgent yes

    When I ssh into my iMac remotely and then attempt to use ssh from there (e.g., via git) the option for IdentityAgent is used (i.e., the locked 1Password as the agent) and NOT the forwarded agent from my local MacBook. I would like the forwarded agent to be used instead of the locked 1Password on my remote iMac.

    I suspect this is not a problem specific to 1Password, and instead related to how the OpenSSH options for ForwardAgent and IdentityAgent interact.

    Does anyone know of a way to configure the OpenSSH client to prefer the forwarded agent over the configured IdentityAgent?

    As a workaround for this I often disable the IdentityAgent option (comment it out in my ~/.ssh/config) when I'm ssh'd in remotely, but this is a pain and not ideal. You could also disable the option via command line but this is also not ideal, and not really possible when ssh is used via git and similar.

  • jc00ke
    Occasional Contributor

    I'd be interested in the solution to this w/o biometric unlock for the Linux use case. I have 2 Linux machines, one laptop and one desktop. I'm currently ssh'd into the desktop but I can't then SSH tunnel that machine to another because I can't unlock the desktop. Hopefully that makes sense.