Anonymous, 4 years ago
SSH Agent Offers Local Key
Hello! I’m trying to get started using 1Password SSH agent. It looks like I’ve https://developer.1password.com/docs/ssh/get-started#step-3-turn-on-the-1password-ssh-agent, but I can’t get the agent to actually offer my key when connecting to a server.
Running ssh-add -l shows the key that I added to my Personal vault. (I know that’s coming from 1Password because it has the label name that only exists there, and if I quit 1Password, I just get "Error connecting to agent.")
But then, running ssh -T git@github.com gives me "Permission denied (publickey)." Adding -v shows me that the key in 1Password is never offered. It starts looking for local key files (id_rsa, etc.) and then fails when none are found.
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/kaelri/.ssh/id_rsa
debug1: Trying private key: /Users/kaelri/.ssh/id_dsa
debug1: Trying private key: /Users/kaelri/.ssh/id_ecdsa
debug1: Trying private key: /Users/kaelri/.ssh/id_ecdsa_sk
debug1: Trying private key: /Users/kaelri/.ssh/id_ed25519
debug1: Trying private key: /Users/kaelri/.ssh/id_ed25519_sk
debug1: Trying private key: /Users/kaelri/.ssh/id_xmss
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).
One other weird symptom: if I re-save my original key file at ~/.ssh/id_rsa, it works. I get the biometric authentication prompt ("'1Password' is trying to allow '[app]' to use the key '[key]'"), and then it connects. If I save a different key as "id_rsa", it simply fails; I don’t even get the authentication prompt. So it seems like the 1Pass agent is able to detect when "id_rsa" matches a key in my vault, and then makes me authenticate before I can use it. Which is great. But that doesn’t seem like the expected behavior here. Isn’t the point of having my key in 1Pass that I don’t need to have it exposed in a file as well? (Please correct me if I’m wrong!)
Additional info:
- My ssh -V shows "OpenSSH_8.6p1, LibreSSL 3.3.6."
- My .zshrc includes export SSH_AUTH_SOCK=~/.1password/agent.sock. Running ls -l $SSH_AUTH_SOCK shows that the file is correctly symlinked to ~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock.
- My ~/.ssh/config file is pretty sparse (see below).
Host *
IdentitiesOnly yes
IdentityAgent "~/.1password/agent.sock"
Happy to provide any other info that may help!
1Password Version: 8.8.0
Extension Version: Not Provided
OS Version: macOS Monterey 12.5
Browser: Not Provided
1 Reply
- Anonymous
So, naturally, I found the solution 5 minutes after posting this thread. I was mistaken when I enabled IdentitiesOnly for all hosts. That was preventing ssh from using the non-file keys offered by the agent (which is of course exactly what it’s supposed to do). Removed that line from ~/.ssh/config and now it works like a charm. I’ll leave this up for any unfortunate souls who made the same mistake. :)
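An added example, not part of the original thread or of 1Password's documentation: the config from the post beside a variant that keeps IdentitiesOnly yes (so an agent holding many keys does not offer every one of them to every server) and still lets the agent-held key be used, by naming it through its public half. The path ~/.ssh/id_ed25519_1password.pub is an assumption; the public key has to be exported from 1Password into that file first.

```sshconfig
# Variant A: the config from the post. With IdentitiesOnly yes and no
# IdentityFile, ssh only tries the default key files under ~/.ssh, which is
# why the -v output above shows "Trying private key" for each default name
# and the agent key is never offered. Dropping IdentitiesOnly fixes it.
Host *
    IdentityAgent "~/.1password/agent.sock"
    IdentitiesOnly yes

# Variant B: keep IdentitiesOnly yes but list the agent key by its public
# half. ssh reads the .pub file, finds the matching key in the agent and
# asks the agent to sign, so the private key never needs to exist on disk.
# The .pub path is an assumed example path, not one from the post.
Host github.com
    IdentityAgent "~/.1password/agent.sock"
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519_1password.pub
```

With either fix, `ssh -v git@github.com` should show an "Offering public key" line for the agent key before authentication succeeds, rather than only the "Trying private key" lines seen in the post.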