Hi, Just some quick questions about the new SSH feature. I'm assuming that the SSH keys are synced between your machines etc? Is it possible to import existing keys from multiple machines into 1Password? If I had my keys stored in 1Password and I was setting up a brand new machine, i'm assuming all I would need to do is set up 1Password and i'd be good to go right? If I do use 1Password's SSH features, do the keys still show up in my Mac's .ssh directory? Once the keys are in 1Password, do I need to remove from from the .ssh directory? I have had a glance at the dev documentation but would like just a little more info. I've not enabled the feature yet though but really excited to! Thanks, Neil 1Password Version: 8.6 Extension Version: Not Provided OS Version: MacOS 12

From what I can see you would no longer have SSH keys in .ssh, instead your authentication would be piped through 1Password's SSH agent.

Ok, Just configured this and imported a key. I've enabled the Agent and added the appropriate lines to my config file. When I run ssh-add -l, I just get "The agent has no identities.". Any ideas how to solve this?

Correct, the SSH Key item works like any other 1Password item in that sense Yes, you can use the import functionality for that. Almost. You would need to turn on the SSH agent in the 1Password preferences on each device, because that setting is local (by design!) and you'll need to make sure your SSH config points to the 1Password agent socket. Nope! The private keys never leave the 1Password process. They're not needed anymore by then. We don't automatically remove the private keys from your ~/.ssh directory after importing, so you can do that yourself whenever you're comfortable.

And about ssh-add -l: that only works when SSH_AUTH_SOCK is set.

floris_1P Thanks for those answers. In regards to ssh-add -l. Your documentation says to add a line to the config file OR set the environment variable. Theres nothing that states that to use the above command I have to use the environment variable? How do I see all the keys in the agent then? without the env var being set? I'm confused!

SSH Feature questions | 1Password Community

39 Replies

rctneil
Super Contributor
4 years ago
floris_1P

I'm really sorry but this is not making any sense to me.

In your documentation, you state:

"On Mac and Linux, add the IdentityAgent to your config file or set the SSH_AUTH_SOCK environment variable."

and

"Add the IdentityAgent snippet to your ~/.ssh/config file:

Host *
IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

Or set the SSH_AUTH_SOCK environment variable in the shell where your SSH command runs:

export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock
"

You explicitly say the word "or" twice. This indicates that the user has to do one OR the other.

If you HAVE to do both then surely the documentation needs to be updated. I run ssh-add -l and it fails to show any keys.

If I am misunderstanding then that's fine, but please ensure your documentation is cleared up and everything clarified to ensure misunderstandings like this don't happen.

Please could you explain again here so I can try to understand.
Former Member
4 years ago
Is there a way to target addtional/other vaults?
Former Member
4 years ago
when I move the key back to the personal vault I get the valid output:
shell Mon 28 8:26pm in ~ took 1m 51s •100% ▶ SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ssh-add -l 256 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (ED25519)
Former Member
4 years ago
it is in a private vault specifically for work
floris_1P
1Password Team
4 years ago
Is the SSH key you imported in a Private vault or a shared vault?
Former Member
4 years ago
floris_1P I get:
shell Mon 28 9:01am in ~ ⇣94% ▶ SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ssh-add -l The agent has no identities.
floris_1P
1Password Team
4 years ago
@kevinneufeld And what do you get when you run:
SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ssh-add -l
Former Member
4 years ago
I followed the instruction as well, but cannot get it to work. Imported my key, moved it out of .ssh and added export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock to my shell and I get the following error.

shell Thu 24 10:39pm in ~ •100% ▶ ssh -T git@gitlab.com git@gitlab.com: Permission denied (publickey,keyboard-interactive).
Former Member
4 years ago
I followed the instruction as well, but cannot get it to work. Imported my key, moved it out of .ssh and added export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock to my shell and I get the following error.

shell Thu 24 10:39pm in ~ •100% ▶ ssh -T git@gitlab.com git@gitlab.com: Permission denied (publickey,keyboard-interactive).
floris_1P
1Password Team
4 years ago
ssh-add does not work with IdentityAgent, so you have to use the SSH_AUTH_SOCK environment variable there.

We're working on a docs page that lists compatibility for SSH clients/tools with certain features, which should give more clarity on this subject.

Forum Discussion

SSH Feature questions

39 Replies

Featured discussions

September at 1Password: Browser versions, enhanced security, and new integrations

Recent discussions

1Password Chrome extension is incorrectly manipulating <code> blocks

SSH Bookmarks - broken on macOS

Unofficial 1Password SDK for Rust

🔊 Securing Cursor agentic development with 1Password Environments

ssh agent and ansible 12 prompting incessantly