Forum Discussion
rctneil
4 years ago
Super Contributor
SSH Feature questions
Hi,
Just some quick questions about the new SSH feature.
I'm assuming that the SSH keys are synced between your machines etc?
Is it possible to import existing keys from multiple machines into 1Password?
If I had my keys stored in 1Password and I was setting up a brand new machine, I'm assuming all I would need to do is set up 1Password and I'd be good to go, right?
If I do use 1Password's SSH features, do the keys still show up in my Mac's .ssh directory?
Once the keys are in 1Password, do I need to remove them from the .ssh directory?
I have had a glance at the dev documentation but would like just a little more info. I've not enabled the feature yet though but really excited to!
Thanks,
Neil
1Password Version: 8.6
Extension Version: Not Provided
OS Version: MacOS 12
39 Replies
- floris_1P
1Password Team
@kevinneufeld Enceladus @nikolamilekic ragectl
I wanted to let you know that we're currently working on a solution that allows for the following:
- Enable keys from other vaults than the Private vault.
- Create isolated setups with certain keys offered on a separate socket.
- Control the order in which keys are offered to SSH servers.
It would be great to get your feedback on our proposal, if you're (still) interested. You can do so by joining the #ssh-agent-config channel in our Slack workspace.
- 1P_Tommy
Moderator
On behalf of Floris, you're welcome.
- Former Member
floris_1P That's neat. I'll give it a try. Thanks.
- floris_1P
1Password Team
@negnetsolutions In the latest beta, you can now configure the SSH agent authorization model to not prompt for each terminal tab, but only once per application. Let me know if that improves things for you!
- Former Member
ragectl Unfortunately there are no updates yet regarding this feature.
- ragectl
Occasional Contributor
floris_1P is there any update on possible changes to the restriction on having SSH keys in the 'default' ("Personal" in my case) vault?
I have a personal 1P account, nobody else has access to it, but I am forced to keep all my items in this "Personal" vault that are not personal items.
Can the developers at least allow extra vaults for accounts with a single login attached?
I understand the reluctance about using shared vaults, but I work in teams that have shared SSH keys as back-up for when network authentication fails and we have never had an issue with misuse of the keys.
Perhaps that could be addressed by enforcing security over who can edit entries, rather than restricting use of those entries?
- Former Member
floris_1P It's better, but still very annoying since I tend to have many terminal processes running inside of tmux and vim.
- floris_1P
1Password Team
That's one of the options we're exploring. One downside of that approach is that in shared vaults, someone on your team would be able to change everyone else's SSH agent behavior, while all other SSH agent configuration is (intentionally) local to each device.
- Former Member
floris_1P How about a special tag? Similar to how '2FA' is used to suppress 2FA warnings, or 'Apple Watch' to indicate items available on WatchOS?