Forum Discussion

MaxRaab
New Contributor
4 years ago

SSH Key Certificates

Hello,

I'm using SSH keys in combination with certificates. The certificates are the result of a signing process by a CA key.
Normally the ssh-agent adds them automatically if they are named correctly.

An example:

key
key.pub
key-cert.pub

$ ssh-add key

Enter passphrase for /home/max/.ssh/key:
Identity added: /home/max/.ssh/key (Server access)
Certificate added: /home/max/.ssh/key-cert.pub (certificate_max)

How do I add my certificates to 1Password? (One can have more than one certificate per key)

Kind regards,
Max


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

18 Replies

  • Former Member

    I just tried it and it doesn't work.

    That's what I see on the server, when I try to identify with the 1P-IdentityAgent and the CertificateFile-option:

    destinationhost# /usr/sbin/sshd -d -p 2222
    debug1: sshd version OpenSSH_7.5, OpenSSL 1.0.2u-freebsd 20 Dec 2019
    debug1: private host key #0: ssh-rsa SHA256:bQOMBvPw32zqCG9wAKku447CKX0VV0L8m3+Fcnidsws
    debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:5PzxSW/mxjC2KfZ/Sim0nAyzGD7GcEi4MFi4AbGi0r0
    debug1: private host key #2: ssh-ed25519 SHA256:HDPsxjNsZuK7+53Re9n0foz4npqAW9CPJn+fa3xCNew
    debug1: rexec_argv[0]='/usr/sbin/sshd'
    debug1: rexec_argv[1]='-d'
    debug1: rexec_argv[2]='-p'
    debug1: rexec_argv[3]='2222'
    debug1: Bind to port 2222 on ::.
    debug1: Server TCP RWIN socket size: 4194304
    Server listening on :: port 2222.
    debug1: Bind to port 2222 on 0.0.0.0.
    debug1: Server TCP RWIN socket size: 4194304
    Server listening on 0.0.0.0 port 2222.
    debug1: fd 5 clearing O_NONBLOCK
    debug1: Server will not fork when running in debugging mode.
    debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
    debug1: inetd sockets after dupping: 3, 3
    debug1: res_init()
    Connection from xxx.xxx.xxx.xxx port 46136 on yyyy.yyyy.yyy.yyy port 2222
    debug1: Client protocol version 2.0; client software version OpenSSH_8.6
    debug1: match: OpenSSH_8.6 pat OpenSSH* compat 0x04000000
    debug1: Local version string SSH-2.0-OpenSSH_7.5 FreeBSD-20170903
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: permanently_set_uid: 22/22 [preauth]
    debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
    debug1: SSH2_MSG_KEXINIT sent [preauth]
    debug1: SSH2_MSG_KEXINIT received [preauth]
    debug1: kex: algorithm: curve25519-sha256@libssh.org [preauth]
    debug1: kex: host key algorithm: ssh-ed25519 [preauth]
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
    debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
    debug1: rekey after 134217728 blocks [preauth]
    debug1: SSH2_MSG_NEWKEYS sent [preauth]
    debug1: expecting SSH2_MSG_NEWKEYS [preauth]
    debug1: SSH2_MSG_NEWKEYS received [preauth]
    debug1: rekey after 134217728 blocks [preauth]
    debug1: KEX done [preauth]
    debug1: userauth-request for user user service ssh-connection method none [preauth]
    debug1: attempt 0 failures 0 [preauth]
    debug1: PAM: initializing for "user"
    debug1: PAM: setting PAM_RHOST to "some.host.com"
    user user login class [preauth]
    debug1: userauth-request for user user service ssh-connection method publickey [preauth]
    debug1: attempt 1 failures 0 [preauth]
    user user login class [preauth]
    debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU [preauth]
    debug1: trying public key file /home/user/.ssh/authorized_keys
    debug1: Could not open authorized keys '/home/user/.ssh/authorized_keys': No such file or directory
    debug1: trying public key file /home/user/.ssh/authorized_keys2
    debug1: Could not open authorized keys '/home/user/.ssh/authorized_keys2': No such file or directory
    Failed publickey for user from xxx.xxx.xxx.xxx port 46136 ssh2: RSA SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU
    debug1: audit_event: unhandled event 6
    debug1: userauth-request for user user service ssh-connection method keyboard-interactive [preauth]
    debug1: attempt 2 failures 1 [preauth]
    user user login class [preauth]
    debug1: keyboard-interactive devs [preauth]
    debug1: auth2_challenge: user=user devs= [preauth]
    debug1: kbdint_alloc: devices 'pam' [preauth]
    debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
    Postponed keyboard-interactive for user from xxx.xxx.xxx.xxx port 46136 ssh2 [preauth]
    Connection closed by authenticating user user xxx.xxx.xxx.xxx port 46136 [preauth]
    debug1: do_cleanup [preauth]
    debug1: monitor_read_log: child log fd closed
    debug1: do_cleanup
    debug1: PAM: cleanup
    debug1: Killing privsep child 825
    debug1: audit_event: unhandled event 12

  • Former Member

    I will try that later. Sorry, didn’t get any notification for this.

  • floris_1P
    1Password Team

    If you already have the certificate locally, have you tried running the SSH command with -o CertificateFile=/path/to/cert?

  • Former Member

    And setting up a test environment is easy. You need like three lines in your sshd_config, a signing key and that’s it. Sign your first key and you can test.
    Here is a tutorial:
    https://smallstep.com/docs/tutorials/ssh-certificate-login/#configure-sshd-to-accept-user-certs

    For this forum post only the user-key part (not the host-key part) is required. And if AgileBits is using ssh, they should consider using it as well because it is the best way to handle ssh keys at scale. You can set expiry dates on your keys, you can easily revoke them, and new team members can easily be given access without rolling out their public key everywhere. And if you have freelancers, you have a user for them on the needed servers with the right principal, sign their key with an expiry date at the end of the project, and then they won't be able to log in anymore once the key has expired.

    Here is how Facebook (sorry Meta) is using it:
    https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/
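    What the original post's key-cert.pub file contains, and where the expiry date and principals mentioned in this reply live, can be seen by decoding the certificate's wire format. The script below is an added example, not code from this thread, from 1Password or from the linked tutorials. It builds a constructed, unsigned ed25519 user certificate in memory (random placeholder keys, a zeroed signature, the made-up key id "certificate_max" and principals "max" and "deploy"), then parses it exactly as the OpenSSH certificate format lays it out and applies the checks sshd performs on principal and validity window. Signature verification against the CA is deliberately not implemented here; that is sshd's job via TrustedUserCAKeys.

```python
"""Decode an OpenSSH user certificate (key-cert.pub line) and report
key id, principals and validity window.

Added example, not code from the thread or from 1Password. The certificate
is CONSTRUCTED in-process with placeholder keys and a dummy signature so the
script runs offline; CA signature verification is out of scope here.
"""
import base64
import os
import struct
import time

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # SSH_CERT_TYPE_USER; host certificates use 2


def _str(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length prefix + bytes."""
    return struct.pack(">I", len(b)) + b


def _read_str(buf: bytes, off: int):
    """Decode one SSH 'string' at offset `off`; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def build_cert(key_id: str, principals, valid_after: int, valid_before: int) -> str:
    """Build an UNSIGNED ed25519 user cert in authorized_keys line form (constructed test data)."""
    fake_pk = os.urandom(32)     # placeholder for the subject's ed25519 public key
    fake_ca_pk = os.urandom(32)  # placeholder for the CA's ed25519 public key
    blob = b"".join([
        _str(CERT_TYPE.encode()),
        _str(os.urandom(32)),                                   # nonce
        _str(fake_pk),                                          # pk
        struct.pack(">Q", 1),                                   # serial
        struct.pack(">I", USER_CERT),                           # type
        _str(key_id.encode()),                                  # key id
        _str(b"".join(_str(p.encode()) for p in principals)),   # valid principals
        struct.pack(">Q", valid_after),                         # valid after (unix time)
        struct.pack(">Q", valid_before),                        # valid before (unix time)
        _str(b""),                                              # critical options (none)
        _str(_str(b"permit-pty") + _str(b"")),                  # extensions: name, data
        _str(b""),                                              # reserved
        _str(_str(b"ssh-ed25519") + _str(fake_ca_pk)),          # signature key (CA)
        _str(_str(b"ssh-ed25519") + _str(b"\x00" * 64)),        # signature (dummy, unverifiable)
    ])
    return f"{CERT_TYPE} {base64.b64encode(blob).decode()} certificate_max"


def parse_cert(line: str) -> dict:
    """Decode the fields of one key-cert.pub line in OpenSSH certificate order."""
    kind, b64, *_ = line.split()
    buf = base64.b64decode(b64)
    cert_type, off = _read_str(buf, 0)
    if cert_type.decode() != kind:
        raise ValueError("type prefix does not match certificate blob")
    _nonce, off = _read_str(buf, off)
    _pk, off = _read_str(buf, off)
    serial, cert_kind = struct.unpack_from(">QI", buf, off)
    off += 12
    key_id, off = _read_str(buf, off)
    princ_blob, off = _read_str(buf, off)
    principals, p = [], 0
    while p < len(princ_blob):          # principals are packed strings
        name, p = _read_str(princ_blob, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", buf, off)
    off += 16
    _critical, off = _read_str(buf, off)
    ext_blob, off = _read_str(buf, off)
    extensions, e = [], 0
    while e < len(ext_blob):            # extensions are packed (name, data) pairs
        name, e = _read_str(ext_blob, e)
        _data, e = _read_str(ext_blob, e)
        extensions.append(name.decode())
    return {"serial": serial, "user_cert": cert_kind == USER_CERT,
            "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before,
            "extensions": extensions}


def check_cert(cert: dict, principal: str, now: int) -> list:
    """Reasons sshd would reject this cert for `principal` at time `now` (empty list = usable).
    An empty principals list means the cert is valid for any principal, as in OpenSSH."""
    problems = []
    if not cert["user_cert"]:
        problems.append("not a user certificate")
    if cert["principals"] and principal not in cert["principals"]:
        problems.append(f"principal {principal!r} not listed")
    if now < cert["valid_after"]:
        problems.append("not yet valid")
    if now >= cert["valid_before"]:
        problems.append("expired")
    return problems


if __name__ == "__main__":
    now = int(time.time())
    line = build_cert("certificate_max", ["max", "deploy"], now - 60, now + 3600)
    info = parse_cert(line)
    print(info["key_id"], info["principals"], check_cert(info, "max", now))
```

    For a real certificate the same fields are printed by `ssh-keygen -L -f key-cert.pub`; the server side only needs the CA public key listed in sshd_config via TrustedUserCAKeys, and the principal names in the certificate must match the account (or an AuthorizedPrincipalsFile entry) the user logs in as.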

  • Former Member

    That it works. I don't know what has to be done.
    I have my private key, my public key and my certificate in my .ssh folder.
    When I authenticate at a server, the server recognizes the certificate and it works.

    With 1P I don’t know what should be done. Maybe I would need to be able to import the certificate as well?

    RFC6187 should be the one to look at if I am not mistaken.
    https://datatracker.ietf.org/doc/html/rfc6187

  • floris_1P
    1Password Team

    What would 1Password's ideal role be in an SSH certificates workflow?

  • Former Member

    Same thing in our company. We use it company wide.
    I would love to have full support of this, if not I can use my ssh key as before as I don't see any benefit.