It’s Cybersecurity Awareness Month! Join our interactive training session, or learn about security and AI from 1Password experts.
SSH agent isn't working (Windows 11)
I can't use my vault's SSH keys on my terminal. I've reinstalled multiple times and followed the https://developer.1password.com/docs/ssh/get-started/, but I can't make it work correctly. My 1Password config is set up as follows: I've disabled the OpenSSH Authentication Agent (the screenshot is in spanish) My ~/.ssh/config file: Host * IdentityAgent "~/.1password/agent.sock" My ~/.gitconfig file: [core] sshCommand = ssh.exe autocrlf = input [user] email = {email} name = {user} signingkey = ssh-ed25519 AAA[...] [gpg] format = ssh [gpg "ssh"] program = C:\\Users\\{user}\\AppData\\Local\\1Password\\app\\8\\op-ssh-sign.exe [commit] gpgsign = true Whenever I run ssh-add -L my vault's SSH keys are shown, but I can't seem to make it work with GitHub or connect to any SSH connection. ❯ ssh-add -L ssh-ed25519 AA[...] Authentication & Signing (Git) ssh-ed25519 AA[...] Authentication ❯ ssh -Tv git@github.com OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2 debug1: Reading configuration data C:\\Users\\{user}/.ssh/config debug1: C:\\Users\\{user}/.ssh/config line 1: Applying options for * debug1: Connecting to github.com [140.82.116.4] port 22. debug1: Connection established. debug1: identity file C:\\Users\\{user}/.ssh/id_rsa type -1 debug1: identity file C:\\Users\\{user}/.ssh/id_rsa-cert type -1 debug1: identity file C:\\Users\\{user}/.ssh/id_ecdsa type -1 debug1: identity file C:\\Users\\{user}/.ssh/id_ecdsa-cert type -1 debug1: identity file C:\\Users\\{user}/.ssh/id_ecdsa_sk type -1 debug1: identity file C:\\Users\\{user}/.ssh/id_ecdsa_sk-cert type -1 debug1: identity file C:\\Users\\{user}/.ssh/id_ed25519 type -1 debug1: identity file C:\\Users\\{user}/.ssh/id_ed25519-cert type -1 debug1: identity file C:\\Users\\{user}/.ssh/id_ed25519_sk type -1 debug1: identity file C:\\Users\\{user}/.ssh/id_ed25519_sk-cert type -1 debug1: identity file C:\\Users\\{user}/.ssh/id_xmss type -1 debug1: identity file C:\\Users\\{user}/.ssh/id_xmss-cert type -1 debug1: identity file C:\\Users\\{user}/.ssh/id_dsa type -1 debug1: identity file C:\\Users\\{user}/.ssh/id_dsa-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_for_Windows_9.5 debug1: Remote protocol version 2.0, remote software version 133e47a51 debug1: compat_banner: no match: 133e47a51 debug1: Authenticating to github.com:22 as 'git' debug1: load_hostkeys: fopen C:\\Users\\{user}/.ssh/known_hosts2: No such file or directory debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts: No such file or directory debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: curve25519-sha256 debug1: kex: host key algorithm: ssh-ed25519 debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: SSH2_MSG_KEX_ECDH_REPLY received debug1: Server host key: ssh-ed25519 SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU debug1: load_hostkeys: fopen C:\\Users\\{user}/.ssh/known_hosts2: No such file or directory debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts: No such file or directory debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory debug1: Host 'github.com' is known and matches the ED25519 host key. debug1: Found key in C:\\Users\\{user}/.ssh/known_hosts:3 debug1: ssh_packet_send2_wrapped: resetting send seqnr 3 debug1: rekey out after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: ssh_packet_read_poll2: resetting read seqnr 3 debug1: SSH2_MSG_NEWKEYS received debug1: rekey in after 134217728 blocks debug1: get_agent_identities: ssh_get_authentication_socket: No such file or directory debug1: Will attempt key: C:\\Users\\{user}/.ssh/id_rsa debug1: Will attempt key: C:\\Users\\{user}/.ssh/id_ecdsa debug1: Will attempt key: C:\\Users\\{user}/.ssh/id_ecdsa_sk debug1: Will attempt key: C:\\Users\\{user}/.ssh/id_ed25519 debug1: Will attempt key: C:\\Users\\{user}/.ssh/id_ed25519_sk debug1: Will attempt key: C:\\Users\\{user}/.ssh/id_xmss debug1: Will attempt key: C:\\Users\\{user}/.ssh/id_dsa debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa> debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey debug1: Next authentication method: publickey debug1: Trying private key: C:\\Users\\{user}/.ssh/id_rsa debug1: Trying private key: C:\\Users\\{user}/.ssh/id_ecdsa debug1: Trying private key: C:\\Users\\{user}/.ssh/id_ecdsa_sk debug1: Trying private key: C:\\Users\\{user}/.ssh/id_ed25519 debug1: Trying private key: C:\\Users\\{user}/.ssh/id_ed25519_sk debug1: Trying private key: C:\\Users\\{user}/.ssh/id_xmss debug1: Trying private key: C:\\Users\\{user}/.ssh/id_dsa debug1: No more authentication methods to try. git@github.com: Permission denied (publickey). One thing I noticed is that the folder .1password with the agent.sock file is not being created on my %USERPROFILE% folder. ❯ cd ~ && lsd -la | findstr ".1password" {empty} I installed lsd (chocolatey) on windows btw
Copy secret reference (using ID values)
This applies to all platforms (not just Mac), but I didn't see a community category for "all platforms", so I'm choosing Mac because it seems to have the highest user activity Perhaps I've missed some documentation, but I don't find a way to copy a https://developer.1password.com/docs/cli/secrets-reference-syntax/ using the desktop app. This seems like a basic and essential task during development. What I want is this format: op://vault_id/item_id/section_id/field_id or if the value isn't in a section: op://vault_id/item_id/field_id How can I do that easily — and get a secret reference defined by ID values (which should be immutable — vs. name values which can be modified)? More context: I find some ways to construct the URL manually (but this is not ideal): A URL can be copied which includes the vault and item ID among other query parameters: I get one in a format like this: https://start.1password.com/open/i?v={VAULT_ID}&i={ITEM_ID} However, that's not enough as it doesn't include the section/field, and would need to be manually edited or processed by other tooling as an additional step to get the required output. I can also use "Copy item UUID" and then paste that as an argument to a manually-typed CLI command to get much more than what's needed: % op --format=json item get x5k2wndiih6cmw2rugl7ol442i { "id": "x5k2wndiih6cmw2rugl7ol442i", // --- snip --- "vault": { "id": "{REDACTED_VAULT_ID}", // --- snip --- }, // --- snip --- "fields": [ // --- snip --- { "id": "credential", "type": "CONCEALED", "label": "credential", "value": "abc123", "reference": "op://{REDACTED_VAULT_NAME}/API Credential/credential" }, // --- snip --- ] } However, this still involves either manually copying+pasting IDs or using other tooling to parse and create the required output. The JSON does include a reference value for the target field, but the reference is built using names, which isn't satisfactory for the reasons described previously. For the example above, what I want to copy to the clipboard is the following (where {VAULT_ID} is replaced by the actual vault ID): op://{VAULT_ID}/x5k2wndiih6cmw2rugl7ol442i/credential I think that if the boolean option is enabled at Settings > Advanced > Show debugging tools: then there should be an option to copy a complete ID-based secret reference for every field in its contextual menu: This is a re-posting of previous issue — the 1Password team stopped responding and it was closed without comment: https://1password.community/discussion/139642/copy-secret-reference-using-id-values 1Password Version: 8.10.48 Extension Version: Not Provided OS Version: macOS 15.0.1 Browser: Not Provided
Trouble signing git commits from docker container
I am trying to set up a Linux dev container on my Windows machine. I am using VSCode Dev Containers which is doing some SSH magic that was able to get unsigned git commits to work. However, when I try to make signed commits, I get the following error: `error: cannot run [USER_HOME_DIRECTORY]\AppData\Local\1Password\app\8\op-ssh-sign.exe: No such file or directory` I saw this this other community post of a similar nature. I tried my best to follow along by: Set `SSH_AUTH_SOCK` environment variable; this didn't have explicit instructions for Windows Remove `[gpg "ssh"]` from `.git_config` Rebuild the docker image But doing so also did not resolve the issue, instead bringing up this new error: `error: Couldn't find key in agent?` Would someone be able to help me?
CLI script for migration from .com to .eu
When switching regions as documented in https://support.1password.com/regions/ there are certain limitations: Files can’t be copied across regions. To copy a Document item, download the file to your computer, then upload it to the new account. To copy an item with an attached file, download the file to your computer, remove the attached file from the item, copy the item to the new account, and add the file attachment back to the copied item. Items with custom icons can’t be copied across regions. Edit the item to remove the custom icon, copy the item to the new account, and add the custom icon back to the copied item. Items with related item links can be copied, but you’ll need to relink items after you copy them. Has anyone made a smart script for the op commandline tool to detect which items are affected by the above limitations? Or does the app reliably complain if it can't copy 1:1 from .com to .eu?
Issue with using op.exe within WSL for Ansible
Despite using 1Password, 1Password CLI and Ansible successfully in WSL on Windows 11, I've recently run into an issue. The 1Password apps on my work device were not being updated, and I believe I was using version 8.8.8 of the main app and 2.17.0 of the CLI. (Not great, I know). I had created a symbolic link for "/mnt/c/Program\ Files\ \)x86\)/1Password\ CLI/op.exe" to /usr/local/bin/op and everything was running fine. I could run 'op signin' and it would trigger my biometric authentication and 'op account list' would return my account as expected. I could also, use the community.general.onepassword lookup within Ansible just fine. I had a script to retrieve my ansible vault password configured in my ansible.cfg and this worked fine: #!/bin/bash op read "op://Personal/ansible_vault/password" After much cajoling, the support team have updated the 1Password applications on my device, I'm now running 8.11.2 of the Desktop app and 2.31.1 of OP CLI. Most of my environment works as before, 'op account list' triggers my biometrics and then returns the expected values and my ansible vault script above continues to work in the same way... however now the community.general.onepassword plugin is complaining that I'm not passing the required parameters (secret key, username, master_password, subdomain) ... but I shouldn't need to do this, as I am signed into 1Password. Again, this worked fine before upgrading the Windows OP CLI and App. Is this expected? I guess I could add these security items into my Ansible vault but I thought the whole point of OP CLI was to be able to move away from static security info in files (even if it is encrypted) and using password managers?
