SSH Feature questions
Hi,
Just some quick questions about the new SSH feature.
I'm assuming that the SSH keys are synced between your machines etc?
Is it possible to import existing keys from multiple machines into 1Password?
If I had my keys stored in 1Password and I was setting up a brand new machine, I'm assuming all I would need to do is set up 1Password and I'd be good to go, right?
If I do use 1Password's SSH features, do the keys still show up in my Mac's .ssh directory?
Once the keys are in 1Password, do I need to remove them from the .ssh directory?
I have had a glance at the dev documentation but would like just a little more info. I've not enabled the feature yet, but I'm really excited to!
Thanks,
Neil
1Password Version: 8.6
Extension Version: Not Provided
OS Version: MacOS 12
Comments
-
From what I can see you would no longer have SSH keys in .ssh, instead your authentication would be piped through 1Password's SSH agent.
0 -
Ok,
Just configured this and imported a key. I've enabled the Agent and added the appropriate lines to my config file.
When I run ssh-add -l, I just get "The agent has no identities." Any ideas how to solve this?
0 -
Correct, the SSH Key item works like any other 1Password item in that sense.
Yes, you can use the import functionality for that.
Almost. You would need to turn on the SSH agent in the 1Password preferences on each device, because that setting is local (by design!) and you'll need to make sure your SSH config points to the 1Password agent socket.
Nope! The private keys never leave the 1Password process.
They're not needed anymore by then. We don't automatically remove the private keys from your ~/.ssh directory after importing, so you can do that yourself whenever you're comfortable.
0 -
And about ssh-add -l: that only works when SSH_AUTH_SOCK is set.
0 -
@floris_1P Thanks for those answers.
In regards to ssh-add -l: your documentation says to add a line to the config file OR set the environment variable. There's nothing that states that to use the above command I have to use the environment variable?
How do I see all the keys in the agent then? without the env var being set?
I'm confused!
0 -
ssh-add -l works in a remote ssh session only, if you activate agent forwarding. Parameter -A for ssh or ~/.ssh/config option.
0 -
You didn't write if you checked ssh-add -l locally or remotely. Locally it works right away and you need to make sure the documented environment variables exist. In remote ssh sessions, the ssh client automatically creates the environment variables, if agent forwarding is enabled.
However, this is no 1Password-specific setting. It's how the ssh client works in general.
0 -
ssh-add does not work with IdentityAgent, so you have to use the SSH_AUTH_SOCK environment variable there. We're working on a docs page that lists compatibility for SSH clients/tools with certain features, which should give more clarity on this subject.
0 -
I followed the instruction as well, but cannot get it to work. Imported my key, moved it out of .ssh and added
export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock
to my shell and I get the following error.
Thu 24 10:39pm in ~ •100% ▶ ssh -T git@gitlab.com git@gitlab.com: Permission denied (publickey,keyboard-interactive).
0 -
@kevinneufeld And what do you get when you run:
SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ssh-add -l
0 -
@floris_1P I get:
Mon 28 9:01am in ~ ⇣94% ▶ SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ssh-add -l The agent has no identities.
0 -
Is the SSH key you imported in a Private vault or a shared vault?
0 -
it is in a private vault specifically for work
0 -
when I move the key back to the personal vault I get the valid output:
Mon 28 8:26pm in ~ took 1m 51s •100% ▶ SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ssh-add -l 256 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (ED25519)
0 -
Is there a way to target additional/other vaults?
0 -
I'm really sorry but this is not making any sense to me.
In your documentation, you state:
"On Mac and Linux, add the IdentityAgent to your config file or set the SSH_AUTH_SOCK environment variable."
and
"Add the IdentityAgent snippet to your ~/.ssh/config file:
Host *
    IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
Or set the SSH_AUTH_SOCK environment variable in the shell where your SSH command runs:
export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock"
You explicitly say the word "or" twice. This indicates that the user has to do one OR the other.
If you HAVE to do both then surely the documentation needs to be updated. I run ssh-add -l and it fails to show any keys. If I am misunderstanding then that's fine, but please ensure your documentation is cleared up and everything clarified to ensure misunderstandings like this don't happen.
Please could you explain again here so I can try to understand.
0 -
I was having trouble with this too and got it working. I had originally created an ssh key in my "Work" vault (not shared with anyone, but I don't think it counts as private), and was bemused as to why ssh -v was failing and claiming the agent had no identities.
Moving the key to the Personal vault fixed it. I can ssh hostname and 1Password prompts me for permission to connect, easy peasy.
@rctneil IdentityAgent is a way to override the SSH_AUTH_SOCK variable. It lets you instruct SSH to use a different ssh-agent for particular hosts, while SSH_AUTH_SOCK is the default. If 1Password is the only ssh-agent you're running, you can export SSH_AUTH_SOCK=<that long path> as suggested and that should work fine. No need to set IdentityAgent at all.
In my case I'm already running a different agent on SSH_AUTH_SOCK. So I set up my ~/.ssh/config file like this for 1PW:
Host somethingtouse1passwordfor
    HostName 123.456.78.910
    User username
    Port 42
    # symlink to the full socket path
    IdentityAgent ~/.1password/agent.sock

Host *
    IdentityFile ~/.ssh/my-normal-id
    AddKeysToAgent yes
Note that in this case, ssh-add -l only shows the keys in my default agent, NOT what's in the 1PW agent. The reason for this is that ssh-add looks at SSH_AUTH_SOCK to get the socket through which to communicate with an agent. If I want to see what's saved in the 1PW agent, I need to change the environment variable. I can do this temporarily for my current shell session like so:
SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock
And then ssh-add -l will report the key(s) from 1PW.
The documentation kind of assumes someone already knows how this works, which is probably a mistake given how arcane SSH can be and how minimal the usual instructions are that people get from github, web hosts, etc. If anyone wants to read a genuinely good explanation of what's going on, this article saved me a lot of headaches.
0 -
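The two points made in this thread (floris_1P's answer that the agent setting is per-device and your config has to point at the 1Password socket, and Enceladus's explanation that ssh-add only reads SSH_AUTH_SOCK and ignores IdentityAgent) can be combined into a small check script. The following is an added example, not 1Password's code or anything posted in the thread; it assumes the macOS socket path quoted above and uses a made-up host name ("work-git.example") for the per-host config stanza.

```shell
#!/bin/sh
# Added example (not 1Password's code). Socket path is the macOS path quoted in the thread.
OP_SOCK="$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

# Emit a ~/.ssh/config stanza that routes ONE host to the 1Password agent while every
# other host keeps using whatever agent SSH_AUTH_SOCK points at. The path is quoted
# because it contains spaces.
op_config_stanza() {
  host="$1"
  cat <<EOF
Host $host
    IdentityAgent "$OP_SOCK"
EOF
}

# Return 0 if the socket exists on THIS machine. The agent toggle is a local preference,
# so a freshly set up device has no socket until the agent is enabled in 1Password.
op_agent_socket_ready() {
  sock="${1:-$OP_SOCK}"
  [ -S "$sock" ]
}

# List the identities the 1Password agent serves. IdentityAgent in ~/.ssh/config does not
# help here: ssh-add only honours SSH_AUTH_SOCK, so override it for this one command
# instead of changing the whole shell's default agent.
op_agent_list() {
  sock="${1:-$OP_SOCK}"
  op_agent_socket_ready "$sock" || { echo "socket not found: $sock" >&2; return 2; }
  SSH_AUTH_SOCK="$sock" ssh-add -l
}

# Usage: print the stanza for a constructed host name, then show what the agent holds.
op_config_stanza "work-git.example"
if op_agent_socket_ready; then
  op_agent_list
else
  echo "1Password SSH agent socket not present on this machine; enable the agent in 1Password's preferences." >&2
fi
```

If op_agent_list prints "The agent has no identities." even though the socket exists, the key is reachable but not eligible (in this thread, because it sat in a vault other than the Personal/default one); if the socket is missing, the problem is on the device-setting side rather than in ~/.ssh/config.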
@Enceladus Many many thanks for your explanation.
When I get back on my personal machine I will reread your post and try it all out!
Thanks!
0 -
I just wasted a lot of time trying to figure out why SSH wasn't working for me. Same issue as @kevinneufeld: only "Personal" (or default) vault works. The other private vaults DO NOT. Is this a bug or a poorly documented feature?
0 -
@rctneil Yes, you're right that the "or" part is a bit confusing, because not every SSH client supports IdentityAgent. So we just released a brand new page to list which SSH clients support which configuration options: https://developer.1password.com/docs/ssh/agent/compatibility
It says there that ssh-add does not support IdentityAgent, for example. We're also linking to this page from the get started guide.
0 -
@nikolamilekic That's not a bug. We've listed the SSH key requirements for the SSH agent here: https://developer.1password.com/docs/ssh/agent#eligible-keys
Anything you feel that's missing there to prevent others running into the same issue?
0 -
@floris_1P I read those requirements and I understood the private vault one to mean any vault that is not shared. As I'm not the only one to come to that (wrong) conclusion I feel you need to explain it better. Instead of saying private vault how about saying "the account's default vault" (if that is indeed the case)?
Why is this requirement there to begin with? It's not intuitive (or we wouldn't be here), and it forces users to change their workflows to suit the software...
0 -
I've transferred some of my SSH keys I use frequently to 1P to do some testing, and I'm really enjoying the experience so far! However, what I don't like is that keys are locked quite fast after use. For example, Intellij frequently fetches in the background, and every time this happens I have to grant access to the key again.
It would be great if 1P would remember my choice as long as my vault is unlocked. Or even better, just remember which apps have access to a key, and don't ask me anything as long as my vault is unlocked.
What are the plans regarding this?
0 -
Like @skrtks mentioned, JetBrains IDEs constantly fetch git data, which causes 1Password to ask for permission, which is quite annoying if you have e.g. 5-6 IDEs open. I would love it if there were an option like the macOS keychain's Always Allow or something similar.
0 -
Like @skrtks mentioned, I use nvim inside of tmux and have plenty of different git integrations that are always checking the status of remote git repos. I get 1-2 ssh key requests each time I open a new shell / vim session. Or opening a transmit session over sftp (which by default opens multiple remote server connections) often ends up with 4-8 requests to unlock.
I realized that my git integrations are not the most optimized. But, an "always allow for process" would be a very nice addition.
In fact, using 1P to unlock my primary ssh identity is essentially useless for me right now as I'm constantly interrupted by authentication requests. For now, I went back to using local key files.... :(
0 -
@skrtks @aurimasniekis @negnetsolutions We've recently made some improvements in this area, especially around those consecutive prompts piling up. Could you see if it got any better now?
@nikolamilekic I agree and we're aware of this. It's a requirement we're looking to remove soon. The reason why it's there is because we need to build an opt-in mechanism to use those keys.
0 -
@floris_1P How about a special tag? Similar to how '2FA' is used to suppress 2FA warnings, or 'Apple Watch' to indicate items available on WatchOS?
0