Private Keys in Shared Vaults

JacksonB
JacksonB
Community Member

I was able to add in a couple of private keys to my Personal vault and those worked without any issue. I received the validation prompt indicating the source application and my ability to confirm.

But as soon as I tried to log in with a key stored in a Shared Vault in my Teams account it was not available to log in to the remote hosts that require that key. If I moved the key back to my Personal vault then it worked without issue.

Is this by design or am I missing a setting somewhere to make this available?


1Password Version: 8.6.0
Extension Version: Not Provided
OS Version: macOS 12.3

Comments

  • Fooligan
    Fooligan
    Community Member

    Hi @JacksonB

    I think this is currently by design.

    See here:

    SSH agent

    The 1Password SSH agent uses the SSH keys you have saved in 1Password to seamlessly integrate with your Git and SSH workflows. It authenticates your Git and SSH clients without those clients ever being able to read your private key.

    In fact, your private key never even leaves the 1Password app. The SSH agent works with the SSH keys stored in your Private vault, but never without your consent. Only SSH clients you explicitly authorize will be able to use your SSH keys until 1Password locks.

  • Yes, this is by design. We're planning to add support for other vaults too, but we'll need to provide an opt-in mechanism for that to avoid any unwanted behavior in a collaboration setting.

  • sifutommy
    sifutommy
    Community Member

    It appears to me that it's not just that it doesn't work with shared vaults, but that it only works the default "personal" vault. I have an additional vault that is not shared into which I put my keys and it still doesn't work. It would be nice if it worked with all private vaults, but minimally this should be called out more explicitly in the docs. Without a way to list identities in the agent, it's hard to figure out what's going on when it doesn't work.

  • @sifutommy Thanks for your feedback. We do mention the vaults limitation in multiple places in the docs, in the most explicit form here: https://developer.1password.com/docs/ssh/agent#eligible-keys, as well in the 1Password preferences pane.
    Any suggestions on where else you'd expect it to be covered are very welcome!

    And about listing identities, you can use ssh-add with SSH_AUTH_SOCK:

    SSH_AUTH_SOCK=~/.1password/agent.sock ssh-add -l
    
This discussion has been closed.