ForwardAgent?

nielsk
Community Member
edited May 2022 in SSH

I noticed that when I log in to my server with a key that is in 1Password and then try to log in from there to other servers, I need to provide my password. Apparently ForwardAgent does not work, or do I have to do something special?


1Password Version: 8.7.0
Extension Version: Not Provided
OS Version: macOS 12.3

Comments

  • Agent forwarding should just keep on working after moving your keys to 1Password, without needing additional config. Did it work before? Did anything change?

  • putneyj
    Community Member
    edited March 2022

    I am running into the same issue. I've got ForwardAgent set for my hosts, but nothing is being passed to the first remote server to allow me to SSH into the 2nd.

  • nielsk
    Community Member

    Yes, it worked before when I added the SSH key with ssh-add to my identities, but that should not be necessary if I understood the 1Password SSH support correctly (if not, how do I add it with ssh-add?).

  • Could you guys share your ssh -v output of the second command? (That should use the forwarded agent)
    And also share the relevant SSH config.

  • nielsk
    Community Member

    Could it be that since the Certificate is not in the IdentityAgent, forwarding does not work?

    OpenSSH_7.9p1, OpenSSL 1.1.1k-freebsd 24 Aug 2021
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 1: Applying options for *
    debug1: Connecting to targethost-nfs [172.16.254.156] port 22.
    debug1: fd 3 clearing O_NONBLOCK
    debug1: Connection established.
    debug1: identity file /home/user/.ssh/id_rsa type -1
    debug1: identity file /home/user/.ssh/id_rsa-cert type -1
    debug1: identity file /home/user/.ssh/id_dsa type -1
    debug1: identity file /home/user/.ssh/id_dsa-cert type -1
    debug1: identity file /home/user/.ssh/id_ecdsa type -1
    debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
    debug1: identity file /home/user/.ssh/id_ed25519 type -1
    debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
    debug1: identity file /home/user/.ssh/id_xmss type -1
    debug1: identity file /home/user/.ssh/id_xmss-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_7.9 FreeBSD-20200214
    debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9 FreeBSD-20200214
    debug1: match: OpenSSH_7.9 FreeBSD-20200214 pat OpenSSH* compat 0x04000000
    debug1: Authenticating to targethost-nfs:22 as 'user'
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: curve25519-sha256@libssh.org
    debug1: kex: host key algorithm: ecdsa-sha2-nistp256
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ecdsa-sha2-nistp256 SHA256:9DZQE+gXw6BolwutR3GPutxfqKzlRSvjimNf9DOrXHw
    DNS lookup error: general failure
    debug1: Host 'targethost-nfs' is known and matches the ECDSA host key.
    debug1: Found key in /home/user/.ssh/known_hosts:1
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: rekey after 134217728 blocks
    debug1: Will attempt key: id_rsa_sam RSA SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU agent
    debug1: Will attempt key: /home/user/.ssh/id_rsa
    debug1: Will attempt key: /home/user/.ssh/id_dsa
    debug1: Will attempt key: /home/user/.ssh/id_ecdsa
    debug1: Will attempt key: /home/user/.ssh/id_ed25519
    debug1: Will attempt key: /home/user/.ssh/id_xmss
    debug1: SSH2_MSG_EXT_INFO received
    debug1: Fssh_kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Offering public key: id_rsa_sam RSA SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU agent
    debug1: Authentications that can continue: publickey,keyboard-interactive
    debug1: Trying private key: /home/user/.ssh/id_rsa
    debug1: Trying private key: /home/user/.ssh/id_dsa
    debug1: Trying private key: /home/user/.ssh/id_ecdsa
    debug1: Trying private key: /home/user/.ssh/id_ed25519
    debug1: Trying private key: /home/user/.ssh/id_xmss
    debug1: Next authentication method: keyboard-interactive

  • nielsk
    Community Member
    edited March 2022

    I forgot the .ssh/config-part:

    ControlPath ~/.ssh/connections/mux_%C
    ControlPersist 4h
    TCPKeepAlive no
    ServerAliveInterval 60
    ServerAliveCountMax 10
    ForwardAgent yes
    AddKeysToAgent yes
    Host *
      IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
      CertificateFile "~/.ssh/id_rsa_sam-cert.pub"
    Host host1
      HostName host1.fqdn.com
      User user
    Host destinationhost
      HostName destinationhost.fqdn.com
      User user

    The destinationhost part should be irrelevant, though, because at that point the config of the second host applies.
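The verbose log and the config above can be checked mechanically. The script below is an added example, not code from this thread or from 1Password: it parses the `ssh -v` lines nielsk posted (a trimmed copy is embedded as constructed sample input) to report which keys the client offered, whether any came from the agent, whether a certificate was offered, and whether authentication fell back to keyboard-interactive; it resolves the .ssh/config the way ssh_config(5) does (the first obtained value for an option wins, and lines before the first Host keyword apply to every host); and it flags when IdentityAgent and SSH_AUTH_SOCK name different sockets, which is the mismatch several posters later in the thread find matters for forwarding. Function names, the constructed SSH_AUTH_SOCK path, and the skipping of Match blocks are assumptions of this example.

```python
"""Read `ssh -v` output and ssh_config to pin down why agent forwarding fails.

Added example, not code from the thread or from 1Password. Sample inputs are
constructed from the log and config excerpt nielsk posted above.
"""
import fnmatch
import os
import re

# Constructed sample: a trimmed subset of the `ssh -v` output in the thread.
SAMPLE_VERBOSE = """\
debug1: Authenticating to targethost-nfs:22 as 'user'
debug1: Will attempt key: id_rsa_sam RSA SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU agent
debug1: Will attempt key: /home/user/.ssh/id_rsa
debug1: Next authentication method: publickey
debug1: Offering public key: id_rsa_sam RSA SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU agent
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /home/user/.ssh/id_rsa
debug1: Next authentication method: keyboard-interactive
"""

# Constructed sample: the relevant part of the posted .ssh/config.
SAMPLE_CONFIG = """\
ForwardAgent yes
AddKeysToAgent yes
Host *
  IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
  CertificateFile "~/.ssh/id_rsa_sam-cert.pub"
Host host1
  HostName host1.fqdn.com
  User user
"""

# "Offering public key: <name> <type> <fingerprint>[ agent]" as OpenSSH 7.x prints it;
# a certificate shows up with a key type ending in -CERT.
OFFER_RE = re.compile(r"Offering public key: (\S+) (\S+) (SHA256:\S+)(.*)$")


def analyse_verbose(log_text):
    """Summarise what the client actually offered and how authentication ended."""
    offered = []
    for line in log_text.splitlines():
        m = OFFER_RE.search(line)
        if m:
            name, ktype, fp, rest = m.groups()
            offered.append({"name": name, "type": ktype, "fingerprint": fp,
                            "from_agent": "agent" in rest.split(),
                            "certificate": ktype.endswith("-CERT")})
    methods = re.findall(r"Next authentication method: (\S+)", log_text)
    return {
        "offered": offered,
        "cert_offered": any(k["certificate"] for k in offered),
        "agent_keys_offered": sum(k["from_agent"] for k in offered),
        "publickey_accepted": "Server accepts key:" in log_text,
        # publickey was tried and the client moved on to another method
        "fell_back_to": methods[-1] if methods and methods[-1] != "publickey" else None,
    }


def resolve_ssh_config(config_text, host):
    """Options ssh(1) would use for `host` (keys lower-cased, quotes stripped).

    First obtained value wins, as in ssh_config(5); lines before any Host keyword
    apply to all hosts. Match blocks are treated as not matching (assumption).
    """
    result, active = {}, True
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if key == "host":
            pats = value.split()
            active = (any(fnmatch.fnmatchcase(host, p) for p in pats if not p.startswith("!"))
                      and not any(fnmatch.fnmatchcase(host, p[1:]) for p in pats if p.startswith("!")))
        elif key == "match":
            active = False
        elif active and key not in result:
            result[key] = value
    return result


def _expand(path):
    return os.path.expanduser(path) if path else path


def agent_diagnosis(config_text, host, environ):
    """Compare the agent named by IdentityAgent with the one in SSH_AUTH_SOCK."""
    opts = resolve_ssh_config(config_text, host)
    identity_agent = _expand(opts.get("identityagent"))
    auth_sock = _expand(environ.get("SSH_AUTH_SOCK"))
    forward = opts.get("forwardagent", "no").lower()
    findings = []
    if forward != "yes":
        findings.append("ForwardAgent is not enabled for this host")
    if identity_agent and auth_sock and identity_agent != auth_sock:
        findings.append("IdentityAgent and SSH_AUTH_SOCK point at different agents")
    if identity_agent and not auth_sock:
        findings.append("SSH_AUTH_SOCK is unset; only IdentityAgent names an agent")
    return {"identity_agent": identity_agent, "ssh_auth_sock": auth_sock,
            "forward_agent": forward, "findings": findings}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse_verbose(SAMPLE_VERBOSE), indent=2))
    print(json.dumps(agent_diagnosis(SAMPLE_CONFIG, "host1", dict(os.environ)), indent=2))
```

Run it against a real session by piping `ssh -v host 2>&1` into `analyse_verbose` and `cat ~/.ssh/config` into `resolve_ssh_config`; on the sample input it reports one key offered from the agent, no certificate offered, and a fallback to keyboard-interactive, which is exactly the symptom in the log above, while the config check shows ForwardAgent enabled and an IdentityAgent that is only the agent if SSH_AUTH_SOCK agrees with it.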

  • Could it be that since the Certificate is not in the IdentityAgent, forwarding does not work?

    Yes, that could very well be the culprit. What happens if you SSH from the forwarded host into a host that does not require certificates, e.g. ssh -T git@github.com?

  • nielsk
    Community Member

    It works when I try to move to a host that doesn't require a certificate: the unlock pop-up comes from 1Password, and I can log in.

  • nielsk
    Community Member

    Any news here? I switched off the feature again because of the algorithm and ForwardAgent problems.

  • d8kda
    Community Member

    From macOS to Linux, using IdentityAgent and ForwardAgent doesn't work.
    Using SSH_AUTH_SOCK does work.
    1Password for Mac 8.8.0.
    Please fix!

  • spacehog
    Community Member

    Hi
    Same problem here.
    Forwarding is not working with the 1Password agent. I get "Permission denied (publickey)." when trying to ssh to the second server.

  • Jack.P_1P
    edited November 2022

    Hi @spacehog:

    Do you have IdentityAgent, SSH_AUTH_SOCK, or both configured to use the 1Password SSH agent on your local machine? Let me know!

    Jack

  • spacehog
    Community Member

    Hi Jack,
    I use IdentityAgent for 1Password. But I totally forgot I also have SSH_AUTH_SOCK that points to my keychain SSH agent. I guess I have to disable the keychain SSH agent before retrying.
    I'll tell you if it resolves my problem.

  • br_
    Community Member

    I'm trying to forward my 1Password SSH agent running on Windows 11, and when logging into my server it just hangs before showing a prompt. I can ^c and it cancels the connection, so it's probably also before a terminal is properly allocated?

    Anyway, I honestly have no idea what's going on here, but I'm hoping someone might be able to let me know if this is some sort of bug or limitation, or if I have something set wrong on my server. Thank you!

  • spacehog
    Community Member

    @Jack I have made some progress.
    I have a private key file for the second server, if I add it in 1Password, forwarding works.
    But if I try to add it via ssh-add, I get an error:
    Could not add identity "keys": agent refused operation

    It's funny because ssh-add -l works well and lists all my private keys from 1Password.

    The SSH_AUTH_SOCK points to ~/.1password/agent.sock.

  • spacehog
    Community Member
    edited November 2022

    Here is the message I have found in 1Password logs:
    Unsupported message sent to agent: AddIdentity

  • spacehog
    Community Member

    @Jack.P_1P Do you have an idea of what could cause the error message when using ssh-add?

  • Hi @spacehog:

    Thanks for sharing that. Adding keys to the 1Password SSH agent can only be done directly from 1Password, not by using ssh-add. With that said, we have an internal issue tracking being unable to use ssh-add to import keys into 1Password, so I'll share your feedback with the team.

    ref: dev/core/core#13363

    @br_:

    We'd likely have to take a closer look at your specific setup. Please email us at businesssupport@1password.com mentioning that you're having trouble with SSH forwarding, and we'll be in touch.

    Jack

  • proza
    Community Member
    edited March 2023

    Same here: forwarding doesn't work anymore when ssh'ing from another machine into this one until you comment out the IdentityAgent line.

    Host *
            ForwardAgent yes
            IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

    (I log in from one MacBook Air to a MacBook Pro; both have 1Password.)

  • Hi @proza:

    Thanks for sharing. We're continuing to investigate how we can make this smoother when connecting to a host that also has 1Password SSH Agent enabled, so thanks for your feedback!

    Jack

This discussion has been closed.