ForwardAgent?

nielsk Junior Member
Community Member
edited May 3 in SSH

I noticed that when I log in to my server with a key that is in 1Password and I try to log in from there to other servers, I need to provide my password. Apparently ForwardAgent does not work, or do I have to do something special?


1Password Version: 8.7.0
Extension Version: Not Provided
OS Version: macOS 12.3

Comments

  • floris_1P

    Team Member

    Agent forwarding should just keep on working after moving your keys to 1Password, without needing additional config. Did it work before? Did anything change?

  • putneyj
    Community Member
    edited March 21

    I am running into the same issue. I've got ForwardAgent set for my hosts, but nothing is being passed to the first remote server to allow me to SSH into the 2nd.

  • nielsk Junior Member
    Community Member

    Yes, it worked before, when I added the ssh-key with ssh-add to my identities, but that is not necessary if I understood the 1Password SSH support correctly (if not, how do I add it with ssh-add?).

  • floris_1P

    Team Member

    Could you guys share your ssh -v output of the second command? (That should use the forwarded agent)
    And also share the relevant SSH config.

  • nielsk Junior Member
    Community Member

    Could it be that since the Certificate is not in the IdentityAgent, forwarding does not work?

    OpenSSH_7.9p1, OpenSSL 1.1.1k-freebsd 24 Aug 2021
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 1: Applying options for *
    debug1: Connecting to targethost-nfs [172.16.254.156] port 22.
    debug1: fd 3 clearing O_NONBLOCK
    debug1: Connection established.
    debug1: identity file /home/user/.ssh/id_rsa type -1
    debug1: identity file /home/user/.ssh/id_rsa-cert type -1
    debug1: identity file /home/user/.ssh/id_dsa type -1
    debug1: identity file /home/user/.ssh/id_dsa-cert type -1
    debug1: identity file /home/user/.ssh/id_ecdsa type -1
    debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
    debug1: identity file /home/user/.ssh/id_ed25519 type -1
    debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
    debug1: identity file /home/user/.ssh/id_xmss type -1
    debug1: identity file /home/user/.ssh/id_xmss-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_7.9 FreeBSD-20200214
    debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9 FreeBSD-20200214
    debug1: match: OpenSSH_7.9 FreeBSD-20200214 pat OpenSSH* compat 0x04000000
    debug1: Authenticating to targethost-nfs:22 as 'user'
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: [email protected]
    debug1: kex: host key algorithm: ecdsa-sha2-nistp256
    debug1: kex: server->client cipher: [email protected] MAC: compression: none
    debug1: kex: client->server cipher: [email protected] MAC: compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ecdsa-sha2-nistp256 SHA256:9DZQE+gXw6BolwutR3GPutxfqKzlRSvjimNf9DOrXHw
    DNS lookup error: general failure
    debug1: Host 'targethost-nfs' is known and matches the ECDSA host key.
    debug1: Found key in /home/user/.ssh/known_hosts:1
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: rekey after 134217728 blocks
    debug1: Will attempt key: id_rsa_sam RSA SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU agent
    debug1: Will attempt key: /home/user/.ssh/id_rsa
    debug1: Will attempt key: /home/user/.ssh/id_dsa
    debug1: Will attempt key: /home/user/.ssh/id_ecdsa
    debug1: Will attempt key: /home/user/.ssh/id_ed25519
    debug1: Will attempt key: /home/user/.ssh/id_xmss
    debug1: SSH2_MSG_EXT_INFO received
    debug1: Fssh_kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Offering public key: id_rsa_sam RSA SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU agent
    debug1: Authentications that can continue: publickey,keyboard-interactive
    debug1: Trying private key: /home/user/.ssh/id_rsa
    debug1: Trying private key: /home/user/.ssh/id_dsa
    debug1: Trying private key: /home/user/.ssh/id_ecdsa
    debug1: Trying private key: /home/user/.ssh/id_ed25519
    debug1: Trying private key: /home/user/.ssh/id_xmss
    debug1: Next authentication method: keyboard-interactive

  • nielsk Junior Member
    Community Member
    edited March 23

    I forgot the .ssh/config-part:

    ControlPath ~/.ssh/connections/mux_%C
    
    ControlPersist 4h
    TCPKeepAlive no
    ServerAliveInterval 60
    ServerAliveCountMax 10
    ForwardAgent yes
    AddKeysToAgent yes
    Host *
      IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
      CertificateFile "~/.ssh/id_rsa_sam-cert.pub"
    
    Host host1
      HostName host1.fqdn.com
      User user
    Host destinationhost
      HostName destinationhost.fqdn.com
      User user
    

    The destination-host-part should be irrelevant though because it depends then on the second host.

  • floris_1P

    Team Member

    Could it be that since the Certificate is not in the IdentityAgent, forwarding does not work?

    Yes, that could very well be the culprit. What happens if you SSH from the forwarded host into a host that does not require certificates, e.g. ssh -T [email protected]?

  • nielsk Junior Member
    Community Member

    It works when I try to move to a host that doesn't require a certificate -- the unlock-pop up comes from 1password, and I can log in.
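    An added diagnostic, not from the thread and not 1Password's code, that classifies one hop's ssh -v output the way the exchange above was read: it separates "an agent key was offered, the server did not accept it, and no certificate was offered" from "no agent key reached this host at all" and from success. The sample log lines are constructed after the -v output posted earlier in this thread (the Offering/Server accepts/Authentication succeeded wording is OpenSSH's debug1 output; a certificate shows up with a -CERT key type). The remediation text rests on ssh_config(5): CertificateFile pairs a certificate with a private key that may live in ssh-agent, so copying the public -cert.pub file to the jump host and setting CertificateFile in that host's ssh config is a way to use the forwarded key together with the certificate when the agent itself cannot hold the certificate. The verdict names, the analyze_ssh_verbose function and the advice strings are my own.

```python
import re

# Constructed sample, shaped like the `ssh -v` output posted in this thread:
# the forwarded agent offers the raw key, the server does not accept it, and
# the client falls through to keyboard-interactive.
SAMPLE_AGENT_KEY_NO_CERT = """\
debug1: Will attempt key: id_rsa_sam RSA SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU agent
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: id_rsa_sam RSA SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU agent
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /home/user/.ssh/id_rsa
debug1: Next authentication method: keyboard-interactive
"""

# Constructed: the same agent key, now paired with its certificate (-CERT type) and accepted.
SAMPLE_CERT_ACCEPTED = """\
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_rsa_sam-cert.pub RSA-CERT SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU agent
debug1: Server accepts key: /home/user/.ssh/id_rsa_sam-cert.pub RSA-CERT SHA256:jzuBd+ulgpxou9emJu1RRvIn9bf6plMl0E4mhQLHZvU agent
debug1: Authentication succeeded (publickey).
"""

# Constructed: no agent key reached the jump host at all (nothing was forwarded).
SAMPLE_NO_AGENT = """\
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user/.ssh/id_rsa
debug1: Next authentication method: keyboard-interactive
"""

# "Offering public key: <name> <type> <fingerprint>[ agent]"; the trailing
# word marks identities that came from ssh-agent rather than a file.
OFFER_RE = re.compile(
    r"^debug1: Offering public key: (?P<name>\S+) (?P<type>\S+) "
    r"(?P<fp>SHA256:\S+)(?P<agent> agent)?$"
)
SUCCESS_RE = re.compile(r"^debug1: Authentication succeeded \((?P<method>\w+)\)\.")
NEXT_METHOD_RE = re.compile(r"^debug1: Next authentication method: (?P<method>[\w-]+)")

# Verdict names and advice are this example's own, not OpenSSH or 1Password terms.
ADVICE = {
    "ok": "Public-key authentication succeeded; nothing to fix.",
    "agent-key-without-certificate": (
        "The forwarded agent offered only a plain key and the server moved on, so this "
        "host likely requires a certificate. The agent does not carry the certificate; "
        "ssh pairs a certificate with an agent-held key through CertificateFile, which is "
        "read on the host where this ssh runs. Copy the public -cert.pub file to the jump "
        "host and point CertificateFile at it in that host's ssh config."
    ),
    "no-agent-key": (
        "No key was offered from an agent, so nothing was forwarded: check that "
        "SSH_AUTH_SOCK is set on the jump host and that the local client really "
        "forwarded the 1Password socket."
    ),
    "unknown": "Could not classify this log; read the full -v output.",
}


def analyze_ssh_verbose(log: str) -> dict:
    """Classify one hop's `ssh -v` output by what was offered and what happened next."""
    offers, fallbacks, succeeded = [], [], None
    for raw in log.splitlines():
        line = raw.strip()
        m = OFFER_RE.match(line)
        if m:
            offers.append({"name": m["name"], "type": m["type"],
                           "fingerprint": m["fp"], "from_agent": m["agent"] is not None})
            continue
        m = SUCCESS_RE.match(line)
        if m:
            succeeded = m["method"]
            continue
        m = NEXT_METHOD_RE.match(line)
        if m and m["method"] != "publickey":
            fallbacks.append(m["method"])  # publickey was exhausted without success
    agent_keys = [o["name"] for o in offers if o["from_agent"]]
    certs = [o["name"] for o in offers if o["type"].endswith("-CERT")]
    if succeeded == "publickey":
        verdict = "ok"
    elif agent_keys and not certs and fallbacks:
        verdict = "agent-key-without-certificate"
    elif not agent_keys and fallbacks:
        verdict = "no-agent-key"
    else:
        verdict = "unknown"
    return {"verdict": verdict, "agent_keys": agent_keys, "certificates_offered": certs,
            "fell_back_to": fallbacks, "advice": ADVICE[verdict]}


if __name__ == "__main__":
    for label, sample in (("agent key, no cert", SAMPLE_AGENT_KEY_NO_CERT),
                          ("cert accepted", SAMPLE_CERT_ACCEPTED),
                          ("no agent", SAMPLE_NO_AGENT)):
        result = analyze_ssh_verbose(sample)
        print(f"{label}: {result['verdict']}\n  {result['advice']}")
```

    Feed it the saved ssh -v output of the second hop (the command run on the jump host). The patterns key on OpenSSH's debug1 wording, so a different build or a much newer release may phrase these lines differently and land in the "unknown" bucket.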

  • nielsk Junior Member
    Community Member

    Any news here? I switched off the feature again because of the algorithm and ForwardAgent problems.

  • d8kda
    Community Member

    From MacOS to Linux, using IdentityAgent and ForwardAgent doesn't work.
    Using SSH_AUTH_SOCK does work.
    1Password for Mac 8.8.0.
    Please fix!

  • spacehog
    Community Member

    Hi
    Same problem here.
    Forwarding is not working with the 1Password agent. I get a "Permission denied (publickey)." when trying to ssh to the second server.

  • Jack.P_1P

    Team Member
    edited November 18

    Hi @spacehog:

    Do you have IdentityAgent, SSH_AUTH_SOCK, or both configured to use the 1Password SSH agent on your local machine? Let me know!

    Jack

  • spacehog
    Community Member

    Hi Jack,
    I use IdentityAgent for 1Password. But I totally forgot I also have SSH_AUTH_SOCK pointing to my keychain SSH agent. I guess I have to disable the keychain SSH agent before retrying.
    I’ll tell you if it resolves my problem.

  • br_
    Community Member

    I'm trying to forward my 1Password SSH agent running on Windows 11, and when logging into my server it just hangs before showing a prompt. I can ^c and it cancels the connection, so it's probably also before a terminal is properly allocated?

    Anyway, I honestly have no idea what's going on here, but I'm hoping someone might be able to let me know if this is some sort of bug or limitation, or if I have something set wrong on my server. Thank you!

  • spacehog
    Community Member

    @Jack I have made some progress.
    I have a private key file for the second server, if I add it in 1Password, forwarding works.
    But if I try to add it via ssh-add, I get an error:
    Could not add identity "keys": agent refused operation

    It's funny because ssh-add -l works well and lists all my private keys from 1Password.

    SSH_AUTH_SOCK points to ~/.1password/agent.sock.

  • spacehog
    Community Member
    edited November 21

    Here is the message I have found in 1Password logs:
    Unsupported message sent to agent: AddIdentity

  • spacehog
    Community Member

    @Jack.P_1P Do you have an idea of what could cause the error message when using ssh-add?

  • Jack.P_1P

    Team Member

    Hi @spacehog:

    Thanks for sharing that. Adding keys to the 1Password SSH agent can only be done directly from 1Password, not by using ssh-add. With that said, we have an internal issue tracking being unable to use ssh-add to import keys into 1Password, so I'll share your feedback with the team.

    ref: dev/core/core#13363

    @br_:

    We'd likely have to take a closer look at your specific setup. Please email us at [email protected] mentioning that you're having trouble with SSH forwarding, and we'll be in touch.

    Jack
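    To make the ssh-add behaviour above concrete, here is an added example that is neither 1Password's code nor from the thread: it speaks the ssh-agent wire protocol against a stub agent served on a temporary Unix socket. The stub answers SSH_AGENTC_REQUEST_IDENTITIES (the request behind ssh-add -l) but replies SSH_AGENT_FAILURE to SSH_AGENTC_ADD_IDENTITY (the request behind ssh-add <file>), and a FAILURE reply to an add request is exactly what ssh-add reports as "agent refused operation". The message numbers and framing are from the SSH agent protocol draft (draft-miller-ssh-agent); the identity list, its key blob and the add-identity payload are placeholders, not real encoded keys. This list-and-sign socket is also what ForwardAgent hands to a jump host, which is why the private key itself never leaves the machine running the agent.

```python
import os
import socket
import struct
import tempfile
import threading

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_ADD_IDENTITY = 17

# Constructed identity list served by the stub agent; the blob is a
# placeholder, not a real encoded public key.
STUB_IDENTITIES = [(b"ssh-ed25519-blob-placeholder", b"id_ed25519_demo")]


def _string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def recv_message(sock):
    """Read one framed agent message: uint32 length, byte type, payload."""
    (length,) = struct.unpack(">I", _read_exact(sock, 4))
    body = _read_exact(sock, length)
    return body[0], body[1:]


def send_message(sock, msg_type: int, payload: bytes = b"") -> None:
    sock.sendall(_string(bytes([msg_type]) + payload))


def parse_identities_answer(payload: bytes):
    """IDENTITIES_ANSWER body: uint32 nkeys, then (string blob, string comment) * nkeys."""
    (nkeys,) = struct.unpack(">I", payload[:4])
    off, identities = 4, []
    for _ in range(nkeys):
        (blob_len,) = struct.unpack(">I", payload[off:off + 4]); off += 4
        blob = payload[off:off + blob_len]; off += blob_len
        (comment_len,) = struct.unpack(">I", payload[off:off + 4]); off += 4
        comment = payload[off:off + comment_len]; off += comment_len
        identities.append((blob, comment.decode()))
    return identities


def list_identities(sock):
    """What `ssh-add -l` does on the wire: REQUEST_IDENTITIES, then parse the answer."""
    send_message(sock, SSH_AGENTC_REQUEST_IDENTITIES)
    msg_type, payload = recv_message(sock)
    if msg_type != SSH_AGENT_IDENTITIES_ANSWER:
        raise RuntimeError(f"unexpected reply type {msg_type}")
    return parse_identities_answer(payload)


def add_identity(sock, key_payload: bytes) -> bool:
    """What `ssh-add <file>` does after parsing the key: ADD_IDENTITY.
    A FAILURE reply is what ssh-add prints as 'agent refused operation'."""
    send_message(sock, SSH_AGENTC_ADD_IDENTITY, key_payload)
    msg_type, _ = recv_message(sock)
    return msg_type == SSH_AGENT_SUCCESS


def _stub_agent(listener: socket.socket, stop: threading.Event) -> None:
    """Stub modelled on the thread's observation: lists identities, refuses everything else."""
    listener.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        with conn:
            try:
                while True:
                    msg_type, _payload = recv_message(conn)
                    if msg_type == SSH_AGENTC_REQUEST_IDENTITIES:
                        body = struct.pack(">I", len(STUB_IDENTITIES))
                        for blob, comment in STUB_IDENTITIES:
                            body += _string(blob) + _string(comment)
                        send_message(conn, SSH_AGENT_IDENTITIES_ANSWER, body)
                    else:
                        send_message(conn, SSH_AGENT_FAILURE)
            except ConnectionError:
                pass


def run_demo():
    """Serve the stub on a temporary socket, run both requests, return (identities, add_ok)."""
    sock_dir = tempfile.mkdtemp()
    sock_path = os.path.join(sock_dir, "agent.sock")
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(sock_path)
    listener.listen(1)
    stop = threading.Event()
    thread = threading.Thread(target=_stub_agent, args=(listener, stop), daemon=True)
    thread.start()
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
            client.connect(sock_path)
            identities = list_identities(client)
            add_ok = add_identity(client, b"constructed-private-key-payload")
    finally:
        stop.set()
        thread.join()
        listener.close()
        os.unlink(sock_path)
        os.rmdir(sock_dir)
    return identities, add_ok


if __name__ == "__main__":
    ids, ok = run_demo()
    print("agent lists:", [comment for _blob, comment in ids])
    print("ADD_IDENTITY accepted:", ok)
```

    Against a real agent the same two requests are what distinguish the two outcomes spacehog saw: a listing request is answered with the 1Password identities, while an add request gets a bare FAILURE, logged on the 1Password side as an unsupported AddIdentity message.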
