SSH Agent Forwarding

jeffutter
Community Member
edited March 22 in SSH

I'm really enjoying using 1Password as an ssh-agent with biometric unlock. I'm wondering if it's possible to forward the SSH agent, though.

Scenario:

I have two macs with 1Password setup with biometric unlock for ssh keys (work machine and personal).
Occasionally, I want to log in from my personal machine and git push on my work machine. If I attempt to do this now, I get errors like this:

sign_and_send_pubkey: signing failed for ED25519 "/Users/MyName/.ssh/id_ed25519" from agent: agent refused operation
sign_and_send_pubkey: signing failed for RSA "SSH Key" from agent: agent refused operation
[email protected]: Permission denied (publickey).

I think what's happening is that ssh on my work machine is trying to use the 1password agent with biometric unlock, but the machine is locked (display asleep) so the biometric prompt is immediately dismissed and the auth fails.

I'm wondering if I can forward the SSH agent from my personal machine to the work machine. I would expect ssh -A work to handle this, but it seems to get the same error as above.

Any ideas on how to do this, or do I have to forgo biometric unlock if I want to ssh between the machines remotely?


1Password Version: 8.7.0
Extension Version: Not Provided
OS Version: macOS 12.3

Comments

  • jc00ke
    Community Member

    I'd be interested in the solution to this w/o biometric unlock for the Linux use case. I have 2 Linux machines, one laptop and one desktop. I'm currently ssh'd into the desktop but I can't then SSH tunnel that machine to another because I can't unlock the desktop. Hopefully that makes sense.

  • Michael Mercurio
    Community Member

    This is also a problem for me. I have agent forwarding enabled in my ~/.ssh/config. I also have 1Password configured as the IdentityAgent like this:

    Host *
        IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
        ForwardAgent yes
    

    When I ssh into my iMac remotely and then attempt to use ssh from there (e.g., via git) the option for IdentityAgent is used (i.e., the locked 1Password as the agent) and NOT the forwarded agent from my local MacBook. I would like the forwarded agent to be used instead of the locked 1Password on my remote iMac.

    I suspect this is not a problem specific to 1Password, and instead related to how the OpenSSH options for ForwardAgent and IdentityAgent interact.

    Does anyone know of a way to configure the OpenSSH client to prefer the forwarded agent over the configured IdentityAgent?

    As a workaround for this I often disable the IdentityAgent option (comment it out in my ~/.ssh/config) when I'm ssh'd in remotely, but this is a pain and not ideal. You could also disable the option via command line but this is also not ideal, and not really possible when ssh is used via git and similar.

  • Michael Mercurio
    Community Member
    edited June 4

    This seems to work for me.

    Instead of configuring 1Password's SSH Agent via ~/.ssh/config, I instead rely on the environment variable SSH_AUTH_SOCK. In my ~/.zshrc I do this:

    # Set SSH_AUTH_SOCK to use 1Password as SSH Agent when not ssh'd in remotely.
    # SSH_TTY is quoted so the test is well-formed when the variable is unset,
    # and the value is exported so child processes (ssh, git) actually see it.
    if [ -z "$SSH_TTY" ]; then
        export SSH_AUTH_SOCK="$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
    fi
    

    This gives me the behavior I'm looking for: when I'm working on my Mac locally (SSH_TTY is not set), the local instance of 1Password is used. When I'm ssh'd into my Mac remotely, the forwarded agent is used (I have ForwardAgent yes in my ~/.ssh/config, as indicated in my previous post). This allows me to always use the 1Password instance running on my local Mac, even when ssh'd into another host remotely and that host may also be running 1Password.

    I'm curious if there are other ways to accomplish this.

    Cheers,
    Michael

    Update: oops. I had the logic reversed in my original post. fixed.

  • Michael Mercurio
    Community Member

    Today, I realized a shortcoming of the solution I posted above. It doesn't work when calling ssh from non-interactive terminal sessions such as iTerm Profiles or other apps not launched from the terminal. In these cases, SSH_AUTH_SOCK is not set and 1Password is not used as the SSH Agent.

    The ideal solution would be if OpenSSH had a way to configure multiple SSH Agents to use in priority order, but I'm not aware such a thing exists.

    For the basic case of SSH Agent forwarding as asked by the OP, the solution I proposed works well for me.

  • fliphess
    Community Member
    edited June 28

    I have the same issue, but because I'm using multiple SSH keys and I use the IdentityFile option as mentioned in the advanced config (https://developer.1password.com/docs/ssh/agent/advanced) to select a specific key to each server, I cannot use the snippet mentioned earlier in this thread because that gives me the error from the openssh agent:

    Load key "<mykey>.pub": invalid format
    

    Both the IdentityFile and the IdentityAgent options support environment variables, so I could create a mapping to set the IdentityFile for each host using env vars, and set it to an empty string if connecting over SSH, but with more than 50 entries in my ssh config and a separate key for each host, this makes my profile settings and ssh_config overly complex.

    Is there anyone that found a better solution to work around this?

  • mjakl
    Community Member

    I specify the forwarded agent explicitly when I need it (which is correctly set in the $SSH_AUTH_SOCK environment variable):

    ssh -o IdentityAgent=$SSH_AUTH_SOCK your.host.name
    

    For git, this would be (solving the OP's question):

    GIT_SSH_COMMAND="ssh -o IdentityAgent=$SSH_AUTH_SOCK" git push
    

    Background: The agent forwarding works fine, but the IdentityAgent setting in .ssh/config takes precedence over the SSH_AUTH_SOCK environment variable set by ssh. It seems to be possible to use environment variables in the .ssh/config file as well (specifically for the IdentityAgent setting), but I believe this won't work for non-terminal applications.

    It's not perfect, but works for me.

    HTH
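The precedence mjakl describes (IdentityAgent in ~/.ssh/config beats the SSH_AUTH_SOCK that agent forwarding sets) can be resolved inside ssh_config itself, which also covers the non-interactive cases Michael ran into and leaves fliphess's per-host IdentityFile entries untouched. The fragment below is an added example, not configuration posted in this thread or shipped by 1Password. It assumes a reasonably current OpenSSH: Match exec, IdentityAgent, and the literal value IdentityAgent SSH_AUTH_SOCK (which tells ssh to read the socket path from the environment variable) are all documented in current ssh_config(5); the 1Password socket path is the macOS one quoted above, and "work" is a placeholder host name.

```sshconfig
# ~/.ssh/config  (added example, not from the thread)

# sshd sets SSH_CONNECTION for every incoming session, including ones
# without a pty such as `ssh work git push` (SSH_TTY is only set when a
# pty was allocated). Match exec runs the command with your shell; piping
# env through grep avoids having to quote a variable inside the argument.
# When it succeeds we are "inside" an ssh session, so use the agent that
# the outer session forwarded instead of the (locked) local 1Password.
Match exec "env | grep -q ^SSH_CONNECTION="
    IdentityAgent SSH_AUTH_SOCK

# ssh_config is first-match-wins per keyword, so the block above has
# already fixed IdentityAgent for remote sessions; everything else (local
# terminal, git, iTerm profiles, GUI apps) lands here and uses 1Password.
Host *
    IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

# Forward the agent only to hosts you administer: anyone with root on the
# forwarded-to host can use your agent (and trigger biometric prompts)
# for as long as the session is open.
Host work
    ForwardAgent yes
```

To check what ssh will actually use, run `ssh -G work | grep -i identityagent` on each machine (it prints the resolved value after all Host and Match blocks are applied), and `ssh-add -l` on the remote side to confirm the forwarded agent answers and lists the expected keys. Per-host IdentityFile entries keep working because only the socket changes, so the 1Password instance on the machine you are typing at must hold the same keys. If you forget -A, the remote ssh then has no agent at all and fails for lack of keys rather than with "agent refused operation".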
