Currently, the 1Password SSH agent only works with keys in the Personal or Private vaults. It would be great to expand this feature to work for shared vaults. That would be very helpful for development teams, particularly, to prevent everyone in the team from adding the private keys to their machines which is less safe and makes rotation troublesome. 1Password Version: 1Password 8.7.0 Extension Version: Not Provided OS Version: MacOS 12.3

clowa the feature was released to stable with version 8.10.8 (released yesterday) and is documented here: https://developer.1password.com/docs/ssh/agent/config/

We're working on a way to opt in to using keys from other vaults. If we'd offer such a mechanism, would you prefer an opt in per vault or per individual key?

I'd really like this, too. I finally got a chance to check out the new ssh functionality and ended up bailing out when I ran into this limitation. In all of my accounts -- a mix of multiple family accounts and a business account -- we don't use the personal vaults at all. On the family side, my spouse and I need access to each other's and our kids' and elderly relatives' complete collections, while at work, we want to be able to access a former employee's items without going through the fuss of doing an email-based password reset. (For more about this, see this discussion, this one, and this one.) Thus, this feature is basically unusable to me right now. I'm playing around with somehow hooking things up with the op command, but I'm not sure it's worth the effort. As for the opt-in, I'd definitely prefer per-key. Especially in a team setting, I can envision a number of scenarios where one has a bunch of shared keys in various vaults, most/all of which can't be relocated to other vaults, so having to opt-in all those vaults would mean potentially checking many more keys. That often would force you to go the trouble of downloading the public keys and linking them up in the config file, or at least living with a slower auth process. That said, it'd be nice to also get vault-level opt-in at some later date :-).

Any updates on this? Such as whether it's on the near-term radar yet, or if it's still at the discussion phase? I love the feature, but it's totally useless to me being tied to the Private/Personal vault. I also have a project at work for the devops team to distribute managed keys to the engineers via 1P like we do for some passwords, but it's on hold because of this limitation.

We're working on it, but cannot share any specifics related to the timeline of this project.

Feature request: Make the SSH agent work with any vault

1P_Tommy
Moderator
2 years ago
Thanks matteocontrini for that assist.
matteocontrini
Occasional Contributor
2 years ago
clowa the feature was released to stable with version 8.10.8 (released yesterday) and is documented here: https://developer.1password.com/docs/ssh/agent/config/
clowa
New Contributor
2 years ago
Hi floris_1P, so sorry, totally misted your great news. Unfortunately I don't use slack, any other option to still get the instructions on how to use this feature? Or is this the price I have to pay :D
Former Member
2 years ago
Hi @Johana24, thanks for your interest! You can join the #ssh-agent-config channel in our Slack workspace to see the latest updates and instructions on how to try out the feature in the Nightly release. We'd love to hear your feedback!
Former Member
2 years ago
Thanks, I am really interested, any update?
lantrix
New Contributor
2 years ago
Thanks. Still interested, will join that channel.
Former Member
2 years ago
floris_1P, great news. Glad to hear that.
floris_1P
1Password Team
2 years ago
@ismael092 BobW @zfreeds @1Jeff @JustSomeNobody @TinTheParkin @nowayswiveltyro wojo @gparera @Raggaer clowa lantrix

I wanted to let you know that we're currently working on a solution that allows for the following:
- Enable keys from other vaults than the Private vault.
- Create isolated setups with certain keys offered on a separate socket.
- Control the order in which keys are offered to SSH servers.

It would be great to get your feedback on our proposal, if you're (still) interested. You can do so by joining the #ssh-agent-config channel in our Slack workspace.
lantrix
New Contributor
2 years ago
Same here. The SSH agent has been a game changer, especially for my work account. But having to duplicate the teams SSH key into private makes it onerous. Great to see you're working on it.
Jack_P_1P
1Password Team
3 years ago
Hi clowa:

Thanks for sharing, and glad to hear you like 1Password SSH Agent so far! 🙂

Jack