SSH Agent Offers Local Key

kaelri
Community Member

Hello! I’m trying to get started using 1Password SSH agent. It looks like I’ve done everything right, but I can’t get the agent to actually offer my key when connecting to a server.

Running ssh-add -l shows the key that I added to my Personal vault. (I know that’s coming from 1Password because it has the label name that only exists there, and if I quit 1Password, I just get "Error connecting to agent.")

But then, running ssh -T [email protected] gives me "Permission denied (publickey)." Adding -v shows me that the key in 1Password is never offered. It starts looking for local key files (id_rsa, etc.) and then fails when none are found.

debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/kaelri/.ssh/id_rsa
debug1: Trying private key: /Users/kaelri/.ssh/id_dsa
debug1: Trying private key: /Users/kaelri/.ssh/id_ecdsa
debug1: Trying private key: /Users/kaelri/.ssh/id_ecdsa_sk
debug1: Trying private key: /Users/kaelri/.ssh/id_ed25519
debug1: Trying private key: /Users/kaelri/.ssh/id_ed25519_sk
debug1: Trying private key: /Users/kaelri/.ssh/id_xmss
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey).

One other weird symptom: if I re-save my original key file at ~/.ssh/id_rsa, it works. I get the biometric authentication prompt ("'1Password' is trying to allow '[app]' to use the key '[key]'"), and then it connects. If I save a different key as "id_rsa", it simply fails; I don’t even get the authentication prompt. So it seems like the 1Pass agent is able to detect when "id_rsa" matches a key in my vault, and then makes me authenticate before I can use it. Which is great. But that doesn’t seem like the expected behavior here. Isn’t the point of having my key in 1Pass that I don’t need to have it exposed in a file as well? (Please correct me if I’m wrong!)

Additional info:

  • My ssh -V shows "OpenSSH_8.6p1, LibreSSL 3.3.6."
  • My .zshrc includes export SSH_AUTH_SOCK=~/.1password/agent.sock. Running ls -l $SSH_AUTH_SOCK shows that the file is correctly symlinked to ~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock.
  • My ~/.ssh/config file is pretty sparse (see below).
Host *
    IdentitiesOnly yes
    IdentityAgent "~/.1password/agent.sock"

Happy to provide any other info that may help!


1Password Version: 8.8.0
Extension Version: Not Provided
OS Version: macOS Monterey 12.5
Browser: Not Provided

Comments

  • kaelri
    Community Member

    So, naturally, I found the solution 5 minutes after posting this thread. I was mistaken when I enabled IdentitiesOnly for all hosts. That was preventing ssh from using the non-file keys offered by the agent (which is of course exactly what it’s supposed to do). Removed that line from ~/.ssh/config and now it works like a charm.

    I’ll leave this up for any unfortunate souls who made the same mistake. :)
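For anyone who lands here with the same symptom, here is a small added example (not code from the thread or from 1Password) that lints an ssh_config for exactly this combination. The mechanism behind the symptom: IdentitiesOnly yes tells ssh to offer only identities named by IdentityFile (or the default ~/.ssh/id_* files), even if the agent holds more, so a Host * block with IdentitiesOnly and no IdentityFile silently discards every agent key. It also explains the "weird symptom": when ~/.ssh/id_rsa existed and matched a vault key, ssh loaded that default identity and, finding the same key in the agent, asked the agent to sign, which is why the biometric prompt appeared only then. The script is POSIX sh plus awk, needs no ssh binary, and is a per-block heuristic rather than a full ssh_config parser; the sample configs it writes are constructed for the demo, and the ~/.ssh/github_1password.pub path in the second fix is an assumed example path.

```sh
#!/bin/sh
# Added example, not from the original thread or from 1Password: lint an
# ssh_config for "IdentitiesOnly yes" in a block that names no IdentityFile.
# In that state ssh offers only default key files and ignores every key the
# agent serves. Per-block heuristic: it understands Host/Match, IdentitiesOnly
# and IdentityFile only; everything else is passed over.

# check_identities_only FILE
#   Prints each Host/Match block (or the global section) that sets
#   IdentitiesOnly yes without an IdentityFile. Returns 0 when none does,
#   1 when at least one block is misconfigured.
check_identities_only() {
    awk '
        function flush() {
            if (only == "yes" && files == 0) {
                printf "%s: IdentitiesOnly yes but no IdentityFile; agent keys will never be offered\n", block
                bad = 1
            }
        }
        BEGIN { block = "(global)"; only = ""; files = 0; bad = 0 }
        /^[ \t]*#/ { next }                     # comment line
        /^[ \t]*$/ { next }                     # blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (match(line, /^[^ \t=]+=/))      # "Key=Value" -> "Key Value"
                line = substr(line, 1, RLENGTH - 1) " " substr(line, RLENGTH + 1)
            split(line, f, /[ \t]+/)
            key = tolower(f[1]); val = tolower(f[2])
            if (key == "host" || key == "match") {
                flush()                         # report the block just finished
                block = line; only = ""; files = 0
            } else if (key == "identitiesonly") {
                only = val
            } else if (key == "identityfile") {
                files++
            }
        }
        END { flush(); exit bad }
    ' "$1"
}

# write_samples DIR
#   Constructed sample configs for the demo (only the three lines quoted in
#   the thread come from the poster; the rest is illustrative).
write_samples() {
    # The config from the original post: agent pointed at 1Password, but
    # IdentitiesOnly yes with no IdentityFile, so the vault key is never tried.
    cat > "$1/broken" <<'EOF'
Host *
    IdentitiesOnly yes
    IdentityAgent "~/.1password/agent.sock"
EOF
    # Fix 1 (what the poster did): drop IdentitiesOnly; all agent keys are offered.
    cat > "$1/fixed_drop" <<'EOF'
Host *
    IdentityAgent "~/.1password/agent.sock"
EOF
    # Fix 2: keep IdentitiesOnly, which stops every agent key being shown to
    # every server, and name the public half of the vault key (assumed path);
    # ssh matches the .pub against the agent and has the agent sign with it.
    cat > "$1/fixed_pin" <<'EOF'
Host *
    IdentitiesOnly yes
    IdentityAgent "~/.1password/agent.sock"
    IdentityFile ~/.ssh/github_1password.pub
EOF
}

# demo
#   Returns 0 when the lint flags the broken config and passes both fixes.
demo() {
    dir=$(mktemp -d) || return 2
    write_samples "$dir"
    rc=0
    check_identities_only "$dir/broken"     && rc=1   # must be flagged
    check_identities_only "$dir/fixed_drop" || rc=1   # must pass
    check_identities_only "$dir/fixed_pin"  || rc=1   # must pass
    rm -rf "$dir"
    return $rc
}

# Usage: sh ssh_identities_lint.sh ~/.ssh/config   (exit 1 if misconfigured)
#        sh ssh_identities_lint.sh                  (runs the built-in demo)
if [ $# -gt 0 ]; then
    check_identities_only "$1"
else
    demo && echo "demo: broken config flagged, both fixes pass"
fi
```

To confirm what the real client resolved rather than what the file says, run ssh -G <host> | grep -iE 'identitiesonly|identityfile|identityagent' against the host you are connecting to; if identitiesonly is yes and the identityfile lines are only the ~/.ssh/id_* defaults, agent keys will not be offered. For the second fix, ssh-add -L prints the public keys the agent serves, and saving the one you want into the .pub file named by IdentityFile is enough; the private key stays in the vault.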

This discussion has been closed.