Improvements for handling SSH keys using 1P as SSH agent
Recently I played around more with SSH keys and I'm currently storing them inside 1Password for Windows. I'm using the Windows ssh client to connect to target servers as well as PuTTY.
The problem for me is that I have more than six keys stored in 1Password (https://developer.1password.com/docs/ssh/agent/advanced#ssh-server-six-key-limit). So every time I want to connect to a system with my newest key, I'm only getting the dreaded "Too many authentication failures".
I wish for a better way to handle this other than having to maintain a .ssh/config file and download keys onto the filesystem, which kind of defeats the purpose of having all my keys in 1Password.
Of course I could archive the keys I don't want the agent to offer and later un-archive them or I could move the keys out of my private vault and only move them back in when needed. But this is also kind of meh.
I don't know how much 1P can do about the ssh agent, e.g. allow the user to sort in which order the keys are offered to the SSH server. The easiest way would be that only the right key would be offered for the right server, e.g. when you add a target IP/hostname in the SSH key item.
If that's not possible, how about 1P handling management of the .ssh/config file for me? This would mean writing the config, downloading keys, etc., as described as a manual process here: https://developer.1password.com/docs/ssh/agent/advanced/#use-multiple-github-accounts
Are there already existing options I'm missing? How do others with more than six SSH keys handle this?
1Password Version: 8.9.0 (80904006)
Extension Version: Not Provided
OS Version: Windows 10
Browser: Not Provided
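The per-host .ssh/config workaround the post refers to, shown here as an added example (not from the original post or from 1Password's documentation); host names, user names and the public-key file names are assumptions. Only the public halves are on disk, so the agent still does the signing and the private keys stay in 1Password.

```sshconfig
# One key per host: with IdentitiesOnly, ssh offers only the identity named
# in IdentityFile and asks the agent to sign with the matching private key,
# so the six-key limit on the server is never hit.
# The Windows OpenSSH client talks to 1Password through its default agent
# pipe, so no IdentityAgent line is needed here (assumption: 1Password's
# SSH agent is enabled in its settings).

Host prod-db
    HostName db.example.com          # assumed host
    User deploy                      # assumed user
    IdentitiesOnly yes
    IdentityFile ~/.ssh/prod-db.pub  # public key exported from 1Password

Host github-work
    HostName github.com
    User git
    IdentitiesOnly yes
    IdentityFile ~/.ssh/work-github.pub

# Hosts not listed above fall back to the agent's full key list, which is
# where "Too many authentication failures" can still occur.
```

Check with `ssh -v prod-db`: the debug output should show exactly one "Offering public key" line, followed by the server accepting it.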
Comments
-
There's one more possible solution that I've been looking at for the last few days (since starting to use 1P as an ssh-agent):
Implement the SSH agent restrictions added in OpenSSH 8.9 at the beginning of this year.
https://lwn.net/Articles/880458/
https://www.openssh.com/agent-restrict.html
All it would need (from a user's perspective) is an optional Host/Host Chain setting (for use with ProxyJump/etc.) in the SSH key data.
It does, however, need an updated sshd that you're connecting to for the protocol extensions to function.
-
I am also currently struggling with this exact problem.
All of the "download the key and specify it in your config" instructions are definitely very meh, totally agree.
I've reached out to our onboarding rep to see if they have any advice. Surely people have more than 6 keys, I'm not sure I'd bother setting up the SSH Agent if I only had 1 key to deal with.