SSH client not attempting keys returned from 1Password agent
I have 2 computers, both running 1Password 8.9.8 on macOS 13 (Ventura). Both are logged into the same 1Password account and running the 1Password SSH agent. I have added the following 4 SSH keys to 1Password, which the agent reflects:
$ env | grep SSH SSH_AUTH_SOCK=/Users/adam/.1password/agent.sock $ ssh-add -l 256 SHA256:eum8cgSeUH7RHKAltGdQIIRoZN8ly4Dm40Q0oKQjFw0 <redacted> (ED25519) 256 SHA256:NdEgj6UoJSWQrg82ueeHfWZxfzJmEAzbgUljZwQvShU <redacted> (ED25519) 256 SHA256:wyCOVP0JcH6DP9VuYdGUR+NW1Urxa3KapWSpX+mJ544 <redacted> (ED25519) 256 SHA256:mBCy6QPwWESMv3ugDluj7IMMmaMQ+iLO8vlPyeEL6PI <redacted> (ED25519)
The second key SHA256:NdEgj6UoJSWQrg82ueeHfWZxfzJmEAzbgUljZwQvShU
is attached to my GitHub account.
On the first computer, the 1Password SSH agent works as expected. It returns 5 keys (there's another one from a different Vault), SSH attempts each of these, and I'm able to connect:
$ ssh -v -T git@github.com OpenSSH_9.0p1, LibreSSL 3.3.6 ... debug1: get_agent_identities: agent returned 5 keys debug1: Will attempt key: /Users/adam.rothman/.ssh/id_ed25519 ED25519 SHA256:ECMfEhvQ50ija9WO4N1Ip64/Jxa46oojpfurc2ZItz0 agent debug1: Will attempt key: <redacted> ED25519 SHA256:eum8cgSeUH7RHKAltGdQIIRoZN8ly4Dm40Q0oKQjFw0 agent debug1: Will attempt key: <redacted> ED25519 SHA256:NdEgj6UoJSWQrg82ueeHfWZxfzJmEAzbgUljZwQvShU agent debug1: Will attempt key: <redacted> ED25519 SHA256:wyCOVP0JcH6DP9VuYdGUR+NW1Urxa3KapWSpX+mJ544 agent debug1: Will attempt key: <redacted> ED25519 SHA256:mBCy6QPwWESMv3ugDluj7IMMmaMQ+iLO8vlPyeEL6PI agent debug1: Will attempt key: /Users/adam.rothman/.ssh/id_rsa debug1: Will attempt key: /Users/adam.rothman/.ssh/id_ecdsa debug1: Will attempt key: /Users/adam.rothman/.ssh/id_ecdsa_sk debug1: Will attempt key: /Users/adam.rothman/.ssh/id_ed25519_sk debug1: Will attempt key: /Users/adam.rothman/.ssh/id_xmss debug1: Will attempt key: /Users/adam.rothman/.ssh/id_dsa ... debug1: Offering public key: <redacted> ED25519 SHA256:NdEgj6UoJSWQrg82ueeHfWZxfzJmEAzbgUljZwQvShU agent debug1: Server accepts key: <redacted> ED25519 SHA256:NdEgj6UoJSWQrg82ueeHfWZxfzJmEAzbgUljZwQvShU agent Authenticated to github.com ([100.64.1.46]:22) using "publickey". ... Hi adamrothman! You've successfully authenticated, but GitHub does not provide shell access.
On the second computer, the 1Password agent returns the 4 expected keys, but for reasons I don't understand, SSH does not attempting any of them:
$ ssh -v -T git@github.com OpenSSH_9.0p1, LibreSSL 3.3.6 ... debug1: get_agent_identities: agent returned 4 keys debug1: Will attempt key: /Users/adam/.ssh/id_rsa debug1: Will attempt key: /Users/adam/.ssh/id_ecdsa debug1: Will attempt key: /Users/adam/.ssh/id_ecdsa_sk debug1: Will attempt key: /Users/adam/.ssh/id_ed25519 debug1: Will attempt key: /Users/adam/.ssh/id_ed25519_sk debug1: Will attempt key: /Users/adam/.ssh/id_xmss debug1: Will attempt key: /Users/adam/.ssh/id_dsa ... debug1: No more authentication methods to try. git@github.com: Permission denied (publickey).
The SSH configs on these 2 computers are not exactly the same, but I can't figure out what setting(s) might be preventing SSH from attempting the keys offered by the 1Password agent. This issue is not specific to github.com – it happens for all the SSH servers I've tried connecting to.
Thanks in advance for your help.
1Password Version: 8.9.8 (80908009)
Extension Version: N/A
OS Version: macOS Ventura 13.0.1 (22A400)
Browser:_ Chrome
Comments
-
Hi @adamrothman:
Would you be able to share your SSH config from your second computer? If there's things in your SSH config that you'd rather keep private, you can get in touch with us directly at
support+forum@1password.com
, and we'll be able to take a look at your config via email instead.Jack
0 -
Thanks for getting back to me @Jack.P_1P – I'm traveling through Dec 5 and therefore away from that second computer. I'll post the config when I get back.
0 -
I figured it out! I had the
IdentitiesOnly yes
option set in my config but had commented out theIdentityFile
option under the hosts I was testing with. Updating IdentityFile to point to the public key I wanted to use did the right thing. Thanks for prompting me to check that out @Jack.P_1P!0 -
Hi @adamrothman:
Glad to hear it, you're very welcome! Feel free to get in touch if there's anything else we can help you with.
Jack
0