SSH client not attempting keys returned from 1Password agent

adamrothman
Community Member

I have 2 computers, both running 1Password 8.9.8 on macOS 13 (Ventura). Both are logged into the same 1Password account and running the 1Password SSH agent. I have added the following 4 SSH keys to 1Password, which the agent reflects:

$ env | grep SSH     
SSH_AUTH_SOCK=/Users/adam/.1password/agent.sock

$ ssh-add -l
256 SHA256:eum8cgSeUH7RHKAltGdQIIRoZN8ly4Dm40Q0oKQjFw0 <redacted> (ED25519)
256 SHA256:NdEgj6UoJSWQrg82ueeHfWZxfzJmEAzbgUljZwQvShU <redacted> (ED25519)
256 SHA256:wyCOVP0JcH6DP9VuYdGUR+NW1Urxa3KapWSpX+mJ544 <redacted> (ED25519)
256 SHA256:mBCy6QPwWESMv3ugDluj7IMMmaMQ+iLO8vlPyeEL6PI <redacted> (ED25519)

The second key SHA256:NdEgj6UoJSWQrg82ueeHfWZxfzJmEAzbgUljZwQvShU is attached to my GitHub account.

On the first computer, the 1Password SSH agent works as expected. It returns 5 keys (there's another one from a different Vault), SSH attempts each of these, and I'm able to connect:

$ ssh -v -T git@github.com
OpenSSH_9.0p1, LibreSSL 3.3.6
...
debug1: get_agent_identities: agent returned 5 keys
debug1: Will attempt key: /Users/adam.rothman/.ssh/id_ed25519 ED25519 SHA256:ECMfEhvQ50ija9WO4N1Ip64/Jxa46oojpfurc2ZItz0 agent
debug1: Will attempt key: <redacted> ED25519 SHA256:eum8cgSeUH7RHKAltGdQIIRoZN8ly4Dm40Q0oKQjFw0 agent
debug1: Will attempt key: <redacted> ED25519 SHA256:NdEgj6UoJSWQrg82ueeHfWZxfzJmEAzbgUljZwQvShU agent
debug1: Will attempt key: <redacted> ED25519 SHA256:wyCOVP0JcH6DP9VuYdGUR+NW1Urxa3KapWSpX+mJ544 agent
debug1: Will attempt key: <redacted> ED25519 SHA256:mBCy6QPwWESMv3ugDluj7IMMmaMQ+iLO8vlPyeEL6PI agent
debug1: Will attempt key: /Users/adam.rothman/.ssh/id_rsa 
debug1: Will attempt key: /Users/adam.rothman/.ssh/id_ecdsa 
debug1: Will attempt key: /Users/adam.rothman/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /Users/adam.rothman/.ssh/id_ed25519_sk 
debug1: Will attempt key: /Users/adam.rothman/.ssh/id_xmss 
debug1: Will attempt key: /Users/adam.rothman/.ssh/id_dsa
...
debug1: Offering public key: <redacted> ED25519 SHA256:NdEgj6UoJSWQrg82ueeHfWZxfzJmEAzbgUljZwQvShU agent
debug1: Server accepts key: <redacted> ED25519 SHA256:NdEgj6UoJSWQrg82ueeHfWZxfzJmEAzbgUljZwQvShU agent
Authenticated to github.com ([100.64.1.46]:22) using "publickey".
...
Hi adamrothman! You've successfully authenticated, but GitHub does not provide shell access.

On the second computer, the 1Password agent returns the 4 expected keys, but for reasons I don't understand, SSH is not attempting any of them:

$ ssh -v -T git@github.com
OpenSSH_9.0p1, LibreSSL 3.3.6
...
debug1: get_agent_identities: agent returned 4 keys
debug1: Will attempt key: /Users/adam/.ssh/id_rsa 
debug1: Will attempt key: /Users/adam/.ssh/id_ecdsa 
debug1: Will attempt key: /Users/adam/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /Users/adam/.ssh/id_ed25519 
debug1: Will attempt key: /Users/adam/.ssh/id_ed25519_sk 
debug1: Will attempt key: /Users/adam/.ssh/id_xmss 
debug1: Will attempt key: /Users/adam/.ssh/id_dsa
...
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).

The SSH configs on these 2 computers are not exactly the same, but I can't figure out what setting(s) might be preventing SSH from attempting the keys offered by the 1Password agent. This issue is not specific to github.com – it happens for all the SSH servers I've tried connecting to.

Thanks in advance for your help.


1Password Version: 8.9.8 (80908009)
Extension Version: N/A
OS Version: macOS Ventura 13.0.1 (22A400)
Browser: Chrome

Comments

  • Hi @adamrothman:

    Would you be able to share your SSH config from your second computer? If there are things in your SSH config that you'd rather keep private, you can get in touch with us directly at support+forum@1password.com, and we'll be able to take a look at your config via email instead.

    Jack

  • adamrothman
    Community Member

    Thanks for getting back to me @Jack.P_1P – I'm traveling through Dec 5 and therefore away from that second computer. I'll post the config when I get back.

  • adamrothman
    Community Member

    I figured it out! I had the IdentitiesOnly yes option set in my config but had commented out the IdentityFile option under the hosts I was testing with. Updating IdentityFile to point to the public key I wanted to use did the right thing. Thanks for prompting me to check that out @Jack.P_1P!

  • Hi @adamrothman:

    Glad to hear it, you're very welcome! Feel free to get in touch if there's anything else we can help you with.

    Jack
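
The symptom resolved in this thread can be checked mechanically: the agent returns keys, yet no "Will attempt key" line ends in "agent", and the effective config has IdentitiesOnly enabled. The Python sketch below is an added example, not code from the thread or from 1Password; the log and `ssh -G` excerpts are constructed samples, and the function names and result labels are hypothetical.

```python
import re

# Constructed sample modelled on the failing `ssh -v` output in the thread.
FAILING_LOG = """\
debug1: get_agent_identities: agent returned 4 keys
debug1: Will attempt key: /Users/adam/.ssh/id_rsa
debug1: Will attempt key: /Users/adam/.ssh/id_ed25519
debug1: No more authentication methods to try.
"""
# Constructed sample modelled on the working output (placeholder fingerprints).
WORKING_LOG = """\
debug1: get_agent_identities: agent returned 2 keys
debug1: Will attempt key: key-a ED25519 SHA256:CONSTRUCTED-A agent
debug1: Will attempt key: key-b ED25519 SHA256:CONSTRUCTED-B agent
debug1: Will attempt key: /Users/adam/.ssh/id_rsa
"""
# Constructed excerpt of `ssh -G <host>` output: lowercase keyword, then value.
EFFECTIVE_CONFIG = """\
identitiesonly yes
identityfile ~/.ssh/id_rsa
identityfile ~/.ssh/id_ed25519
"""

AGENT_COUNT = re.compile(r"get_agent_identities: agent returned (\d+) keys")

def agent_key_usage(debug_log):
    """Return (keys the agent returned, candidate keys that are agent-backed)."""
    returned = attempted = 0
    for line in debug_log.splitlines():
        match = AGENT_COUNT.search(line)
        if match:
            returned = int(match.group(1))
        # ssh -v tags candidates served by the agent with a trailing "agent".
        elif "Will attempt key:" in line and line.rstrip().endswith(" agent"):
            attempted += 1
    return returned, attempted

def diagnose(debug_log, effective_config):
    """Classify one session; the labels returned are hypothetical names."""
    returned, attempted = agent_key_usage(debug_log)
    if attempted > 0:
        return "agent-keys-in-use"
    if returned == 0:
        return "agent-empty"
    options = [l.split(None, 1) for l in effective_config.splitlines() if l.strip()]
    if ["identitiesonly", "yes"] in options:
        return "filtered-by-identitiesonly"
    return "agent-keys-unused"
```

To run it against a real host, feed it the stderr of `ssh -v -T <host>` and the stdout of `ssh -G <host>` in place of the constructed strings.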

This discussion has been closed.