Any way to access the 1P SSH Agent on a headless remote, if the local agent can't be forwarded?

codear
Community Member
edited June 2023 in SSH

Hey all!

I've been using 1Password for some time now, and working in the software industry I really want to begin by stressing that this software is mighty impressive!

I would like to ask for a bit of help though. I know there's a 1P CLI integration available on OSX and Linux machines that I work with frequently, however this seems to work only after I sign in to the UI, and... well, there is a certain flow I can't sort out.

My org manages SSH for accessing some remote workstations - and that's fine. My .ssh/config can list appropriate IdentityAgent for any of these workstations, while other entries (say, GitHub, or computers within my local network) can use 1Password as an IdentityAgent.

The problem comes once I am on a remote machine which requires an agent other than 1Password to be accessed: 1Password is essentially inaccessible there, and so are all the SSH keys I keep there. So I can't, say, access GitHub any more.

I wonder if it is (or could be made) possible to start 1Password on a remote machine without actually starting all the UI; is this something the op command could (at some point) do?

I understand this might be a delicate matter -- with UI "nothing happens without user's knowledge". Curious if that could be the reason (assuming this is not a supported flow).

Thank you for the fantastic product and great support!



Comments

  • floris_1P
    edited June 2023

    Glad you're liking the product! As for the use case you're describing, OpenSSH actually has a solution for this built in to their tooling, called SSH agent forwarding. You can enable it on a per-host basis in your local ~/.ssh/config file:

    Host myserver
      ForwardAgent yes
    

    If you then connect to myserver and run ssh-add -l, you should see all your keys from 1Password. And if you then run, say, git fetch on the remote host, you'll get prompted by your local 1Password app!

    One important note on agent forwarding: After approving a prompt, any SSH command run as the same OS user on that host during your SSH connection will be able to use the key you've approved, so make sure you only enable SSH agent forwarding for trusted hosts.
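
Added example (not part of the original thread and not 1Password's own tooling): a shell function that lists every place an ssh_config file turns agent forwarding on and marks the entries that apply beyond named hosts, as a check on the "trusted hosts only" advice in the reply above. The sample config is constructed except for the myserver block, the function names are hypothetical, and Match blocks other than `Match all` are treated as scoped, which is a simplification.

```shell
# Report where an ssh_config enables agent forwarding (reads a file or stdin).
# WIDE = global section, wildcard Host pattern, or "Match all"; SCOPED = named hosts.
audit_forward_agent() {
  awk '
    BEGIN { scope = "(global)"; wide = 1 }
    {
      line = $0
      sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
      if (line == "" || line ~ /^#/) next
      if (!match(line, /[ \t=]+/)) next           # keyword without a value
      key = tolower(substr(line, 1, RSTART - 1))  # keywords are case-insensitive
      val = substr(line, RSTART + RLENGTH)
      if (key == "host") {
        scope = "Host " val; wide = 0
        n = split(val, pat, /[ \t]+/)
        for (i = 1; i <= n; i++)                  # negated patterns do not widen scope
          if (pat[i] !~ /^!/ && pat[i] ~ /[*?]/) wide = 1
      } else if (key == "match") {
        scope = "Match " val; wide = (tolower(val) == "all")
      } else if (key == "forwardagent" && tolower(val) != "no") {
        # Any value other than "no" (yes, a socket path, $VAR) enables forwarding.
        printf "%s\t%s\tForwardAgent %s\n", (wide ? "WIDE" : "SCOPED"), scope, val
      }
    }
  ' "${1:--}"
}

# Constructed sample config; only the myserver block comes from the thread.
sample_config() {
  cat <<'EOF'
Host myserver
  ForwardAgent yes

Host *.corp.example !bastion.corp.example
  ForwardAgent yes

Host *
  ForwardAgent no
EOF
}

sample_config | audit_forward_agent
```

Run it against a real file with `audit_forward_agent ~/.ssh/config`; every WIDE line is a place where a key approved once becomes usable from hosts that were never individually vetted.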

This discussion has been closed.