Feature Request: SSH Agent improvements

Options
rellek
rellek
Community Member
edited January 8 in SSH

Hi,

I was a little confused about the SSH Agent and the limit to 6 keys. So I submitted a support request #202069 which led me to here to lay out my ideas on how to vastly improve SSH workflows with 1Password.

It's gonna be quite some text, so please bear with me.

To make one thing crystal clear: When it works, it's awesome!

However, when it doesn't, it gets confusing. Let me explain.

I am using a password manager to have as little to do as possible with login credentials of any sort. And it works ... "well enough" as long as you have less than 6 certificates to manage.
But then you will run into this SSH limit because 1Password "bruteforces" all certificates until one works. The workaround, which is documented in the manual, is to export the public key and edit ~/.ssh/config and "register" the hosts, with the public key, and tell SSH to only use keys.

And I disagree with this workflow. Because I am using a password manager so I #don't# have to handle credentials.

So I would suggest that 1Password generates the config file (and handles everything that's attached to that) for me.

My idea would be: When creating or editing an SSH key, give me the opportunity to add context for 1Password (and also for me! Like I know where those keys are used "today", but will I in 5 years as well? I mean sure, give them meaningful names, or add notes - but honestly, is the majority of users that organized? I certainly would not be). Give me a field what it's used for - say a hostname. So I can say, THIS certificate is for srv1.example.com (bonus points if I could also specify the port). And maybe a "nickname", so I don't have to enter
$ ssh username@srv.example.com
but
$ ssh username@dev

Which literally is just one more name in the "Host" line of ~/.ssh/config.

And when you are at it, also the desired username. That way, all I have to enter is
$ ssh dev

And it connects to srv.example.com - at the desired port - with "username" as the user.

1Password would automatically export the public key and generate this file (or, WordPress-style, add its stuff to it if there is already non-conflicting configuration), and keep everything in sync.

Because THAT is the point of my idea. Keeping the keys in sync.

That way, you could also solve the issue you stated in the docs of having a private and a company GitHub account with a nice UI. Make 2 keys, host is github.com, nickname is "personalgit" for one and "workgit" for the other - and boom, 1Password does it all for you.

Well and if you don't fill out the metas, everything remains as it is now. For example when you need a key pair for something else that won't use SSH. (Not that I had an example for this tho, but I'm sure there are use-cases where a key pair is needed)

(Also, I'd like an UI for which vaults to consider for SSH keys, but that's another topic)

YES. I #am# aware that this is mostly a one-time configuration thing. But, that one time sucks in my opinion, especially if you are just getting into this, be it because you just started using keys or because you migrate your keys to 1Password... However, if you use multiple computers - say an iMac on your desk and a MacBook on the go, it sure would be nice to have the peace of mind that 1Password has you covered, no matter what.

--

Sorry for the wall of text. But I think that would be really useful improvements to the SSH agent.

If you made it to here, thank you. And also thank you for at least considering it :)

1Password Version: 8.10.23
Extension Version: 2.19.0
OS Version: macOS 14.2.1
Browser: Chrome