smfelsher
Occasional Contributor
9 months ago

VSCode dev container and SSH

I am trying to use my SSH keys, which are stored in 1Password, in a dev container launched within VSCode.

Here is my ~/.ssh/config

```
# Gitlab
Host gitlab.com
  HostName gitlab.com
  User git
  IdentityAgent ~/.1password/agent.sock
  ForwardAgent yes
  IdentityFile ~/.ssh/gitlab.com.pub
  UserKnownHostsFile ~/.ssh/known_hosts_gitlab
  IdentitiesOnly yes

# A second key for GitLab for work projects.
Host gitlab.edgeovens.com
  HostName gitlab.com
  User git
  IdentityAgent ~/.1password/agent.sock
  ForwardAgent yes
  IdentityFile ~/.ssh/gitlab.edgeovens.com.pub
  UserKnownHostsFile ~/.ssh/known_hosts_gitlab_edgeovens
  IdentitiesOnly yes
```

As you can see, I'm using the public key as the identity file according to these instructions.

1Password is configured as my SSH agent in the Linux desktop app.

I am setting the SSH_AUTH_SOCK environment variable before launching VSCode. Once I demonstrate that this works with a dev container, I will put this in my .zshrc file.

```sh
SSH_AUTH_SOCK="$HOME/.1password/agent.sock" code ~/sandboxes/serial-data-acquisition/
```

I am mapping my local .ssh directory into the dev container; so my config and public SSH key files are visible.

When I run the command ssh-add -l, I see my SSH keys listed, so it seems that the SSH_AUTH_SOCK is working.


```
256 SHA256:AVz... gitlab.edgeovens.com (ED25519)
256 SHA256:PsD... gitlab.com (ED25519)
```

However, when I try to perform a git action, I receive the following error:

```sh
$ git clone git@gitlab.com:smfelsher/dotfiles.git
Cloning into 'dotfiles'...
Load key "/home/node/.ssh/gitlab.com.pub": error in libcrypto
git@gitlab.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```

Using 1Password as my SSH agent outside of a dev container works, so I know my setup with the public keys is valid. For example, I can clone that same dotfiles repository on my local host without issue.

Is there an issue with 1Password as an SSH agent in a dev container with public keys? Has anyone else been successful with this type of configuration?


1Password Version: 8.10.33
Extension Version: Not Provided
OS Version: Linux Manjaro
Browser: Not Provided

  • smfelsher
    Occasional Contributor

    So it appears that ssh will use the IdentityAgent property from the ~/.ssh/config file before it uses the SSH_AUTH_SOCK environment variable. Git started working in the dev container once I disabled the IdentityAgent in the config file.

    Another solution is to bind ~/.1password/agent.sock into the container. This will satisfy the IdentityAgent locally and in the container.

  • smfelsher
    Occasional Contributor

    From man ssh:

    IdentityAgent

    Specifies the Unix-domain socket used to communicate with the authentication agent.

    This option overrides the SSH_AUTH_SOCK environment variable and can be used to select a specific agent. Setting the socket name to none disables the use of an authentication agent. If the string "SSH_AUTH_SOCK" is specified, the location of the socket will be read from the SSH_AUTH_SOCK environment variable. Otherwise if the specified value begins with a ‘$’ character, then it will be treated as an environment variable containing the location of the socket.

    Arguments to IdentityAgent may use the tilde syntax to refer to a user's home directory, the tokens described in the “TOKENS” section and environment variables as described in the “ENVIRONMENT VARIABLES” section.

    So, to make this work both locally and in a dev container:
    1. export the SSH_AUTH_SOCK in your shell's config file (.bashrc, .zshrc, etc.).
    2. Use IdentifyAgent SSH_AUTH_SOCK in the ~/.ssh/config file
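
Added example, not part of the thread: a shell version of the IdentityAgent resolution rules quoted from man ssh above, showing that `~/.1password/agent.sock` resolves under the current (container) user's home while `SSH_AUTH_SOCK` follows the forwarded socket. The function names, the constructed socket paths, and the assumption that `ssh -G <host>` prints an `identityagent` line are illustrative, not taken from the posts.

```shell
#!/bin/sh
# Added example (not from the thread): which agent socket would ssh use?
# Follows the IdentityAgent rules quoted from man ssh.

# effective_agent VALUE: print the socket path ssh would use, or "none".
# VALUE is the IdentityAgent setting ("" when the option is not set).
effective_agent() {
    value=$1
    case $value in
        ""|SSH_AUTH_SOCK)   # unset, or explicitly deferring to the environment
            printf '%s\n' "${SSH_AUTH_SOCK:-none}" ;;
        none)               # agent use disabled
            printf 'none\n' ;;
        '$'*)               # value names another environment variable
            name=${value#?}
            case $name in ""|*[!A-Za-z0-9_]*) printf 'none\n'; return 0 ;; esac
            eval "printf '%s\n' \"\${$name:-none}\"" ;;
        '~/'*)              # tilde means the *current* user's home directory
            printf '%s\n' "$HOME/${value#??}" ;;
        *)
            printf '%s\n' "$value" ;;
    esac
}

# Reads "keyword value" lines (the shape of `ssh -G <host>` output) on stdin
# and prints the identityagent value; prints nothing if the keyword is absent.
agent_from_config_dump() {
    awk 'tolower($1) == "identityagent" { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
}

# Reads the same input; returns 0 if the socket exists, 1 if missing, 2 if none.
check_agent() {
    sock=$(effective_agent "$(agent_from_config_dump)")
    [ "$sock" = none ] && { echo "no agent configured"; return 2; }
    if [ -S "$sock" ]; then echo "ok: $sock"; return 0; fi
    echo "missing socket: $sock"; return 1
}

# Constructed input modelled on the config in this thread, evaluated as the
# container user (HOME=/home/node) with a constructed forwarded socket path.
demo() {
    ( HOME=/home/node SSH_AUTH_SOCK=/tmp/constructed-forwarded.sock
      export HOME SSH_AUTH_SOCK
      printf 'hostname gitlab.com\nidentityagent ~/.1password/agent.sock\n' | check_agent
      printf 'hostname gitlab.com\nidentityagent SSH_AUTH_SOCK\n' | check_agent )
}
demo || true
```

On a real system, pipe `ssh -G gitlab.com` into `check_agent` on the host and again inside the container to compare the resolved sockets.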

  • Hi smfelsher,

    I've been trying to resolve a similar issue, however, my setup is a little different.

    My host OS is Windows and I use WSL2 for some coding. In VS Code in Windows and VS Code in WSL2, signing my commits with a key from 1Password works beautifully.

    However, when I launch a devcontainer from WSL2, something's not working.

    I am trying to see how your solution might help me resolve my issue, but I am not sure how to do it.

    $SSH_AUTH_SOCK in WSL2 is empty.
    $SSH_AUTH_SOCK in the devcontainer in WSL2 contains a socket referencing

    ssh-add -l in WSL2 returns an error: Could not open a connection to your authentication agent.

    ssh-add -l in the devcontainer in WSL returns the same list of keys as on the Windows host OS (so at least something seems to work...).

    I would appreciate any ideas you might have.

    PS: In your latest reply, in step 2, I think you mean IdentityAgent instead of IdentifyAgent?

  • smfelsher
    Occasional Contributor

    Speedbird186,

    Yes, it should be IdentityAgent!

    Regarding your problem.

    I think this will only work in a Dev Container by using the SSH_AUTH_SOCK environment variable. So, export SSH_AUTH_SOCK in your shell configuration file for WSL. If you're using bash, then in .bashrc put the following: export SSH_AUTH_SOCK="$HOME/.1password/agent.sock".

    Now, launch VSCode, but before you start your dev container, see if your VSCode environment is seeing SSH_AUTH_SOCK. Open the integrated terminal in VSCode and see that SSH_AUTH_SOCK is set. If SSH_AUTH_SOCK is not set, you need to figure out how to set it before you launch your dev container. I believe VSCode will map the host SSH_AUTH_SOCK to a socket file in the container.

    Oh, and one other thing that I forgot in my previous post! I have mapped my host ~/.ssh directory into the container. Here is a snippet from my devcontainer.json.

    ```json
    "mounts": [
      // Bind mount the developer's SSH directory to allow using SSH keys for
      // GitLab. The target must be the home directory of the non-root user of the
      // container.
      {
        "source": "${localEnv:HOME}/.ssh",
        "target": "/home/node/.ssh",
        "type": "bind"
      }
    ]
    ```

    I'm using a Node image and the non-root user, node, in the container, so I'm mapping my .ssh directory into the container user's home directory.

    So,

    • Your SSH config and keys must be mapped into the dev container, like on your host.
    • VSCode will map the local SSH_AUTH_SOCK into the container if VSCode sees that SSH_AUTH_SOCK is set.
      • Unless you have changed any of the Remote SSH settings in VSCode.

    Let me know if I can help you further or if you figure it out!