VSCode dev container and SSH
I am trying to use my SSH keys, which are stored in 1Password, in a dev container launched within VSCode.
Here is my ~/.ssh/config
# Gitlab
Host gitlab.com
    HostName gitlab.com
    User git
    IdentityAgent ~/.1password/agent.sock
    ForwardAgent yes
    IdentityFile ~/.ssh/gitlab.com.pub
    UserKnownHostsFile ~/.ssh/known_hosts_gitlab
    IdentitiesOnly yes

# A second key for GitLab for work projects.
Host gitlab.edgeovens.com
    HostName gitlab.com
    User git
    IdentityAgent ~/.1password/agent.sock
    ForwardAgent yes
    IdentityFile ~/.ssh/gitlab.edgeovens.com.pub
    UserKnownHostsFile ~/.ssh/known_hosts_gitlab_edgeovens
    IdentitiesOnly yes
As you can see, I'm using the public key as the identity file according to these instructions
1Password is configured as my SSH agent in the Linux desktop app.
I am setting the SSH_AUTH_SOCK environment variable before launching VSCode. Once I demonstrate that this works with a dev container, I will put this in my .zshrc file.
SSH_AUTH_SOCK="$HOME/.1password/agent.sock" code ~/sandboxes/serial-data-acquisition/
I am mapping my local .ssh directory into the dev container, so my config and public SSH key files are visible.
When I run the command ssh-add -l, I see my SSH keys listed, so it seems that the SSH_AUTH_SOCK is working.
256 SHA256:AVz... gitlab.edgeovens.com (ED25519)
256 SHA256:PsD... gitlab.com (ED25519)
However, when I try to perform a git action, I receive the following error:
$ git clone git@gitlab.com:smfelsher/dotfiles.git
Cloning into 'dotfiles'...
Load key "/home/node/.ssh/gitlab.com.pub": error in libcrypto
git@gitlab.com: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.
Using 1Password as my SSH agent outside of a dev container works, so I know my setup with the public keys is valid. For example, I can clone that same dotfiles repository on my local host without issue.
Is there an issue with 1Password as an SSH agent in a dev container with public keys? Has anyone else been successful with this type of configuration?
1Password Version: 8.10.33
Extension Version: Not Provided
OS Version: Linux Manjaro
Browser: Not Provided
Comments
-
So it appears that ssh will use the IdentityAgent property from the ~/.ssh/config file before it uses the SSH_AUTH_SOCK environment variable. Git started working in the dev container once I disabled the IdentityAgent in the config file.
Another solution is to bind ~/.1password/agent.sock into the container. This will satisfy the IdentityAgent locally and in the container.
-
From man ssh:
IdentityAgent
Specifies the Unix-domain socket used to communicate with the authentication agent.
This option overrides the SSH_AUTH_SOCK environment variable and can be used to select a specific agent. Setting the socket name to none disables the use of an authentication agent. If the string "SSH_AUTH_SOCK" is specified, the location of the socket will be read from the SSH_AUTH_SOCK environment variable. Otherwise if the specified value begins with a ‘$’ character, then it will be treated as an environment variable containing the location of the socket.
Arguments to IdentityAgent may use the tilde syntax to refer to a user's home directory, the tokens described in the “TOKENS” section and environment variables as described in the “ENVIRONMENT VARIABLES” section.
So, to make this work both locally and in a dev container:
1. Export the SSH_AUTH_SOCK in your shell's config file (.bashrc, .zshrc, etc.).
2. Use IdentifyAgent SSH_AUTH_SOCK in the ~/.ssh/config file.
-
Hi @smfelsher,
I've been trying to resolve a similar issue, however, my setup is a little different.
My host OS is Windows and I use WSL2 for some coding. In VS Code in Windows and VS Code in WSL2, signing my commits with a key from 1Password works beautifully.
However, when I launch a devcontainer from WSL2, something's not working.
I am trying to see how your solution might help me resolve my issue, but I am not sure how to do it.
- $SSH_AUTH_SOCK in WSL2 is empty.
- $SSH_AUTH_SOCK in the devcontainer in WSL2 contains a socket referencing
- ssh-add -l in WSL2 returns an error: Could not open a connection to your authentication agent.
- ssh-add -l in the devcontainer in WSL returns the same list of keys as on the Windows host OS (so at least something seems to work...).
I would appreciate any ideas you might have.
PS: In your latest reply, in step 2, I think you mean IdentityAgent instead of IdentifyAgent?
-
Yes, it should be IdentityAgent!
Regarding your problem.
I think this will only work in a Dev Container by using the SSH_AUTH_SOCK environment variable. So, export SSH_AUTH_SOCK in your shell configuration file for WSL. If you're using bash, then in .bashrc put the following:
export SSH_AUTH_SOCK="$HOME/.1password/agent.sock"
Now, launch VSCode, but before you start your dev container, see if your VSCode environment is seeing SSH_AUTH_SOCK. Open the integrated terminal in VSCode and see that SSH_AUTH_SOCK is set. If SSH_AUTH_SOCK is not set, you need to figure out how to set it before you launch your dev container. I believe VSCode will map the host SSH_AUTH_SOCK to a socket file in the container.
Oh, and one other thing that I forgot in my previous post! I have mapped my host ~/.ssh directory into the container. Here is a snippet from my devcontainer.json.
"mounts": [
    // Bind mount the developer's SSH directory to allow using SSH keys for
    // GitLab. The target must be the home directory of the non-root user of the
    // container.
    {
        "source": "${localEnv:HOME}/.ssh",
        "target": "/home/node/.ssh",
        "type": "bind"
    }
]
I'm using a Node image and the non-root user, node, in the container, so I'm mapping my .ssh directory into the container user's home directory.
So,
- Your SSH config and keys must be mapped into the dev container, like on your host.
- VSCode will map the local SSH_AUTH_SOCK into the container if VSCode sees that SSH_AUTH_SOCK is set.
- Unless you have changed any of the Remote SSH settings in VSCode.
Let me know if I can help you further or if you figure it out!
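The IdentityAgent rules quoted from the man page in this thread, as an added shell example that is not part of any post: it resolves an IdentityAgent value to the socket ssh would use and reports whether that socket exists in the current environment. The helper names `resolve_identity_agent` and `check_agent` are hypothetical, the two sample values are the settings discussed in the thread, and the TOKENS expansions are not handled.

```shell
#!/bin/sh
# Added example: which agent socket an IdentityAgent setting points ssh at,
# following the rules quoted from the man page in the thread.
# Helper names are hypothetical; TOKENS expansions are not handled.

# resolve_identity_agent VALUE -> prints the socket path ssh would use
resolve_identity_agent() {
    case "$1" in
        ''|SSH_AUTH_SOCK)            # unset, or told to read the env variable
            printf '%s\n' "${SSH_AUTH_SOCK:-}" ;;
        none)                        # agent use disabled
            printf '\n' ;;
        '$'*)                        # $NAME: socket path is stored in NAME
            _name=${1#?}
            case "$_name" in
                ''|[0-9]*|*[!A-Za-z0-9_]*) printf '\n' ;;   # not a valid name
                *) eval "printf '%s\n' \"\${$_name:-}\"" ;;
            esac ;;
        '~/'*)                       # tilde syntax for the home directory
            printf '%s\n' "$HOME/${1#??}" ;;
        *)                           # literal path: overrides SSH_AUTH_SOCK
            printf '%s\n' "$1" ;;
    esac
}

# check_agent VALUE -> "disabled", "unset", "ok PATH" or "missing PATH"
check_agent() {
    _sock=$(resolve_identity_agent "$1")
    if [ "$1" = none ]; then
        echo "disabled"
    elif [ -z "$_sock" ]; then
        echo "unset"
    elif [ -S "$_sock" ]; then
        echo "ok $_sock"
    else
        echo "missing $_sock"
    fi
}

# Run on the host and inside the dev container to compare the two settings
# discussed in the thread.
echo "config path:   $(check_agent '~/.1password/agent.sock')"
echo "SSH_AUTH_SOCK: $(check_agent SSH_AUTH_SOCK)"
```

A "missing" result for the config path alongside "ok" for SSH_AUTH_SOCK inside the container matches the situation in the original post, where ssh-add -l listed keys but git could not authenticate.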