Better handling of SSH keys


Comments

  • wjlyerly
    Community Member

    I would love for 1Password to have SSH Agent (https://en.wikipedia.org/wiki/Ssh-agent) capabilities. I’d like to be able to store all my ssh keys in 1Password and have my SSH clients pull keys from it automatically as needed.

  • Lars
    1Password Alumni

    Welcome to the forum, @wjlyerly! Thanks for the suggestion. It's currently not possible for 1Password to do this - as you're aware - but it's something that's been a long (if infrequently)-requested feature. The challenges of this remain the same now as they were then, though that may be changing as we move toward a future where 1Password can interact with other apps rather than just with browsers. We'll keep it in mind as we move forward.

  • ibehr
    Community Member

    Whether 1password can do much with the keys or not, why is it so hard to just create a type for keeping private/public encryption keys securely in my vault?

  • AGAlumB
    1Password Alumni

    @ibehr: No one said that it's hard. But we're not in a position to create a custom template for every single thing people ask us for (SIM cards, cars, appliances -- all of these are real examples, and it's a long list), and there are already ways to store them in 1Password. I've got mine in a Secure Note. Very handy. :)

  • yourivdlans
    Community Member
    edited July 2019

    I'm also in favour of having a native template for SSH keys. Of course you get a lot of requests for new templates which can't all be added.

    But if I look through the current list I wonder if there are more people who would want to add SSH keys or an "Outdoor licence".

    In any case, I'm still very happy using 1password!

  • Lars
    1Password Alumni

    @yourivdlans - heh. Point taken. The Outdoor License category in 1Password dates from nearly the very beginning, when 1Password was new and had few users (just like anything new, I guess!). It was an early attempt to demonstrate graphically how 1Password could be used for "real world" (i.e. - non-digital) things besides just Logins and Passwords.

    But even in the very beginning, we knew that the list of things we could create templates for was a vastly longer list than the list of things we probably should create templates for. After all, where do you draw the line? I myself have had requests that we add a dedicated category for (and this is by no means a comprehensive list): insurance forms, car registrations/details, locker combinations, SSH keys, "legal paperwork"...well, you get the idea. I've never had any doubt that each of the people requesting various new Categories within 1Password would indeed use and benefit if we added their particular request. And undoubtedly, so would at least a few other people, for every potential Category. But for most people, such a wide range of choices would be entirely useless -- literally, never used. And it adds to the complexity of 1Password, as each must have its own template and the respective fields must be coded properly; there's design as well as development time required for both the creation and maintenance of each one of these Categories. That's why we didn't initially have dozens of them, and also why we've resisted adding them in subsequent years.

    I won't try to shade the truth here: SSH keys have remained a perennial user request in a way that, say, locker combinations from my above list have not. It's something a lot of more "power" computer users would like/benefit from, for sure. And we've considered it over the years. But in addition to the reasons for not adding additional categories I've just given, in the case of SSH Keys there was the additional dilemma of: how far down that rabbit hole do we want to go? Attempt to become a full-fledged SSH key agent/management solution? Just store them? All of them had their problematic aspects, and behind all of that was the still-true fact that you can always attach SSH keys to any Secure Note. Secure Notes were always intended as a catch-all for anything you wanted to save that didn't have its own dedicated category (like locker combinations or garage door codes!).

    And finally, with the rise of 1password.com accounts in late 2015, we began experimenting with the concept of another perennial request, custom category templates. Right now, if you have a 1Password Business account and you're willing to turn on the beta features, you'll be able to experiment with actually creating your own custom templates. It's still a work in progress (which is why it remains in the beta features section), but it's very much the direction of the future: building a system that, where possible, is flexible enough to allow user customization while not risking data loss or corruption, rather than trying to design templates or categories that will suit all use cases (and inevitably fall short for some users). So while I think it's still not likely we'll be creating a static category for SSH keys any time soon, as the custom category feature becomes more robust and stable, it will likely find its way at least partially into other tiers of 1password.com service (1Password Families, Individual accounts):

    Hope that's helpful! :)

  • yourivdlans
    Community Member
    edited July 2019

    @Lars Thank you for the very clear explanation :)

    I completely get that the secure note would suffice for saving your SSH keys, but what I find a very useful feature is being able to copy fields out of an item. Say the passphrase. Using a secure note this would not be possible, the passphrase will also be visible when you open the item.

    For sure, offering the ability to save SSH keys would enable a discussion on where to draw the line feature-wise. Personally I don't see much added value for more than a good way to store SSH keys.

    It's good to hear a feature for custom templates is in the works! That would solve a lot of the missing category issues for people :)

    For now I've "hijacked" a regular login item to store my SSH key. I use the password field for the passphrase so I can easily copy and conceal it. The public key is a regular field and the private key is a password field.

  • @yourivdlans

    I completely get that the secure note would suffice for saving your SSH keys, but what I find a very useful feature is being able to copy fields out of an item. Say the passphrase. Using a secure note this would not be possible, the passphrase will also be visible when you open the item.

    It is possible to create custom fields on Secure Notes so that you can do as you've described.

    Ben

  • AGAlumB
    1Password Alumni

    But if I look through the current list I wonder if there are more people who would want to add SSH keys or an "Outdoor licence".

    @yourivdlans: For the record, I think it's safe to say that Canadians have more outdoor licenses per capita than SSH keys. :lol: But certainly having a whole category in 1Password just for that is a great illustration of why we have no plans to add more at this time. I hope we can find a good way of doing custom categories since that would be even more useful to a wide range of 1Password users. Cheers! :)

  • yourivdlans
    Community Member

    @Ben Doh! Good point, thanks!

    @brenty Haha fair. I agree, waiting in anticipation for the custom categories ^^

  • :+1: :)

    Ben

  • MicahZoltu
    Community Member

    Note: Storing an SSH Key in a Secure Note doesn't actually work since newlines are removed from password fields in a secure note. Unless you put the private key and public key in the notes field (which is multiline), in which case the private key is visible by default in 1Password UI and you cannot copy the public or private key independently.

  • Ben
    edited July 2019

    @MicahZoltu

    Ah, I didn't think about the fact that password fields are not multiline. Good catch. I don't have a better suggestion right at the moment but we'll continue to evaluate how we can best handle cases like this.

    Edit: In re-reading my above post, it seems I was addressing a customer's question about the 'passphrase' being visible (which is avoidable), so that point does still stand.

    Thanks!

    Ben

  • MicahZoltu
    Community Member

    I would be quite satisfied with the Secret Note solution to SSH keys (and just about all other things I can think to store in 1Password) if the fields were simply multiline. This feels like a simple CSS change (so newline characters aren't stripped during entry), but perhaps there is more to it than that? If all fields were multiline then I could turn Secret Notes into just about anything I could want/think of, including a place to put my SSH keys.

  • Understood. I'm going to suggest to development that we consider adding a new type of field: multiline password. I think it makes sense to keep the default password field as single-line (largely to avoid confusion for customers not looking for multiline).

    Thanks. :)

    Ben

  • MrC
    Volunteer Moderator

    My 2 cents.

    It would be great if there were multi-line and multi-line hidden fields. I'm guessing control-o-philes would love to be able to set the various attributes (hidden, multi-line, password-generator-on/off, etc.) for any custom fields.

  • I've filed an issue and made mention of those ideas. :) Thanks!

    Ben

    ref: internal/b5book#988

  • MicahZoltu
    Community Member

    Note that the newlines in SSH Key files are required (technically)! https://crypto.stackexchange.com/a/19055
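
Added example (not part of the thread, and not 1Password code): a Python sketch of the check and repair the posts above point at, for a private key that was stored in a single-line field and came back with its newlines removed. The sample key body is constructed filler rather than a usable key, and the 70-column wrap width is an assumption about how the file was originally written.

```python
import base64
import re

ARMOR = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _wrap(label, b64, width):
    # Armor lines on their own lines, base64 body split into fixed-width rows.
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "\n".join([f"-----BEGIN {label}-----", *rows, f"-----END {label}-----"]) + "\n"

def is_intact(text):
    """True if the BEGIN/END armor lines still sit on lines of their own."""
    lines = text.strip().splitlines()
    return (len(lines) >= 3
            and re.fullmatch(r"-----BEGIN [A-Z0-9 ]+-----", lines[0]) is not None
            and re.fullmatch(r"-----END [A-Z0-9 ]+-----", lines[-1]) is not None)

def rewrap(text, width=70):
    """Rebuild the line structure of a key whose newlines were stripped
    or replaced by spaces. width=70 is an assumption (see lead-in)."""
    m = ARMOR.search(text)
    if m is None:
        raise ValueError("no matching BEGIN/END armor found")
    label, body = m.group(1), m.group(2)
    if ":" in body:
        # Header lines such as "Proc-Type:" / "DEK-Info:" (legacy encrypted
        # PEM) ran together with the body; their boundaries are lost.
        raise ValueError("header lines present; boundaries cannot be recovered")
    b64 = "".join(body.split())
    base64.b64decode(b64, validate=True)  # raises ValueError if not clean base64
    return _wrap(label, b64, width)

def constructed_sample(width=70):
    """Constructed filler bytes inside OpenSSH-style armor; NOT a usable key."""
    body = base64.b64encode(b"openssh-key-v1\0" + bytes(range(200))).decode()
    return _wrap("OPENSSH PRIVATE KEY", body, width)

if __name__ == "__main__":
    original = constructed_sample()
    flattened = original.replace("\n", "")   # what a single-line field leaves behind
    print("intact before/after:", is_intact(original), is_intact(flattened))
    print("repaired matches original:", rewrap(flattened) == original)
```

A repaired key should be written to a file readable only by its owner and checked with `ssh-keygen -y -f <file>` before the stored copy is relied on.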

  • I'd be anal enough to want to retain them anyway, personally, required or not. :)

    Ben

  • al45tair
    Community Member

    +1 There's really no reason the 1Password app couldn't act as an SSH agent. On Windows it would additionally be great if it knew how to talk to PuTTY (which has its own pagent protocol).

  • AGAlumB
    1Password Alumni

    The great thing about software is that it can do just about anything...but that requires an investment of time and resources into development, testing, and ongoing support. Our focus is to make the best password manager we can. It's possible we might branch out in the future, but our priority has to be on work in service of that, not trying to replace all the other software out there. :)

  • jdehnert
    Community Member

    I want to throw my vote in for better (some) management for SSH keys, or just public/private key pairs in general. This is something that I need a better way to keep track of and secure. I can kludge it into 1Password at the moment, but it's just a kludge. Nothing elegant. Even if it's just the ability to have a field type that is multi-lined and monospaced would be a big improvement.

  • AGAlumB
    1Password Alumni

    @jdehnert: This is easy to do using Markdown in a Secure Note:

    Just add ``` to the beginning and end to make it a code block. Cheers! :)

  • jdehnert
    Community Member

    Thanks @brently. I have been doing the same, but in the Notes section of a Login. Unfortunately I can't have more than one Notes section so if I want to save my Private key, Public key, and key art in one entry, I need to pile them all up in one note section.

    Can these be handled now? Yes.

    Could these be handled better? Also yes.

    I'm not insisting on any new features. I'm just asking for consideration when you look into what new features you are going to add in the future. SSH and GPG keys are a big part of what I do. It would be nice if 1Password supported them better, because I doubt I'll be changing from 1Password any time soon.

    Some might say that my last comment obviates the need for 1Password to do anything, but I have been a 1Password user for a long time, and I like to think a little loyalty goes both ways.

  • Indeed; I'd love to see more multi-line field support in a future iteration of 1Password. Thanks for weighing in. :+1:

    Ben

  • jdehnert
    Community Member

    On a related note, does 1Password have a feature voting forum?

    I have seen these on other companies' forums where people (or just the company) can request (list) features and the forum-ites can vote on the ones they like/want the most. It's a great way to engage your customers and gauge what it is that people want.

  • Ben
    edited September 2019

    We don't. I think such a system may give the wrong impression. While of course the volume of customer feedback we see for any given feature request or issue is an important factor in determining our priorities, it isn't as if we set our schedule based on whatever is currently receiving the highest number of "votes." Additionally most of those types of systems are super easy to game, and as such I don't see us moving in that direction. We'd rather engage through discussion.

    Often times we end up solving a problem in a way other than what someone might've initially anticipated. Understanding the why of a feature request is often much more beneficial than giving too much weight to the suggested how. You don't really gain that through the type of polling you might typically see.

    Ben

  • LindleyWhite
    Community Member

    A helpful tip for those of you struggling with this multi-line copy problem. If you create a new Key/Value section in a secure note you can copy it wholly on iOS to the clipboard. So what I ended up doing is just writing the description of the key in the "Notes" and then putting the rest of the bits in sections.

  • AGAlumB
    1Password Alumni

    That's certainly one way of doing it. Thanks for sharing! :)

  • trailstrider
    Community Member

    +1 for SSH Key handling, +1,000,000,000 for doing it with key agent support (a custom 1password key agent would be fine) so that it's easy to use multiple private/public keypairs easily. Bonus for being able to have a process for appending a public key to a particular machine's authorized_keys file for the user with a single interactive login.

This discussion has been closed.