SSH Feature questions

rctneil
rctneil
Community Member
edited May 2022 in SSH

Hi,

Just some quick questions about the new SSH feature.

  1. I'm assuming that the SSH keys are synced between your machines etc?

  2. Is it possible to import existing keys from multiple machines into 1Password?

  3. If I had my keys stored in 1Password and I was setting up a brand new machine, I'm assuming all I would need to do is set up 1Password and I'd be good to go, right?

  4. If I do use 1Password's SSH features, do the keys still show up in my Mac's .ssh directory?

  5. Once the keys are in 1Password, do I need to remove them from the .ssh directory?

I have had a glance at the dev documentation but would like just a little more info. I've not enabled the feature yet, though, but I'm really excited to!

Thanks,
Neil


1Password Version: 8.6
Extension Version: Not Provided
OS Version: MacOS 12


Comments

  • eberkund
    eberkund
    Community Member

    From what I can see you would no longer have SSH keys in .ssh, instead your authentication would be piped through 1Password's SSH agent.

  • rctneil
    rctneil
    Community Member

    Ok,

    Just configured this and imported a key. I've enabled the Agent and added the appropriate lines to my config file.

    When I run ssh-add -l, I just get "The agent has no identities.".

    Any ideas how to solve this?

  • 1. Correct, the SSH Key item works like any other 1Password item in that sense.

    2. Yes, you can use the import functionality for that.

    3. Almost. You would need to turn on the SSH agent in the 1Password preferences on each device, because that setting is local (by design!) and you'll need to make sure your SSH config points to the 1Password agent socket.

    4. Nope! The private keys never leave the 1Password process.

    5. They're not needed anymore by then. We don't automatically remove the private keys from your ~/.ssh directory after importing, so you can do that yourself whenever you're comfortable.

  • And about ssh-add -l: that only works when SSH_AUTH_SOCK is set.

  • rctneil
    rctneil
    Community Member

    @floris_1P Thanks for those answers.

    In regards to ssh-add -l. Your documentation says to add a line to the config file OR set the environment variable.

    There's nothing that states that to use the above command I have to use the environment variable?

    How do I see all the keys in the agent then? without the env var being set?

    I'm confused!

  • Tertius3
    Tertius3
    Community Member

    ssh-add -l works in a remote ssh session only, if you activate agent forwarding. Parameter -A for ssh or ~/.ssh/config option.

  • rctneil
    rctneil
    Community Member

    @Tertius3 I'm sorry, I don't quite understand this. Why do the docs say OR then?

  • Tertius3
    Tertius3
    Community Member
    edited February 2022

    You didn't write if you checked ssh-add -l locally or remotely. Locally it works right away and you need to make sure the documented environment variables exist. In remote ssh sessions, the ssh client automatically creates the environment variables, if agent forwarding is enabled.
    However, this is no 1Password specific setting. It's how the ssh client works in general.

  • rctneil
    rctneil
    Community Member
    edited February 2022

    @Tertius3 I'm running that locally on my machine and no entries are found.

    The docs say I need to do one thing OR another, not both. If I add the appropriate line to my config file, then, according to the docs, I don't need to add an Env var.

  • ssh-add does not work with IdentityAgent, so you have to use the SSH_AUTH_SOCK environment variable there.

    We're working on a docs page that lists compatibility for SSH clients/tools with certain features, which should give more clarity on this subject.

  • kevinneufeld
    kevinneufeld
    Community Member

    I followed the instructions as well, but cannot get it to work. Imported my key, moved it out of .ssh and added export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock to my shell and I get the following error.

    Thu 24 10:39pm in ~
    •100% ▶ ssh -T git@gitlab.com
    git@gitlab.com: Permission denied (publickey,keyboard-interactive).
    
  • @kevinneufeld And what do you get when you run:

    SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ssh-add -l
    
  • kevinneufeld
    kevinneufeld
    Community Member

    @floris_1P I get:

    Mon 28  9:01am in ~
    ⇣94% ▶ SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ssh-add -l
    The agent has no identities.
    
  • Is the SSH key you imported in a Private vault or a shared vault?

  • kevinneufeld
    kevinneufeld
    Community Member

    It is in a private vault specifically for work.

  • kevinneufeld
    kevinneufeld
    Community Member

    When I move the key back to the personal vault I get the valid output:

    Mon 28  8:26pm in ~ took 1m 51s
    •100% ▶ SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ssh-add -l
    256 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (ED25519)
    
  • kevinneufeld
    kevinneufeld
    Community Member

    Is there a way to target additional/other vaults?

  • rctneil
    rctneil
    Community Member

    @floris_1P

    I'm really sorry but this is not making any sense to me.

    In your documentation, you state:

    "On Mac and Linux, add the IdentityAgent to your config file or set the SSH_AUTH_SOCK environment variable."

    and

    "Add the IdentityAgent snippet to your ~/.ssh/config file:

    Host *
    IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

    Or set the SSH_AUTH_SOCK environment variable in the shell where your SSH command runs:

    export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock
    "

    You explicitly say the word "or" twice. This indicates that the user has to do one OR the other.

    If you HAVE to do both then surely the documentation needs to be updated. I run ssh-add -l and it fails to show any keys.

    If I am misunderstanding then that's fine, but please ensure your documentation is cleared up and everything clarified to ensure misunderstandings like this don't happen.

    Please could you explain again here so I can try to understand.

  • Enceladus
    Enceladus
    Community Member

    I was having trouble with this too and got it working. I had originally created an ssh key in my "Work" vault (not shared with anyone, but I don't think it counts as private), and was bemused as to why ssh -v was failing and claiming the agent had no identities.

    Moving the key to the Personal vault fixed it. I can ssh hostname and 1Password prompts me for permission to connect, easy peasy.

    @rctneil IdentityAgent is a way to override the SSH_AUTH_SOCK variable. It lets you instruct SSH to use a different ssh-agent for particular hosts, while SSH_AUTH_SOCK is the default. If 1Password is the only ssh-agent you're running, you can export SSH_AUTH_SOCK=<that long path> as suggested and that should work fine. No need to set IdentityAgent at all.

    In my case I'm already running a different agent on SSH_AUTH_SOCK. So I set up my ~/.ssh/config file like this for 1PW:

    Host somethingtouse1passwordfor
      HostName 123.456.78.910
      User username
      Port 42
      IdentityAgent ~/.1password/agent.sock   # symlink to the full socket path
    
    Host *
      IdentityFile ~/.ssh/my-normal-id
      AddKeysToAgent yes
    

    Note that in this case, ssh-add -l only shows the keys in my default agent, NOT what's in the 1PW agent. The reason for this is that ssh-add looks at SSH_AUTH_SOCK to get the socket through which to communicate with an agent. If I want to see what's saved in the 1PW agent, I need to change the environment variable. I can do this temporarily for my current shell session like so:

    SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock
    

    And then ssh-add -l will report the key(s) from 1PW.

    The documentation kind of assumes someone already knows how this works, which is probably a mistake given how arcane SSH can be and how minimal the usual instructions are that people get from github, web hosts, etc. If anyone wants to read a genuinely good explanation of what's going on, this article saved me a lot of headaches.
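    The distinction above (ssh honours IdentityAgent per host, while ssh-add only ever reads SSH_AUTH_SOCK) can be checked with a small script. This is an added example, not code from the thread or from 1Password: it resolves the socket for a host the way ssh's first-match rule does, then points ssh-add at that socket. The host name and the IP are constructed; the socket path is the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from 1Password. ssh honours
# IdentityAgent in ~/.ssh/config, but ssh-add only reads SSH_AUTH_SOCK, so
# this resolves the socket the way ssh would and points ssh-add at it.

# Print the agent socket ssh would use for host $2 per config file $1:
# the first matching IdentityAgent wins, else fall back to $SSH_AUTH_SOCK.
resolve_agent_socket() {
    cfg=$1; host=$2; active=1; found=
    set -f                      # no filename globbing while splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}        # strip comments
        set -- $line            # split into keyword and arguments
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); shift
        case $key in
            host)
                active=1
                for pat in "$@"; do
                    case $host in $pat) active=0; break;; esac
                done ;;
            identityagent)
                if [ $active -eq 0 ] && [ -z "$found" ]; then
                    found=$*                      # rejoin a path with spaces
                    found=${found#\"}; found=${found%\"}
                fi ;;
        esac
    done < "$cfg"
    set +f
    found=${found:-$SSH_AUTH_SOCK}
    case $found in "~"/*) found=$HOME${found#\~};; esac   # expand leading ~
    printf '%s\n' "$found"
}

# Constructed sample config (hypothetical host) in the layout discussed above.
write_sample_config() {
    cat > "$1" <<'EOF'
Host somethingtouse1passwordfor
  HostName 192.0.2.10
  IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

Host *
  IdentityFile ~/.ssh/my-normal-id
EOF
}

# List identities from whichever agent ssh would use for the host.
list_identities_for_host() {
    SSH_AUTH_SOCK=$(resolve_agent_socket "$1" "$2") ssh-add -l
}
```

    On a real machine `ssh -G <host>` prints the resolved identityagent line as well; the parser here avoids depending on ssh so it can run anywhere.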

  • rctneil
    rctneil
    Community Member

    @Enceladus Many many thanks for your explanation.

    When I get back on my personal machine I will reread your post and try it all out!

    Thanks!

  • nikolamilekic
    nikolamilekic
    Community Member

    I just wasted a lot of time trying to figure out why SSH wasn't working for me. Same issue as @kevinneufeld: only "Personal" (or default) vault works. The other private vaults DO NOT. Is this a bug or a poorly documented feature?

  • @rctneil Yes, you're right that the or part is a bit confusing, because not every SSH client supports IdentityAgent. So we just released a brand new page to list which SSH clients support which configuration options: https://developer.1password.com/docs/ssh/agent/compatibility

    It says there that ssh-add does not support IdentityAgent, for example.

    We're also linking to this page from the get started guide.

  • @nikolamilekic That's not a bug. We've listed the SSH key requirements for the SSH agent here: https://developer.1password.com/docs/ssh/agent#eligible-keys

    Anything you feel that's missing there to prevent others running into the same issue?

  • nikolamilekic
    nikolamilekic
    Community Member

    @floris_1P I read those requirements and I understood the private vault one to mean any vault that is not shared. As I'm not the only one to come to that (wrong) conclusion I feel you need to explain it better. Instead of saying private vault how about saying "the account's default vault" (if that is indeed the case)?

    Why is this requirement there to begin with? It's not intuitive (or we wouldn't be here), and it forces users to change their workflows to suit the software...

  • skrtks
    skrtks
    Community Member

    I've transferred some of my SSH keys I use frequently to 1P to do some testing, and I'm really enjoying the experience so far! However, what I don't like is that keys are locked quite fast after use. For example, Intellij frequently fetches in the background, and every time this happens I have to grant access to the key again.

    It would be great if 1P would remember my choice as long as my vault is unlocked. Or even better, just remember which apps have access to a key, and don't ask me anything as long as my vault is unlocked.

    What are the plans regarding this?

  • aurimasniekis
    aurimasniekis
    Community Member

    Like @skrtks mentioned, JetBrains IDEs constantly fetch git data, which causes 1Password to ask for permission, which, if you have e.g. 5-6 IDEs open, is quite annoying. I would love it if there were an option like the macOS Keychain's "Always Allow" or something similar.

  • negnetsolutions
    negnetsolutions
    Community Member

    Like @skrtks mentioned, I use nvim inside of tmux and have plenty of different git integrations that are always checking the status of remote git repos. I get 1-2 ssh key requests each time I open a new shell / vim session. Or opening a transmit session over sftp (which by default opens multiple remote server connections) often ends up with 4-8 requests to unlock.

    I realized that my git integrations are not the most optimized. But, an "always allow for process" would be a very nice addition.

    In fact, using 1P to unlock my primary ssh identity is essentially useless for me right now as I'm constantly interrupted by authentication requests. For now, I went back to using local key files.... :(

  • floris_1P
    edited May 2022

    @skrtks @aurimasniekis @negnetsolutions We've recently made some improvements in this area, especially around those consecutive prompts piling up. Could you see if it got any better now?

    @nikolamilekic I agree and we're aware of this. It's a requirement we're looking to remove soon. The reason why it's there is because we need to build an opt-in mechanism to use those keys.

  • nikolamilekic
    nikolamilekic
    Community Member

    @floris_1P How about a special tag? Similar to how '2FA' is used to suppress 2FA warnings, or 'Apple Watch' to indicate items available on WatchOS?

This discussion has been closed.