SSH Keys - The agent has no identities.

dnk
Community Member
edited March 2022 in SSH

Hi there, I am attempting to set up my SSH keys during my trial period (evaluating 1Password). I followed the docs, and when I test for the keys, I get the above error, and when I authenticate to a server, I am getting:

❯ ssh docker
dustin@10.0.0.33: Permission denied (publickey).

Any suggestions?

  • I have rebooted, restarted SSH services post config changes and restarted the 1Password app as well.

Thank you very much.

System Specs

❯ cat -p /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=21.10
DISTRIB_CODENAME=impish
DISTRIB_DESCRIPTION="Ubuntu 21.10"
1Password for Linux 8.6.0

80600076, on PRODUCTION channel
Brave with the Chrome extension (2.3.0)

System Config

Key Entry

Desktop App

SSH Config

Host *
  IdentityAgent ~/.1password/agent.sock

Processes

❯ ps aux | grep 1pass
dustin   1338775  2.4  0.2 25510072 144948 ?     Sl   09:52   0:08 /opt/1Password/1password --type=renderer --enable-crashpad --enable-crash-reporter=e902f537-9180-4273-99fa-bdc20a5b2130,no_channel --user-data-dir=/home/dustin/.config/1Password --standard-schemes=resource,file-icon --enable-sandbox --secure-schemes --bypasscsp-schemes=resource,file-icon --cors-schemes --fetch-schemes=resource,file-icon --service-worker-schemes --streaming-schemes --app-path=/opt/1Password/resources/app.asar --enable-sandbox --disable-blink-features=Auxclick --lang=en-GB --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --launch-time-ticks=34298985616 --shared-files=v8_context_snapshot_data:100 --field-trial-handle=0,2157891041157314061,2950027978502139891,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess
dustin   2644225  0.0  0.0   8748  6148 pts/4    S+   09:58   0:00 rg 1pass
dustin   4064145  0.3  0.2 21574616 178104 ?     Sl   09:46   0:02 /opt/1Password/1password --enable-crashpad
dustin   4064219  0.0  0.0 16993684 48160 ?      S    09:46   0:00 /opt/1Password/1password --type=zygote --no-zygote-sandbox --enable-crashpad --enable-crashpad
dustin   4064224  0.0  0.0 16993684 45688 ?      S    09:46   0:00 /opt/1Password/1password --type=zygote --enable-crashpad --enable-crashpad
dustin   4064286  0.0  0.0 16993684 12360 ?      S    09:46   0:00 /opt/1Password/1password --type=zygote --enable-crashpad --enable-crashpad
dustin   4065377  0.4  0.2 17400988 132784 ?     Sl   09:46   0:03 /opt/1Password/1password --type=gpu-process --enable-crashpad --enable-crash-reporter=e902f537-9180-4273-99fa-bdc20a5b2130,no_channel --user-data-dir=/home/dustin/.config/1Password --gpu-preferences=UAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --shared-files --field-trial-handle=0,2157891041157314061,2950027978502139891,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess
dustin   4065418  0.0  0.0 17059348 58260 ?      Sl   09:46   0:00 /opt/1Password/1password --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --enable-crashpad --enable-crash-reporter=e902f537-9180-4273-99fa-bdc20a5b2130,no_channel --user-data-dir=/home/dustin/.config/1Password --standard-schemes=resource,file-icon --enable-sandbox --secure-schemes --bypasscsp-schemes=resource,file-icon --cors-schemes --fetch-schemes=resource,file-icon --service-worker-schemes --streaming-schemes --shared-files=v8_context_snapshot_data:100 --field-trial-handle=0,2157891041157314061,2950027978502139891,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess --enable-crashpad
dustin   4066455  0.0  0.1 25506024 92712 ?      Sl   09:46   0:00 /opt/1Password/1password --type=renderer --enable-crashpad --enable-crash-reporter=e902f537-9180-4273-99fa-bdc20a5b2130,no_channel --user-data-dir=/home/dustin/.config/1Password --standard-schemes=resource,file-icon --enable-sandbox --secure-schemes --bypasscsp-schemes=resource,file-icon --cors-schemes --fetch-schemes=resource,file-icon --service-worker-schemes --streaming-schemes --app-path=/opt/1Password/resources/app.asar --enable-sandbox --disable-blink-features=Auxclick --lang=en-GB --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --launch-time-ticks=33918101183 --shared-files=v8_context_snapshot_data:100 --field-trial-handle=0,2157891041157314061,2950027978502139891,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess

Checking for Keys

❯ export SSH_AUTH_SOCK=~/.1password/agent.sock
❯ ssh-add -l
The agent has no identities.

1Password Version: Linux 8.6.0
Extension Version: version 2.3.0
OS Version: Ubuntu 21.10

Comments

  • miquella
    Community Member

    I've been running into a very similar error trying to set up the 1Password SSH Agent. Eventually I was able to sort out that mine was due to my SSH key being in my "Work" vault, not my "Private" vault.

    Differences in my environment:

    • Fedora 35
    • Chrome Browser
    • ~/.ssh/config
    Host *
        IdentityAgent ~/.1password/agent.sock
        IdentityFile ~/.ssh/id_op.pub
        IdentitiesOnly yes
    
  • dnk
    Community Member

    being in my "Work" vault, not my "Private" vault.

    THIS!!!

    I had a separate vault for SSH keys. Once I moved it back, everything worked as expected!

    Thanks a TON.

  • Correct, the agent will only use keys from your Private/Personal vault. We're working on a way to remove this limitation by offering an opt-in mechanism to use keys from other vaults. When doing so, would you guys prefer an opt in per vault or per individual key?

  • Cu3PO42
    Community Member

    I would also like the ability to configure the keys the agent will use either per vault or per key. In a perfect world, I'd like a per vault setting and an optional per-key override, but realistically, I believe having either option would be fine. However, I would also like the ability to disable keys from the Private vault. This can obviously be worked around by moving those keys to yet another vault, but it would be a nice touch in my opinion.

  • jc00ke
    Community Member

    Ah, this is what's been getting me! We store shared SSH keys in staging and production vaults and I was wondering why the 1Password SSH agent stopped working. Yeah, would love either per-vault (probably ideal in my case) or per-key.

  • jc00ke
    Community Member

    Honestly, it would be cool to be able to use the secret reference syntax.

  • bbeckford
    Community Member

    @floris_1P I'd love an opt-in per vault, but per individual key would also be useful to be honest!

  • Hacksore
    Community Member

    I'd love to have the per vault opt-in but as others have said individual key could be nice as well.

  • wavesound
    Community Member

    Not sure what you mean by Opt-In vs Individual Key? But I am a fan of removing the limitation!

  • Hacksore
    Community Member
    edited June 2022

    What I'd like for a user experience is I can opt-in a whole vault for example:

    App XYZ - UAT (All keys in this vault would be exposed to the agent)

    Or being able to pick a certain key inside a vault marked for usability example:

    App XYZ - PROD => App Server SSH (Only this key would be exposed to the agent)

    Hope that helps add more clarity to what I'm trying to convey.

  • @dnk @miquella @Cu3PO42 @jc00ke @bbeckford @Hacksore @wavesound

    I wanted to let you know that we're currently working on a solution that allows for the following:

    • Enable keys from other vaults than the Private vault.
    • Create isolated setups with certain keys offered on a separate socket.
    • Control the order in which keys are offered to SSH servers.

    It would be great to get your feedback on our proposal, if you're (still) interested. You can do so by joining the #ssh-agent-config channel in our Slack workspace.

  • larsrickert
    Community Member

    Hey together,

    I am also facing the issue that 1Password (Version 8.10.7) does not recognize my SSH keys for signing commits.
    They are inside my personal vault and they worked before. But a few days/weeks ago they stopped working.

    Running "ssh-add -l" shows "The agent has no identities." although I have 3 SSH keys in my personal vault.

    My SSH config:
    Host *
    IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

    My git config:
    [user]
    signingkey = ssh-ed25519

    [gpg]
    format = ssh

    [gpg "ssh"]
    program = "/Applications/1Password.app/Contents/MacOS/op-ssh-sign"

    [commit]
    gpgsign = true

    The issue occurs both on macOS 13.4 (22F66) and Windows 11. I am using git version 2.39.2

    Could you help me solve this? Thanks!

  • @larsrickert Could you try upgrading to the latest 1Password version? There was a related bug we fixed that may solve your issue.

  • larsrickert
    Community Member

    Hey @floris_1P, yes it works now with version 8.10.8, thanks!

  • paulkre
    Community Member

    I have the same problem on 8.10.8. Same configuration as @larsrickert.

  • paulkre
    Community Member
    edited July 2023

    -

  • paulkre
    Community Member

    Works now. Forgot to set the SSH_AUTH_SOCK variable...

This discussion has been closed.
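
The causes reported in this thread (key outside the Private/Personal vault, SSH_AUTH_SOCK not set) can be told apart by the exit status of `ssh-add -l`. The script below is an added example, not part of the original discussion and not 1Password's own tooling; the function names are hypothetical and the default socket path is the Linux one quoted above.

```shell
#!/bin/sh
# Added example: triage for "The agent has no identities." (not from the thread).
# Note: ssh reads IdentityAgent from ~/.ssh/config, but ssh-add only honours
# SSH_AUTH_SOCK, so the two can be talking to different agents.

# Map the ssh-add -l exit status to a diagnosis (per ssh-add(1):
# 0 = success, 1 = command failed / no identities, 2 = cannot contact agent).
diagnose_rc() {
    case "$1" in
        0) echo "ok" ;;
        1) echo "agent-empty" ;;
        2) echo "agent-unreachable" ;;
        *) echo "unknown" ;;
    esac
}

# Check one socket path: present, really a socket, and what the agent lists.
check_agent() {
    sock=$1
    if [ ! -e "$sock" ]; then echo "socket-missing"; return 0; fi
    if [ ! -S "$sock" ]; then echo "not-a-socket"; return 0; fi
    rc=0
    SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1 || rc=$?
    diagnose_rc "$rc"
}

# Does the current shell point ssh-add (and git signing) at the expected socket?
env_matches() {
    if [ "${SSH_AUTH_SOCK:-}" = "$1" ]; then echo "env-ok"; else echo "env-differs"; fi
}

report() {
    sock=$1
    echo "socket:        $sock"
    echo "SSH_AUTH_SOCK: $(env_matches "$sock")"
    state=$(check_agent "$sock")
    echo "agent:         $state"
    case "$state" in
        agent-empty) echo "hint: agent is up but offers no keys; per this thread, check the key is in the Private/Personal vault" ;;
        socket-missing|agent-unreachable) echo "hint: the SSH agent is not listening on that socket; check that it is enabled in the app" ;;
    esac
}

# Assumption: default is the Linux socket path from this thread; pass another as $1.
report "${1:-$HOME/.1password/agent.sock}"
```

On macOS, pass the Group Containers socket path from the SSH config quoted above as the first argument.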