(macOS) SSH Agent is not working

AlanVazquez
Community Member
edited May 2022 in SSH

The option to use the SSH Agent is enabled and I even enabled the option to start at login.

But when I open my terminal, the SSH Agent is not active.

$ cat ~/.ssh/config                                         
Host *
  IdentityAgent "~/.config/1password/agent.sock"

$ ssh-add -l
The agent has no identities.

$ export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock

$ ssh-add -l
The agent has no identities.

$ ps -ef | grep ssh-agent
  501  1449  1342   0 10:45PM ttys000    0:00.00 grep --color ssh-agent

$ ssh -Tv git@github.com
OpenSSH_8.6p1, LibreSSL 3.3.5
debug1: Reading configuration data /Users/alanv/.ssh/config
debug1: /Users/alanv/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to github.com port 22.
debug1: Connection established.
debug1: identity file /Users/alanv/.ssh/id_rsa type -1
debug1: identity file /Users/alanv/.ssh/id_rsa-cert type -1
debug1: identity file /Users/alanv/.ssh/id_dsa type -1
debug1: identity file /Users/alanv/.ssh/id_dsa-cert type -1
debug1: identity file /Users/alanv/.ssh/id_ecdsa type -1
debug1: identity file /Users/alanv/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/alanv/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/alanv/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/alanv/.ssh/id_ed25519 type -1
debug1: identity file /Users/alanv/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/alanv/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/alanv/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/alanv/.ssh/id_xmss type -1
debug1: identity file /Users/alanv/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.6
debug1: Remote protocol version 2.0, remote software version babeld-4f04c79d
debug1: compat_banner: no match: babeld-4f04c79d
debug1: Authenticating to github.com:22 as 'git'
debug1: load_hostkeys: fopen /Users/alanv/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU
debug1: load_hostkeys: fopen /Users/alanv/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'github.com' is known and matches the ED25519 host key.
debug1: Found key in /Users/alanv/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /Users/alanv/.ssh/id_rsa 
debug1: Will attempt key: /Users/alanv/.ssh/id_dsa 
debug1: Will attempt key: /Users/alanv/.ssh/id_ecdsa 
debug1: Will attempt key: /Users/alanv/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /Users/alanv/.ssh/id_ed25519 
debug1: Will attempt key: /Users/alanv/.ssh/id_ed25519_sk 
debug1: Will attempt key: /Users/alanv/.ssh/id_xmss 
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/alanv/.ssh/id_rsa
debug1: Trying private key: /Users/alanv/.ssh/id_dsa
debug1: Trying private key: /Users/alanv/.ssh/id_ecdsa
debug1: Trying private key: /Users/alanv/.ssh/id_ecdsa_sk
debug1: Trying private key: /Users/alanv/.ssh/id_ed25519
debug1: Trying private key: /Users/alanv/.ssh/id_ed25519_sk
debug1: Trying private key: /Users/alanv/.ssh/id_xmss
debug1: No more authentication methods to try.

git@github.com: Permission denied (publickey).

I already tried to activate the SSH Agent manually and add the 1Password socket, but it doesn't work.

$ eval $(ssh-agent -s)                                                                  
Agent pid 2479

$ export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock

$ ssh-add -l                                                                            
The agent has no identities.

1Password Version: 8.7.0 80700012
Extension Version: Not Provided
OS Version: macOS 12.3
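
A diagnostic built from the commands in the post above, as an added example (not from the original thread or from 1Password). It resolves which agent socket `ssh` would use for a host, then uses the exit status of `ssh-add -l` to separate an unreachable agent from a reachable agent that offers no keys, which is what "The agent has no identities." reports. The function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# Read `ssh -G <host>` output on stdin and print the agent socket ssh would
# use: IdentityAgent from ssh_config overrides SSH_AUTH_SOCK when it is set.
effective_agent() {
    agent=$(sed -n 's/^identityagent //p' | head -n 1)
    agent=${agent#\"}; agent=${agent%\"}               # drop surrounding quotes
    case $agent in
        ''|SSH_AUTH_SOCK) agent=${SSH_AUTH_SOCK:-} ;;  # fall back to the env
        none) agent= ;;                                # agent use disabled
        '~/'*) agent=$HOME/${agent#??} ;;              # expand a leading ~/
    esac
    printf '%s\n' "$agent"
}

# Print the state of one socket path:
#   missing | not-a-socket | unreachable | empty | has-keys
classify_agent() {
    sock=$1
    [ -e "$sock" ] || { echo missing; return 0; }
    [ -S "$sock" ] || { echo not-a-socket; return 0; }
    # ssh-add ignores ssh_config, so the socket is passed via SSH_AUTH_SOCK.
    rc=0
    SSH_AUTH_SOCK=$sock ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo has-keys ;;
        1) echo empty ;;        # agent answered but offers no keys: check
                                # where the keys are stored, not the socket
        *) echo unreachable ;;  # exit 2: nothing is answering on the socket
    esac
}

# Resolve and classify the agent for one host alias from ~/.ssh/config.
diagnose() {
    path=$(ssh -G "$1" | effective_agent)
    echo "ssh $1 would use agent socket: ${path:-<none>}"
    echo "agent state: $(classify_agent "$path")"
}

# Run only when a host alias is given, e.g.: sh agentcheck.sh git_work
if [ "$#" -gt 0 ]; then
    diagnose "$1"
fi
```
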

Comments

  • The agent currently only takes SSH keys from Private or Personal vaults into account. Is that where you've stored your key(s)?

  • AlanVazquez
    Community Member

    Hi @floris_1P

    I have 5 keys in 1Password (None of them are listed using ssh-add -l):

    • I created 3 keys using ssh-keygen -t ed25519 -C <comment> -f <file> and then imported them into 1P.
    • I created 2 keys directly on 1P, one RSA and one ED25519

    For the keys I create with ssh-keygen I use the IdentityFile option, but remove it so I can use them from 1Password.

    This is a part of my ssh config file:

    Host *
      IdentityAgent "~/.config/1password/agent.sock"
    
    Host git_work
      Hostname github.com
      User git
      #IdentityFile ~/.ssh/git_work
    
    Host git
      Hostname github.com
      User git
      #IdentityFile ~/.ssh/git
    
  • Okay, but in which 1Password vault do you have those keys?

  • AlanVazquez
    Community Member

    Oh, sorry for the misunderstanding. I thought that by private you meant 1P and by personal the keys that I created manually.

    I guess a private vault is any other vault than the Personal one, right?
    I moved the keys to the Personal vault and it works!!

    Is there a way to use the keys from another vault?
    Maybe I didn't see it, but is this in the documentation?

  • Good to hear that it works now! And yes, we're working on an opt-in mechanism so you can also use keys from other vaults. The current SSH key item requirements for the agent are documented here.

  • AlanVazquez
    Community Member

    I see that the second requirement is "Stored in the Private or Personal vault of any of your 1Password accounts". If the upgrade to use the keys from a private vault is going to take a while, you should just put "Personal vault" until this feature is ready.

    I mention this because I spent 2 days fighting with the ssh-agent and other crazy settings. It was as simple as moving the keys to the personal vault.
    I have a work vault, a shared one and a private one that I use as my personal vault so I don't use the "personal" vault at all.

  • It says "Private or Personal" because the name of that vault can differ per account (depending on a bunch of things, partly for historic reasons, partly based on which plan you're on). So in some accounts that vault is called "Private" instead of "Personal".

    But I hear what you're saying! We'll look into making this a more apparent part of the onboarding flow.

  • HenryQW
    Community Member

    I ran into the exact same issue, because I moved all my keys into a travel-safe vault and they stopped working.

  • @AlanVazquez @HenryQW I wanted to follow up with an update that we're working on a solution that lets you enable keys from other vaults than the Private/Personal vault. It would be great to get your feedback on our proposal, if you're (still) interested. You can do so by joining the #ssh-agent-config channel in our Slack workspace.

  • Update: The feature Flo describes is now available to try in the Nightly release channel. You can find instructions on how to use the feature in the Slack workspace channel linked above. We'd love to hear your feedback.

This discussion has been closed.