ssh agent does not list my keys despite $SSH_AUTH_SOCK set

Oh, I added the "AssociatedBundleIdentifier" to try and get this to show something nicer than "launchctl" in the Login Items & Extensions panel in MacOS System Settings. But that didn't work. Mayhaps y'all can actually add/create this plist file within the app bundle and get it to show up nice as an item under the "1Password.app" item that is already there...(although that "App Background Activity" item may be there because of our Jamf device configuration for our 1P users).

Waking a zombie thread on this topic. Welcome back! If anyone @ 1Password sees this, you have developer docs that need updating.

I've been having repeated issues where non-ssh clients like git and gcloud are not seeing or honoring configs in my ~/.ssh/config where I've declared IdentityAgent. Which is to say these clients were not correctly finding and using the 1Password SSH Agent, so SSH connections were simply timing out instead of correctly prompting me to authorize use of the SSH key.

Searching and troubleshooting eventually brought me here (<-- the page that needs fixing, 1P folks) where I found that if I define SSH_AUTH_SOCK, these apps all continue to behavore more as I expected. So I tried to follow those instructions to create a plist file to automatically set SSH_AUTH_SOCK since some utilities use that over the SSH config. But the plist file on that page is wrong.

The command that it is (trying to) run is: 

ln -sf  ~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock \$SSH_AUTH_SOCK 

But this plist fails to run successfully. LaunchAgents do not like to run things that run things, like open a shell to run a command, so it doesn't want to do this. After much troubleshooting, I did eventually convince this to run as intended by changing the program arguments to /bin/ln / -sf / ~/Lib...sock / $SSH_AUTH_SOCK.

This then brought me to the real issue, which is that this plist is trying to replace the agent.sock file with a symlink to itself, which is Not Right. What we want to do is to set the environment variable, not break the .sock file, which is similar to running:

export SSH_AUTH_SOCK=~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock

On a commandline, this would normally just be dropped into a .bashrc, .zshrc, or /etc/profile.d/1password.sh file. But for any tools that aren't being started from a commandline, we need that environment variable set on login so it's existing in our macos login session (not just a bash or zsh session).

Here's what I have, which is working:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.1password.SSH_AUTH_SOCK</string>
        <key>AssociatedBundleIdentifier</key>
        <array>
            <string>com.1password.1password</string>
        </array>
        <key>Program</key>
        <string>/bin/launchctl</string>
        <!--key>StandardErrorPath</key>
        <string>/tmp/1password.launchagent.err</string>
        <key>StandardOutPath</key>
        <string>/tmp/1password.launchagent.out</string-->
        <key>ProgramArguments</key>
        <array>
            <string>/bin/launchctl</string>
            <string>setenv</string>
            <string>SSH_AUTH_SOCK</string>
            <string>~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock</string>
            <!--string>\$SSH_AUTH_SOCK</string-->
        </array>
        <key>RunAtLoad</key>
        <true />
    </dict>
</plist>

So there you go. And the commented out StandardErrorPath and StandardOutPath keys are left here for the betterment of the world - pretty handy to be able to go see what/whether is actually running when you try to load this with launchctl.

I have the exact same issue on a freshly setup Macbook, with the very same behaviour. the config file looks fine, but it just doesn't have any available identities and $SSH_AUTH_SOCKET also points to the apple listener.

I've come across the same issue. My git commands correctly make 1PW prompt for my authorization but any ssh commands fail to do so.

Have you found a solution to this since coming across the issue? I have not come further than the things you described above.

For the record if I manually add the

export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock

line to the zsh config, reload, and make sure that the env var is that one, ssh-add -l works as intended and will list the keys 1password has.

I'm having trouble getting the built in ssh agent to NOT start, and the SSH_AUTH_SOCK to not be set to the apple listener.

I've tried the launchctl bootout, disable, etc, to no avail.

So I guess the question is, how do I force my computer to use the 1Password ssh agent, and not its own built in ssh agent? 🤔

Further, the ssh-agent is started by launchd, the value of $SSH_AUTH_SOCK is from that process. It's in the open files in the activity monitor.

When I list the services that launchd starts with launchctl list and then grep for the process ID of the ssh-agent, it is started by com.openssh.ssh-agent.

That seems to be a mac built in openssh agent per https://gist.github.com/vancluever/de1c3985c8f9e2a3c4bdc42a057e075e (I found the plist in /System/Library/LaunchAgents) and https://discussions.apple.com/thread/7874675