jpanderson-keldin
1 month ago, New Contributor
SSH Agent Forwarding to Remote Mac
Okay! I have a Mac Mini that I use as a home server (it was effectively free after trade-ins of old stuff). I do have 1Password and its SSH agent running there for when I'm using it with a screen attached, but I'd like to be able to initiate 1Password requests when SSH'ed into the box as well so I can perform `git` operations in particular.
I have tried https://developer.1password.com/docs/ssh/agent/forwarding/#remote-workstation and to an extent it works.
```sh
ssh -A my_name@macmini.local
cat ~/.ssh/config
# Output, showing we are trying to force using SSH_AUTH_SOCK
# Match host * exec "test -z $SSH_TTY"
#   IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
echo $SSH_AUTH_SOCK
# /Users/my_name/.ssh/agent/s.czyqavwOqO.sshd.RviXimjiEr
```
So I can see that I'm getting some kind of agent socket attached appropriately. I've configured the `.ssh/config` to not use the IdentityAgent when over SSH (it's not commented out in the actual file, just commented here for display purposes in the code block).
However, when trying to run a git command, it's like SSH doesn't even try to use the auth socket for pulling data and `ssh-add -l` is equally unhelpful.
```sh
ssh-add -l
# The agent has no identities.
git pull
# git@github.com: Permission denied (publickey).
# fatal: Could not read from remote repository.
# Please make sure you have the correct access rights
# and the repository exists.
```
I am sure I'm just missing a configuration of some kind somewhere but I am at a loss for what it could be. Happy to provide other debug information from either the host or the remote Mac mini as needed.
2 Replies
- jpanderson-keldin, New Contributor
Ok, I actually discovered the problem. I needed the following in `~/.ssh/config` on the laptop.
```
Host *
  IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
```
There's a chance a less aggressive host configuration might work. Maybe it needs to be `Host <the Mac mini's host name>` to enable forwarding?
- Michael_Mercuri, Dedicated Contributor
There are generally two ways to set the auth socket used by the identity agent (whether using 1Password SSH Agent, OpenSSH, or any other SSH agent):
1. Specify the IdentityAgent option in the ~/.ssh/config file like you're already doing (also works on the command line with "ssh -o IdentityAgent").
2. Specify via the SSH_AUTH_SOCK environment variable.
For option 2, you could set in your shell startup (e.g. ~/.zshrc or ~/.bashrc):
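```sh
# Keep a socket that is already set (e.g. by SSH agent forwarding); otherwise use the local 1Password agent.
# $HOME is used because a tilde directly followed by a quoted string is not expanded by the shell.
export SSH_AUTH_SOCK="${SSH_AUTH_SOCK:-$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock}"
```
Then you could leave the IdentityAgent option out of ~/.ssh/config. This should also work when logged in remotely and SSH_AUTH_SOCK is already set via SSH agent forwarding.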
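
An added diagnostic helper, not part of either reply or of 1Password's documentation: it applies the precedence discussed in this thread (an IdentityAgent setting overrides SSH_AUTH_SOCK) to `ssh -G` output, so each hop can be checked for which agent socket it will use and whether it forwards one. The function name `agent_report` and the sample excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which agent socket an ssh client would use.
# stdin: output of `ssh -G <host>`   $1: the caller's SSH_AUTH_SOCK value
# Rules follow ssh_config(5): IdentityAgent overrides SSH_AUTH_SOCK, "none"
# disables the agent, and the literal SSH_AUTH_SOCK means "use the env var".
agent_report() {
    env_sock=$1
    agent='' forward=no
    while read -r key value; do
        case $key in
            identityagent) agent=$value ;;     # value may contain spaces
            forwardagent)  forward=$value ;;
        esac
    done
    case $agent in
        ''|SSH_AUTH_SOCK) sock=${env_sock:-none}; src=env ;;
        none)             sock=none;              src=config ;;
        *)                sock=$agent;            src=config ;;
    esac
    printf 'agent=%s source=%s forward=%s\n' "$sock" "$src" "$forward"
}

# Constructed `ssh -G` excerpts (not captured from a real machine).
# Laptop with the 1Password IdentityAgent configured for all hosts:
SAMPLE_1P='hostname macmini.local
forwardagent yes
identityagent ~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock'
# Laptop with no IdentityAgent: ssh falls back to whatever SSH_AUTH_SOCK holds.
SAMPLE_PLAIN='hostname macmini.local
forwardagent yes'

# Demo on the constructed input; /tmp/constructed.sock stands in for the env value.
printf '%s\n' "$SAMPLE_1P"    | agent_report /tmp/constructed.sock
printf '%s\n' "$SAMPLE_PLAIN" | agent_report /tmp/constructed.sock

# Live use on either machine:
#   ssh -G macmini.local | agent_report "$SSH_AUTH_SOCK"
```

If the reported socket is not the 1Password one on the machine where the connection starts, `ssh-add -l` on the far side will list whatever that other agent holds, which may be nothing.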