1password Ssh Agent




If you want to omit passphrase and password entry when you are using Secure Shell, you can use the agent daemon. Use the ssh-agent command at the beginning of the session. Then, store your private keys with the agent by using ssh-add. If you have different accounts on different hosts, add those keys that you intend to use in the session. With the ssh-agent running and the key added to the agent, any ssh session can now be authenticated with that key. Additional ssh-keys, if needed, can be added using ssh-add as described above. Instead of entering the ssh-key password each time, the agent manages the keys and only asks once for the password of the keys.

How to Log in With No Password While Using ssh-agent

If you want to omit passphrase and password entry when you are using Secure Shell, you can use the agent daemon. Use the ssh-agent command at the beginning of the session. Then, store your private keys with the agent by using ssh-add. If you have different accounts on different hosts, add those keys that you intend to use in the session. You can start the agent manually when needed as described in the following procedure. Or, you can set the agent to run automatically at the start of every session as described in How to Set ssh-agent to Run Automatically.

  1. Start the agent daemon.

    The ssh-agent command starts the agent daemon and displays its process ID.


  2. Add your private key to the agent daemon.

    The ssh-add command adds your private key to the agent daemon so that subsequent Secure Shell activity will not prompt you for the passphrase.


  3. Start a Secure Shell session.


Example—Using ssh-add Options

You can use ssh-add to add other keys to the daemon as well. For example, you might concurrently have DSA v2, RSA v2, and RSA v1 keys. To list all keys that are stored in the daemon, use the -l option. To delete a single key from the daemon, use the -d option. To delete all keys, use the -D option.

I run the dev channel of ChromeOS. This crashes occasionally. While my chrome tabs are generally recovered, it also resets the crostini containers. Every time this happens, I’ve to launch 1Password (the android app), unlock it, search for my SSH key, copy the password and finally paste it in the terminal. This was starting to get old.

A couple of days ago I spent about an hour short circuiting this. I’ve set things up so that ssh-agent directly asks for my 1Password master password, uses it to unlock the vault, grab the SSH key password and add the identity to ssh-agent! Read on to know how it works!

I want to call out that this kind of tinkering is only possible because unix tools are customizable and 1Password publishes the full details of its opvault file format. Keep supporting these kinds of companies!

We need a couple of things for this setup to work.

  1. Some way to convince ssh-agent to use this mechanism instead of the default password prompt.
  2. Some way to get the SSH key password from 1Password, given the master password.

Customizing ssh-add

While part 2 is the slightly harder part, it is worth spending a few minutes figuring out if 1 is even possible. I certainly am not feeling up to actually hacking on the SSH code. So let’s look at the ssh-add man page:

OK, seems like this is possible. It isn’t clear yet how the entered password is read from ssh-askpass. More mansplaining:


Very unix-y. The program just needs to write the password to stdout. OK. Let’s come back to this once we have a script doing exactly that.

Extracting passwords from 1Password

The opvault file format is open and well documented. This means we don’t have to figure out some complicated IPC schemes or reverse-engineering. There are already libraries out there that support parsing these files. While writing one in Rust would be the cool thing to do, I’m trying not to fall too deep in the XKCD trap. I picked the opvault python package. I did a quick read of the code to make sure this wasn’t secretly uploading all my passwords to the Internet. I also used virtualenv and some extra customizations to not pollute my system python, but I’m going to elide that. The code presented here assumes your system python has opvault installed. Remember, the script also needs to be executable.

This is a fairly simple script. It hard-codes the location to my vault and the title under which my key is stored in 1Password (one less thing to worry about passing around on the command line). It uses the getpass module to retrieve my password in the unix-style, without echoing it on screen. We load the vault, load all the items and retrieve the details. Then we print the SSH key password!

Plugging this into ssh-add

This may vary slightly based on how you’ve set up ssh-add to execute at startup. I use zprezto, and I’ve the ssh module enabled. I elected to put the customization in my .zshrc, right before initializing zprezto.


I’m not entirely happy with this, but it will do for now. First, it changes these variables at the zprezto level, instead of just at the module level. This means other modules and zsh setup can be influenced by this. However, putting these links right before loading ssh did not seem to work and I don’t care enough. Second, I’m not resetting the variables properly, they now end up as empty strings instead of being unset if they were not set before. Again, I don’t care.

That’s it! Use ssh-add -d to disassociate the existing identity, then start a shell to see if this works, as I did several times while figuring this out.
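The agent procedure (start the agent, add a key, list and delete keys) and the askpass contract described above, as an added example that is not the original post's script or configuration. It loads a throwaway passphrase-protected key through a helper that writes the passphrase to stdout; the key, passphrase, socket path and function names are constructed for the demo, and the helper stands in for the 1Password lookup script.

```shell
#!/bin/sh
# Constructed demo values: throwaway key, throwaway passphrase, private agent.
PASSPHRASE='constructed-demo-passphrase'

# Write an askpass helper to $1. ssh-add passes the prompt as the helper's
# first argument and reads the passphrase from its stdout. A real helper
# would look the passphrase up in the vault instead of embedding it.
make_askpass() {
    cat > "$1" <<EOF
#!/bin/sh
printf '%s\n' '$PASSPHRASE'
EOF
    chmod 700 "$1"
}

# Returns 0 if the key was loaded through the helper and then removed,
# 1 on any failure, 3 if the OpenSSH client tools are not installed.
demo_agent_askpass() (
    for tool in ssh-keygen ssh-agent ssh-add; do
        command -v "$tool" >/dev/null 2>&1 || exit 3
    done
    unset SSH_AGENT_PID SSH_AUTH_SOCK   # never touch the caller's own agent
    dir=$(mktemp -d) || exit 1
    trap 'ssh-agent -k >/dev/null 2>&1; rm -rf "$dir"' EXIT
    ssh-keygen -q -t ed25519 -N "$PASSPHRASE" -C demo -f "$dir/id_demo" || exit 1
    make_askpass "$dir/askpass.sh"

    # Step 1: start the agent daemon on its own socket.
    eval "$(ssh-agent -s -a "$dir/agent.sock")" >/dev/null || exit 1

    # Step 2: add the key. With no terminal on stdin and DISPLAY plus
    # SSH_ASKPASS set, ssh-add runs the helper instead of prompting;
    # SSH_ASKPASS_REQUIRE=force (OpenSSH 8.4+) does so even on a terminal.
    DISPLAY=${DISPLAY:-:0} SSH_ASKPASS="$dir/askpass.sh" SSH_ASKPASS_REQUIRE=force \
        ssh-add "$dir/id_demo" </dev/null >/dev/null 2>&1 || exit 1

    # -l lists loaded keys, -d removes one; -l fails once the agent is empty.
    [ "$(ssh-add -l | wc -l)" -eq 1 ] || exit 1
    ssh-add -d "$dir/id_demo" >/dev/null 2>&1 || exit 1
    ssh-add -l >/dev/null 2>&1 && exit 1
    exit 0
)

demo_agent_askpass && echo "key loaded through the askpass helper, then removed"
```

Anything that can read the helper file or the agent socket can obtain the passphrase or use the loaded key, so both are created with owner-only access inside a private temporary directory.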


A note on the vault storage.


This deals only with local vaults. If you use the 1Password web service, I’d be happy to know how you would hook that up. If you use Dropbox to sync your 1Password vaults, the easiest way to get this to work is by installing Dropbox on your linux machine and just syncing the files. I thought this was a lot of resource use just to access this SSH key. In particular, the SSH key password is never going to change, so the syncing aspect is not very useful. Instead, I just downloaded a current version of the opvault file (which is actually a directory). I also pruned the contents to leave only the profile and the band with the ssh key on-disk, as those are the only pieces required.