--- title: 1password's ssh agent and nix date: 2023-12-02 tags: - ssh - git - nix --- [A while ago](https://blog.1password.com/1password-ssh-agent/), 1password introduced an SSH agent, and I've been using it for a while now. The following describe how I've configured it with `nix`. All my ssh keys are in 1password, and it's the only ssh agent I'm using at this point. ## Personal configuration I have a personal 1password account, and I've created a new SSH key in it that I use for both authenticating to github and to sign commits. I use [nix-darwin](http://daiderd.com/nix-darwin/) and [home-manager](https://github.com/nix-community/home-manager) to configure my personal machine. This is how I configure ssh: ```nix programs.ssh = { enable = true; forwardAgent = true; serverAliveInterval = 60; controlMaster = "auto"; controlPersist = "30m"; extraConfig = '' IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock" ''; matchBlocks = { "github.com" = { hostname = "github.com"; user = "git"; forwardAgent = false; extraOptions = { preferredAuthentications = "publickey"; }; }; }; }; ``` The configuration for git: ```nix { lib, pkgs, config, ... }: let sshPub = builtins.fromTOML ( builtins.readFile ../../configs/ssh-pubkeys.toml ); in { home.file.".ssh/allowed_signers".text = lib.concatMapStrings (x: "franck@fcuny.net ${x}\n") (with sshPub; [ ykey-laptop ykey-backup op ]); programs.git = { enable = true; userName = "Franck Cuny"; userEmail = "franck@fcuny.net"; signing = { key = "key::${sshPub.op}"; signByDefault = true; }; extraConfig = { gpg.format = "ssh"; gpg.ssh.allowedSignersFile = "~/.ssh/allowed_signers"; gpg.ssh.program = "/Applications/1Password.app/Contents/MacOS/op-ssh-sign"; }; } ``` In the repository with my nix configuration, I've a file `ssh-pubkeys.toml` that contains all the public ssh keys I keep track of (mine and a few other developers). Keys from that file are used to create the file `~/.ssh/allowed_signers` that is then used by `git` (for example `git log --show-signature`) when I want to ensure commits are signed with a valid key. `ssh-pubkeys.toml` looks like this: ```toml # yubikey key connected to the laptop ykey-laptop="ssh-ed25519 ..." # backup yubikey key ykey-backup="ssh-ed25519 ..." # 1password key op="ssh-ed25519 ..." ``` And the following is for `zsh` so that I can use the agent for other commands that I run in the shell: ```nix programs.zsh.envExtra = '' # use 1password ssh agent # see https://developer.1password.com/docs/ssh/get-started#step-4-configure-your-ssh-or-git-client export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ''; ``` And that's it, this is enough to get use the agent for all my personal use cases. ## Work configuration The work configuration is slightly different. Here I want to use both my work and personal keys so that I can clone some of my personal repositories on the work machine (for example my emacs configuration). We also use both github.com and a github enterprise instance and I need to authenticate against both. I've imported my existing keys into 1password, and I keep the public keys on the disk: `$HOME/.ssh/work_gh.pub` and `$HOME/.ssh/personal_gh.pub`. I've removed the private keys from the disk. This is the configuration I use for work: ```nix programs.ssh = { enable = true; forwardAgent = true; serverAliveInterval = 60; controlMaster = "auto"; controlPersist = "30m"; extraConfig = '' IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock" ''; matchBlocks = { "personal" = { hostname = "github.com"; user = "git"; forwardAgent = false; identifyFile = "~/.ssh/personal_gh.pub"; identitiesOnly = true; extraOptions = { preferredAuthentications = "publickey"; }; }; "work" = { hostname = "github.com"; user = "git"; forwardAgent = false; identifyFile = "~/.ssh/work_gh.pub"; identitiesOnly = true; extraOptions = { preferredAuthentications = "publickey"; }; }; "github.enterprise" = { hostname = "github.enterprise"; user = "git"; forwardAgent = false; identifyFile = "~/.ssh/work_gh.pub"; identitiesOnly = true; extraOptions = { preferredAuthentications = "publickey"; }; }; }; }; ``` I also create a configuration file for the 1password agent, to make sure I can use the keys from all the accounts: ```nix # Generate ssh agent config for 1Password - I want both my personal and work keys home.file.".config/1Password/ssh/agent.toml".text = '' [[ssh-keys]] account = "my.1password.com" [[ssh-keys]] account = "$work.1password.com" ''; ``` Then the ssh configuration: ```nix { config, lib, pkgs, ... }: let sshPub = builtins.fromTOML ( builtins.readFile ../etc/ssh-pubkeys.toml ); in { home.file.".ssh/allowed_signers".text = lib.concatMapStrings (x: "franck@fcuny.net ${x}\n") (with sshPub; [ work_laptop op ]); programs.git = { enable = true; signing = { key = "key::${sshPub.op}"; signByDefault = true; }; extraConfig = { gpg.format = "ssh"; gpg.ssh.allowedSignersFile = "~/.ssh/allowed_signers"; gpg.ssh.program = "/Applications/1Password.app/Contents/MacOS/op-ssh-sign"; url = { "ssh://git@github.enterprise/" = { insteadOf = "https://github.enterprise/"; }; }; }; }; } ``` Now, when I clone a repository, instead of doing `git clone git@github.com/$WORK/repo` I do `git clone work:/$WORK/repo`. ## Conclusion I've used yubikey to sign my commits for a while, but I find the 1password ssh agent a bit more convenient. The initial setup for yubikey was not as straightforward (granted, it's a one time thing per key). On my personal machine, my `$HOME/.ssh` looks as follow: ```sh ➜ ~ ls -l ~/.ssh ~ total 16 lrwxr-xr-x@ 1 fcuny staff 83 Nov 6 17:03 allowed_signers -> /nix/store/v9qhbr2vb7w6bd24ypbjjz59xis3g8y2-home-manager-files/.ssh/allowed_signers lrwxr-xr-x@ 1 fcuny staff 74 Nov 6 17:03 config -> /nix/store/v9qhbr2vb7w6bd24ypbjjz59xis3g8y2-home-manager-files/.ssh/config -rw-------@ 1 fcuny staff 828 Nov 13 17:53 known_hosts ``` When I create a new commit, 1password ask me to authorize git to use the agent and sign the commit. Same when I want to ssh to a host. When I'm working on the macbook, I use touch ID to confirm, and when the laptop is connected to a dock, I need to type my 1password's password to unlock it and authorize the command. There's a cache in the agent so I'm not prompted too often. I find this convenient, I will never have to copy my ssh key when I get a new laptop, since it's already in 1password. The agent has worked flawlessly so far, and I'm happy with this setup.