# 1Password for developers

Advantages of separate SSH keys in 1Password:

  1. Every SSH connection (usually as root) has to be approved with your fingerprint before the key is used, so a key can never be used without you noticing.
  2. Use a different key for each server: if one private key leaks, only that server is at risk, not ALL the servers you use.
  3. Your keys live in 1Password. If you get a new laptop or your old laptop dies, you only need to install 1Password and you can get back in everywhere right away.

# Setup

  1. Download 1Password 8: https://downloads.1password.com/mac/1Password.zip
  2. Install the 1Password CLI: `brew install --cask 1password/tap/1password-cli`
  3. Check that the 1Password CLI is installed: `op --version`
  4. Set up your SSH config file (`nano ~/.ssh/config`) with the lines below:

```
Host *
    IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
```

  5. Enable the 1Password SSH agent:
    1. Open 1Password and choose 1Password > Preferences > Developer.
    2. Select the checkbox "Use the SSH agent".
    3. Optional: select the checkbox "Display key names when authorizing connections".

# Adding keys

So much for the setup, now we can start adding keys.

  1. In 1Password, create a key for Bitbucket.
    1. Click "New Item", select "SSH Key" and enter a name like "Bitbucket SSH key".
    2. Click "Add private key" and generate a new key.
    3. Choose Ed25519 as the key type (not the ancient RSA): Ed25519 keys are shorter, faster and better.
      1. Some servers (mostly old ones) don't accept Ed25519 keys; when that is the case, generate a new RSA key instead.
  2. Log in to Bitbucket, open your account settings (https://bitbucket.org/account/settings/ssh-keys/), and replace your current key with the new key you just created.
  3. Create a file in your ssh folder and paste your newly generated public key into it: `nano ~/.ssh/bitbucket.pub`
  4. Open your ssh config file and add the block below at the bottom of the file:

```
Host bitbucket
    HostName bitbucket.org
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/bitbucket
    Port 22
    IdentitiesOnly yes
```

Now when you start Tower, or do a git pull or push from the CLI, you will first be prompted for your fingerprint. The approval stays cached until you close the terminal window or quit Tower.

# Troubleshooting

Some servers limit the number of keys a client may offer (to prevent brute-forcing), so when the agent offers all of your keys the connection fails with the following error:

```
Received disconnect from 188.166.125.219 port 22:2: Too many authentication failures
Disconnected from 188.166.125.219 port 22
```

Solution: add host settings to .ssh/config.

  1. Find the key in 1Password.
  2. Copy the public key.
  3. Create a keyname.pub file in your ~/.ssh folder and complete your ~/.ssh/config file as below:

```
Host verdel
    HostName ssh033.hosting-cluster.nl
    PreferredAuthentications publickey
    User verdelnl
    IdentityFile ~/.ssh/verdel
    Port 22
    IdentitiesOnly yes
```

  4. After saving this file, open a new terminal tab or window and just type `ssh verdel` to connect to the server; ssh uses the defined host to set up the connection. This also works with rsync, for example `rsync -rtuv verdel:/desired/path`.

There are multiple ways to define these hosts, but the example above is the most detailed and also prevents errors when connecting to a server that has multiple keys for multiple domains (like the Combell servers).
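As an added example (not part of the original page), a small POSIX shell script that automates the steps from "Adding keys" and "Troubleshooting": it writes the `alias.pub` file and appends a Host block that pins exactly that key with `IdentitiesOnly`, and `check_host` verifies that an existing config block pins a single key. The optional config-path argument and the `check_host` helper are assumptions of this example, not 1Password features.

```shell
#!/bin/sh
# Added example (not from the original page). add_host writes the alias.pub
# file and the pinned Host block from the Troubleshooting section; check_host
# verifies that a block names one IdentityFile and sets IdentitiesOnly, which
# is what stops the agent from offering every key it holds. The optional
# config-path argument is an assumption so it can be tried on a scratch file.

# add_host ALIAS HOSTNAME USER "PUBKEY TEXT" [CONFIG_FILE]
add_host() {
  alias_="$1"; host="$2"; user="$3"; pubkey="$4"
  cfg="${5:-$HOME/.ssh/config}"
  dir=$(dirname "$cfg")
  # refuse to define the same alias twice
  if grep -q "^Host $alias_\$" "$cfg" 2>/dev/null; then
    echo "Host $alias_ already defined in $cfg" >&2
    return 1
  fi
  mkdir -p "$dir" && chmod 700 "$dir"
  # only the public half goes on disk; ssh reads alias.pub and asks the agent to sign
  printf '%s\n' "$pubkey" > "$dir/$alias_.pub"
  chmod 644 "$dir/$alias_.pub"
  cat >> "$cfg" <<EOF

Host $alias_
    HostName $host
    User $user
    PreferredAuthentications publickey
    IdentityFile $dir/$alias_
    IdentitiesOnly yes
    Port 22
EOF
}

# check_host ALIAS CONFIG_FILE: exit 0 only if the alias block pins a single key
# (accepts both "IdentitiesOnly yes" and "IdentitiesOnly=yes", any keyword case)
check_host() {
  awk -v alias="$1" '
    { line = tolower($0); sub(/=/, " ", line); n = split(line, f) }
    n && f[1] == "host" { inblock = (f[2] == tolower(alias)) }
    inblock && f[1] == "identitiesonly" && f[2] == "yes" { only = 1 }
    inblock && f[1] == "identityfile" { file = 1 }
    END { exit !(only && file) }' "$2"
}

# Demo on a scratch directory with a constructed (not real) public key string
demo_dir=$(mktemp -d)
add_host verdel ssh033.hosting-cluster.nl verdelnl \
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotReal" "$demo_dir/config"
check_host verdel "$demo_dir/config" && echo "verdel: pinned to one key"
```

Run `check_host <alias> ~/.ssh/config` against your real config to confirm a host will only ever offer its own key.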