You can configure the home-manager ssh module to use the local 1Password SSH agent socket, as well as forward this agent to external machines so that SSH-based operations (like git pull) on that external machine will use the local 1Password keys via TouchID!
This obviates having to keep private ssh keys on external machines. Everything is managed locally on the Mac by 1Password.
https://github.com/srid/nixos-config/blob/master/home/ssh.nix
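As an added illustration of the setup described above (this is not srid's ssh.nix and not 1Password's own documentation), a home-manager `programs.ssh` fragment that points ssh at the 1Password agent socket and forwards the agent only to one explicitly named host. The socket path is the one 1Password uses on macOS; the host name `build-box`, its address and user are hypothetical placeholders.

```nix
# Added example, not from the linked config. Assumes home-manager's
# programs.ssh module; host details are placeholders.
{ config, lib, ... }:

{
  programs.ssh = {
    enable = true;

    matchBlocks = {
      # Global defaults: use the 1Password agent for every host.
      # ForwardAgent is deliberately left unset here, so OpenSSH's
      # default of "no" applies to hosts not listed below.
      "*" = {
        extraOptions = {
          # Assumed path of the 1Password SSH agent socket on macOS.
          IdentityAgent = ''"~/Library/Group Containers/2BUA8C4S2C.group.com.1password/t/agent.sock"'';
        };
      };

      # Hypothetical remote host that should see the local keys
      # (so `git pull` there authenticates through the forwarded agent).
      "build-box" = {
        hostname = "build-box.example.internal"; # placeholder
        user = "me";                              # placeholder
        forwardAgent = true;
      };
    };
  };
}
```

After `home-manager switch`, `ssh build-box` followed by `ssh-add -l` on the remote side should list the 1Password-held public keys, and each use prompts TouchID locally. Keeping `forwardAgent` per-host rather than under `"*"` matters: while you are connected, anyone with root on the forwarded host can sign with your keys through the agent, so only hosts you trust to that degree should get it.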
I can already use the ssh key stored on my yubikey from remote hosts by passing the ssh -A option when connecting, which then forwards the key to the agent on the host I'm connecting to. What I'm lacking is passing through things like my GPG key or configured OTP keys for passwordless sudo, but only when yubi is available.
I want the same thing (sudo, etc.) but via 1Password.
https://1password.community/discussion/128353/sudo-support
Actually I guess there is a protocol called usbip and someone wrote a perl script for something like what I'm after:
https://github.com/turistu/usbip-ssh
However, this script is somewhat annoyingly the reverse of what I'd like. It gives a client a way to expose a server's USB devices to the client. What I'd like is a way to forward the client's to the server so I can authenticate with the yubikey remotely.
I'm sure the script could be modified to do what I want though, I might have a crack at it later.
Last updated: Jan 18 2025 at 04:45 UTC