op-ssh-load

Load SSH keys from 1Password into your ssh-agent on headless Linux servers.

Private keys are piped directly from 1Password to ssh-add and never touch the filesystem.

Prerequisites

Install

There are two ways to install: the install script or manually.

Option A: Install script

The install script downloads op-ssh-load, prompts you for your service account token, and configures everything:

bash <(curl -sSfL https://raw.githubusercontent.com/narasaka/op-ssh-load/main/install.sh)

Option B: Manual install

  1. Download the script:
mkdir -p ~/.local/bin
curl -sSfL https://raw.githubusercontent.com/narasaka/op-ssh-load/main/op-ssh-load -o ~/.local/bin/op-ssh-load
chmod +x ~/.local/bin/op-ssh-load

Most Linux distributions add ~/.local/bin to your PATH by default. If yours does not, add this to your shell's config file (~/.bashrc, ~/.zshrc, ~/.profile, etc.):

export PATH="$HOME/.local/bin:$PATH"
  2. Configure your service account token:
mkdir -p ~/.config/op
chmod 700 ~/.config/op
echo 'YOUR_SERVICE_ACCOUNT_TOKEN' > ~/.config/op/service-account-token
chmod 600 ~/.config/op/service-account-token

Replace YOUR_SERVICE_ACCOUNT_TOKEN with your actual token (starts with ops_).

Alternatively, export it as an environment variable:

export OP_SERVICE_ACCOUNT_TOKEN="ops_..."

Set up ssh-agent auto-start (optional)

The install script (Option A) offers to configure this automatically.

To set it up manually, add this to your shell's config file (~/.bashrc, ~/.zshrc, ~/.profile, etc.). The snippet is POSIX-compatible and works in Bash, Zsh, and other POSIX shells:

SSH_ENV="$HOME/.ssh/agent-env"
if [ -z "${SSH_AUTH_SOCK:-}" ]; then
  if [ -f "$SSH_ENV" ]; then
    . "$SSH_ENV" > /dev/null
    if ! kill -0 "$SSH_AGENT_PID" 2>/dev/null; then
      eval "$(ssh-agent -s)" > /dev/null
      echo "export SSH_AUTH_SOCK=$SSH_AUTH_SOCK; export SSH_AGENT_PID=$SSH_AGENT_PID" > "$SSH_ENV"
      chmod 600 "$SSH_ENV"
    fi
  else
    mkdir -p "$HOME/.ssh"
    eval "$(ssh-agent -s)" > /dev/null
    echo "export SSH_AUTH_SOCK=$SSH_AUTH_SOCK; export SSH_AGENT_PID=$SSH_AGENT_PID" > "$SSH_ENV"
    chmod 600 "$SSH_ENV"
  fi
fi

Then reload your shell (or open a new terminal):

exec "$SHELL"

Usage

Load all SSH keys from 1Password:

op-ssh-load

List available SSH keys without loading them:

op-ssh-load --list

Load a specific key by name:

op-ssh-load "GitHub"

Clear the agent and reload all keys:

op-ssh-load --clear

Verify keys are loaded:

ssh-add -l

How it works

  1. The script reads your service account token from ~/.config/op/service-account-token (or the OP_SERVICE_ACCOUNT_TOKEN environment variable).
  2. It queries 1Password for all items with the "SSH Key" category across accessible vaults.
  3. For each key, it calls op read with the ?ssh-format=openssh query parameter to get the private key in OpenSSH format.
  4. The key is piped directly to ssh-add /dev/stdin. The private key is never written to disk.
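The four steps above, written out as an added Python illustration (this is not the project's op-ssh-load script, which is a shell script). It assumes the 1Password CLI v2 (op) and ssh-add are on PATH, that `op item list --format json` returns objects with "id", "title" and "vault": {"id": ...} keys, and that the private key field of an SSH Key item is named "private key"; the item titles and ids in the offline demo are constructed. It also adds the check a practitioner wants on step 1: the token file is refused if it is group- or world-readable, since a leaked service account token is vault access for anyone who can read it.

```python
#!/usr/bin/env python3
"""Added illustration of the op-ssh-load flow (not the project's own script).

Assumes the 1Password CLI v2 (`op`) and `ssh-add` are on PATH, that
`op item list --format json` returns objects with "id", "title" and
"vault": {"id": ...} keys, and that the key field is named "private key".
"""
import json
import os
import stat
import subprocess
import sys
from typing import Callable, Dict, List, Optional, Sequence, Tuple

TOKEN_FILE = os.path.expanduser("~/.config/op/service-account-token")
TOKEN_ENV = "OP_SERVICE_ACCOUNT_TOKEN"

# A runner takes an argv and optional stdin bytes and returns stdout bytes.
Runner = Callable[[Sequence[str], Optional[bytes]], bytes]


def token_file_mode_ok(path: str) -> bool:
    """True only if no group/other permission bits are set (e.g. 0600 or 0400)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def read_token(env: Optional[Dict[str, str]] = None, path: str = TOKEN_FILE) -> str:
    """Step 1: token from OP_SERVICE_ACCOUNT_TOKEN, else from the token file."""
    env = os.environ if env is None else env
    token = env.get(TOKEN_ENV, "").strip()
    if not token:
        if not os.path.isfile(path):
            raise RuntimeError(f"no {TOKEN_ENV} in environment and {path} not found")
        if not token_file_mode_ok(path):
            # A group- or world-readable token gives every local user vault access.
            raise RuntimeError(f"refusing to use {path}: mode is not 0600")
        with open(path, encoding="utf-8") as fh:
            token = fh.read().strip()
    if not token.startswith("ops_"):
        raise RuntimeError("token does not look like a 1Password service account token")
    return token


def parse_ssh_key_items(list_json: str) -> List[Tuple[str, str, str]]:
    """Step 2: map `op item list --format json` output to (vault_id, item_id, title)."""
    return [(i["vault"]["id"], i["id"], i["title"]) for i in json.loads(list_json)]


def secret_reference(vault_id: str, item_id: str) -> str:
    """Step 3: secret reference that makes `op read` emit the key in OpenSSH format."""
    return f"op://{vault_id}/{item_id}/private key?ssh-format=openssh"


def run_subprocess(cmd: Sequence[str], stdin: Optional[bytes] = None) -> bytes:
    """Real runner: execute the command, feed stdin bytes, return stdout bytes."""
    return subprocess.run(list(cmd), input=stdin, check=True, stdout=subprocess.PIPE).stdout


def load_keys(run: Runner = run_subprocess, only: Optional[str] = None) -> List[str]:
    """Steps 2-4: load every SSH Key item (or just `only`); return the titles loaded."""
    listing = run(["op", "item", "list", "--categories", "SSH Key", "--format", "json"], None)
    loaded = []
    for vault_id, item_id, title in parse_ssh_key_items(listing.decode("utf-8")):
        if only is not None and title != only:
            continue
        key = run(["op", "read", secret_reference(vault_id, item_id)], None)
        # Step 4: key bytes go from memory straight into ssh-add's stdin; no temp file.
        run(["ssh-add", "/dev/stdin"], key)
        loaded.append(title)
    return loaded


def fake_runner(calls: Optional[List[Tuple[List[str], Optional[bytes]]]] = None) -> Runner:
    """Constructed stand-in for `op`/`ssh-add` so the flow can be exercised offline."""
    listing = json.dumps([  # constructed sample listing, not real vault data
        {"id": "item1", "title": "GitHub", "vault": {"id": "vaultA"}},
        {"id": "item2", "title": "Deploy", "vault": {"id": "vaultA"}},
    ]).encode("utf-8")

    def run(cmd: Sequence[str], stdin: Optional[bytes] = None) -> bytes:
        argv = list(cmd)
        if calls is not None:
            calls.append((argv, stdin))
        if argv[:3] == ["op", "item", "list"]:
            return listing
        if argv[:2] == ["op", "read"]:
            body = f"-----BEGIN OPENSSH PRIVATE KEY-----\nFAKE {argv[2]}\n-----END OPENSSH PRIVATE KEY-----\n"
            return body.encode("utf-8")
        if argv[0] == "ssh-add":
            return b"Identity added\n"
        raise ValueError(f"unexpected command {argv}")
    return run


if __name__ == "__main__":
    if "--demo" in sys.argv[1:]:
        print("demo loaded:", load_keys(run=fake_runner()))
    else:
        os.environ[TOKEN_ENV] = read_token()  # op reads the token from the environment
        for title in load_keys(only=sys.argv[1] if len(sys.argv) > 1 else None):
            print("loaded", title)
```

Run it with `--demo` to walk the flow against the constructed runner without touching 1Password; run it with no arguments (or with a key title, mirroring `op-ssh-load "GitHub"`) to use the real op and ssh-add. The runner is injected so the same code path that pipes the key into ssh-add can be checked offline for the one property that matters here: the private key only ever exists as bytes handed to the child process's stdin.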

Creating a service account

  1. Sign in to 1password.com.
  2. Go to Integrations, then Service Accounts.
  3. Create a new service account.
  4. Grant it read access to the vault(s) containing your SSH keys.
  5. Copy the token and store it as described above.

License

MIT