Yeraze.com Blog
Yeraze.com Blog
AboutPatentsPublications
1Password & Github SSH Keys on Windows
šŸ”

1Password & Github SSH Keys on Windows

Tags
Tips & Tricks
Software Development
Published
November 25, 2022
Author
Randall Hand
URL
The most recent version of 1Password from Agilebits had added some great new features, and one I particularly love is SSH Keys. By establishing 1Password as your SSH Key Agent, you can let it store (or generate!) ssh keys and synchronize them across multiple devices, just like passwords. With this, Iā€™m finally able to have a single SSH key setup for accessing my various Github and raspberry PI devices, without having to manage a separate key per device. It also means I can authenticate my SSH keys via whatever biometrics the local device supports (on Macs that TouchID ,on Windows thatā€™s Windows Hello).
However, thereā€™s one big problem that it seems everyone using SSH keys runs into when doing development: GitHub.

The Problem

Git, and Github, supports (and recommends) using SSH Keys for authentication. Not only are they safer, but SSH is typically faster than HTTPS due to the various compression that SSH adds in. I wonā€™t get into the details of how to set it up, there are plenty of other guides for that.
The problem is one of security:
  • GitHub authenticates all SSH connections as the user git@github.com
  • GitHub identifies the specific user via their SSH key
  • GitHub only allows an SSH key to be used by a single account (because itā€™s not only authentication but identification)
For people working in Mac or Linux, that usually means cryptic .ssh/config files where they define multiple virtual hostnames that select a specific key, then rewriting their git origin URLā€™s from git@github.com:repo.git to personalgit:repo.git. Again, lots of guides online.

The 1Password Wrinkle

When youā€™re on a windows computer, you run into this same problem. Some tools like GitHub Desktop have built-in ways around this, but if you want to use the commandline git tools integrated with things like Sublime Text or VSCode, you have to find a more generic solution.
Looking in the 1Password documentation, you might immediately be disheartened to see this:
Windows doesn't have the same flexibility as macOS and Linux when it comes to theĀ ~/.ssh/configĀ file. This is because theĀ \\.\pipe\openssh-ssh-agentĀ pipe that Microsoft OpenSSH listens to is fixed. If you want to use the 1Password SSH agent on Windows, you'll need to allow it to authenticate for all hosts.
I tried a few things and didnā€™t get very far. I reached out to 1Password support on twitter and via email and initially got some rather disheartening news:
I am sorry to say that Windows does not have the option to use 1Password Agent for multiple hosts like Mac and Linux, so if you want to use different keys on Windows, we will need to remove 1Password as the global agent and add your private keys to the config file.
Well that seemed pretty short-sighted from a company like AgileBits (creator of 1Password). Thankfully, they escalated it internally and a higher-level engineer reached out with a solution.

The Solution

The solution is basically the same as for Mac & Linux, just with some Windows flavor added.
  1. First, you have to export the Public key from your github keys and save them in your personal folder.
      2. To do this, download your public key for the first account from the 1Password desktop app using the down arrow on the public key field. Rename it toĀ work.pubĀ orĀ personal.pubĀ as necessary, and repeat with the other key. Put both public keys in theĀ .sshĀ folder in your Windows user account directory found atĀ C:/Users/Username.
  1. After saving both public keys to theĀ .sshĀ folder, edit theĀ configĀ file in theĀ .sshĀ folder, and build a configuration like so:
      2. For your work GitHub account, create a host entry as follows: Host workgit HostName github.com User git IdentityFile ~/.ssh/work.pub IdentitiesOnly yes
      For your personal GitHub account, create a host entry like this: Host personalgit HostName github.com User git IdentityFile ~/.ssh/personal.pub IdentitiesOnly yes
  1. At this point, if everything is functioning properly, you should be able to do ssh personalgit and, despite SSH throwing an error and immediately dumping you back to a prompt, see a message from Github recognizing your username. Similarly, if you ssh workgit youā€™ll see it recognize the other account.
      2. notion image
  1. This is the part that is tricky. By default, git on windows includes its own internal SSH that doesnā€™t recognize this setup. To make it use the OpenSSH version that interfaces with 1Password, you need to do the following: git config --global core.sshCommand "C:\\Windows\\System32\\OpenSSH\\ssh.exe"
Once thatā€™s done, you should be good to rewrite your individual repo remotes. That can be done through something like one of the two commands below:
git remote set-url origin set-url personalgit:<Username>/<reponame>.git
git remote set-url origin set-url workgit:<Username>/<reponame>.git

Conclusion

After using this for a few days, I can say it works great! Now I can directly push code from inside VSCode or via commandline, and on my Windows Laptop I get a quick Windows Hello PIN verification and itā€™s done!
Itā€™s a bit annoying to have to mentally modify the URLā€™s every time I want to clone a new repo, however. The built-in dropdown visible in github still shows git@github.com at the beginning of every SSH clone, and I have to rewrite it over to the appropriate account if I want things to function properly (Usually I can clone without issue, itā€™s just if I ever want to submit back).
Hope you find this helpful!