If you’re doing SSH keys right… they tend to accumulate…

  • Keys unique to various environments or even specific hosts
  • Rotation (new keys generated, old keys deprecated and phased out)
  • They just pile up, and quickly!

This leads to eventual sadness:

sign_and_send_pubkey: signing failed for ED25519 "key-abc" from agent: agent refused operation
Received disconnect from 10.x.x.1 port 22:2: Too many authentication failures

I’ve mentioned this problem to ChatGPT from time to time and it has historically hallucinated promising but ultimately disappointingly nonsense “solutions.”

I got annoyed enough with this today to try something desperate… I… read (OK, Google’d and skimmed) the docs:

The order of the [[ssh-keys]] sections in the agent config file determine the order the agent offers your keys to SSH servers. This helps to minimize the number of authentication attempts the SSH agent makes so you don’t run into the six-key limit (MaxAuthTries) that is the default for most SSH servers.

https://developer.1password.com/docs/ssh/agent/config/#add-individual-keys

I quickly became curious about the double bracket [[ ]] weirdness.

The syntax was unfamiliar, as I haven’t worked with TOML much, yet… At best, I know how to spell it… but extra nested brackets must be of some significance?

Ah-ha! It’s an array of tables… So… you can have multiple sections, this key from that vault on a specific account… Then those keys from the other vault and/or account.

This is perfect!

TL;DR:

~/.config/1Password/ssh/agent.toml:

  • If you have multiple [[ssh-keys]] sections, each with multiple keys… the keys will be tried in the order they (the item = lines) appear in each section

  • The sections in the config file will also be iterated through in order

  • If you skip the vault = line, all vaults will be used

[[ssh-keys]]
account = "your-work-1p-fqdn.1password.com"
vault = "private"

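[[ssh-keys]]
account = "your-personal-1p-fqdn.1password.com"
item = "SSH key-abc" # By title

# TOML rejects the same key twice in one table, so the second item gets its own section
[[ssh-keys]]
account = "your-personal-1p-fqdn.1password.com"
item = "mgbysqj5yk6caewcbtrptjvpie" # By ID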
2025-05-05:

Wait… it gets even better!