SSH: CC_ENV_EXTRACT_LIST missing SSH_AUTH_SOCK breaks 1Password SSH agent

Open 💬 11 comments Opened Mar 1, 2026 by jvkamp

Summary

Claude Code Desktop has two issues that break SSH connections for users of 1Password SSH agent (and likely other non-default SSH agents):

  1. SSH_AUTH_SOCK not imported from shell environment: The CC_ENV_EXTRACT_LIST whitelist in shellPathWorker.js does not include SSH_AUTH_SOCK. Claude Desktop always inherits the macOS default SSH agent socket (/private/tmp/com.apple.launchd.*/Listeners) instead of the user-configured agent.
  1. IdentityFile pointing to a .pub file crashes ssh2: 1Password's auto-generated SSH config sets IdentityFile to a .pub file (the agent handles the actual private key). Claude Desktop reads this file and passes it to ssh2 as privateKey, which throws "privateKey value does not contain a (valid) private key" instead of falling through to agent-based auth.

Steps to Reproduce

  1. Configure 1Password SSH agent (standard setup: SSH_AUTH_SOCK in shell profile + Include ~/.ssh/1Password/config + IdentityAgent in ~/.ssh/config)
  2. Verify ssh works from terminal
  3. Add an SSH connection in Claude Desktop
  4. Try to connect → fails with "privateKey value does not contain a (valid) private key" or falls back to password auth

Workaround

Both of the following are needed:

  1. In the SSH connection settings UI, set the Identity File field to none — this prevents ssh2 from reading the .pub file
  2. Launch Claude Desktop from terminal: SSH_AUTH_SOCK=~/.1password/agent.sock open -a Claude

Suggested Fix

  1. Add "SSH_AUTH_SOCK" to CC_ENV_EXTRACT_LIST in shellPathWorker.js
  2. When an IdentityFile fails to parse as a private key, skip it and fall through to agent auth instead of throwing

Environment

  • macOS Tahoe 26.3
  • Claude Desktop (latest as of 2026-02-28)
  • 1Password SSH agent

🤖 Generated with Claude Code

View original on GitHub ↗

This issue has 11 comments on GitHub. Read the full discussion on GitHub ↗