SSH: CC_ENV_EXTRACT_LIST missing SSH_AUTH_SOCK breaks 1Password SSH agent
Open 💬 11 comments Opened Mar 1, 2026 by jvkamp
Summary
Claude Code Desktop has two issues that break SSH connections for users of 1Password SSH agent (and likely other non-default SSH agents):
SSH_AUTH_SOCKnot imported from shell environment: TheCC_ENV_EXTRACT_LISTwhitelist inshellPathWorker.jsdoes not includeSSH_AUTH_SOCK. Claude Desktop always inherits the macOS default SSH agent socket (/private/tmp/com.apple.launchd.*/Listeners) instead of the user-configured agent.
IdentityFilepointing to a.pubfile crashes ssh2: 1Password's auto-generated SSH config setsIdentityFileto a.pubfile (the agent handles the actual private key). Claude Desktop reads this file and passes it to ssh2 asprivateKey, which throws"privateKey value does not contain a (valid) private key"instead of falling through to agent-based auth.
Steps to Reproduce
- Configure 1Password SSH agent (standard setup:
SSH_AUTH_SOCKin shell profile +Include ~/.ssh/1Password/config+IdentityAgentin~/.ssh/config) - Verify
sshworks from terminal - Add an SSH connection in Claude Desktop
- Try to connect → fails with "privateKey value does not contain a (valid) private key" or falls back to password auth
Workaround
Both of the following are needed:
- In the SSH connection settings UI, set the Identity File field to
none— this prevents ssh2 from reading the.pubfile - Launch Claude Desktop from terminal:
SSH_AUTH_SOCK=~/.1password/agent.sock open -a Claude
Suggested Fix
- Add
"SSH_AUTH_SOCK"toCC_ENV_EXTRACT_LISTinshellPathWorker.js - When an
IdentityFilefails to parse as a private key, skip it and fall through to agent auth instead of throwing
Environment
- macOS Tahoe 26.3
- Claude Desktop (latest as of 2026-02-28)
- 1Password SSH agent
🤖 Generated with Claude Code
This issue has 11 comments on GitHub. Read the full discussion on GitHub ↗