Ok, I wished for this kind of feature for years. I started using a YubiKey with an ssh key via gpg ssh-agent in 2018 or 2019. When resident ssh keys came around I switched over to FIDO2-based keys on my YubiKey. The main issue with both was the fact that the default ssh setup wasn't working anymore. One needs extra configs and more commands to get to the public key etc. YubiKeys are great but block a USB port. And then there is the age-old question for me: One SSH key per user for all services? One key per machine for all services? Or one key per service?
This year I started to play around with the 1Password ssh-agent feature (Bitwarden has it as well, as far as I know).
If you're ok with allowing all your keys to be listed in the agent, this works pretty easily out of the box.
I never liked the fact that the default recommended way to use ssh is to use an agent that just has multiple keys which can be tested one after another and in most cases stay unlocked there after first use for the rest of the session.
I configured around to make sure that I explicitly use one key for one specific service. But that is sadly extra configuration etc.
I believe that in 1Password you can define / preselect a key per host now. So you can pinpoint key -> host. Some hosts have firewall rules that will block after X attempts, where X might be low.
However the agent still has access to all your keys, obviously.
Ah cool. I worked around it by storing the public keys in my dot repo and using the identity file ssh config option for said host. Great if I don't have to do this anymore.
Next level config madness: Use different ssh keys per GitHub org ;).
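The per-host and per-GitHub-org pinning discussed in this thread, as an added example that is not from any of the commenters: an `~/.ssh/config` sketch where the private keys stay in the agent and each host is offered exactly one identity. All host names, aliases and file paths are hypothetical; the `.pub` files are assumed to be exported from the agent or key store.

```sshconfig
# ~/.ssh/config (constructed example; names and paths are placeholders)
# The agent is reached via SSH_AUTH_SOCK, or set IdentityAgent to the
# socket your password manager documents.

# Git host alias for org A: same server, dedicated key.
Host github-orga
    HostName github.com
    User git
    # Pointing IdentityFile at a PUBLIC key selects the matching
    # private key held by the agent.
    IdentityFile ~/.ssh/keys/github-orga.pub
    # Offer only the identity configured here, not every agent key.
    IdentitiesOnly yes

# Second alias for org B with its own key.
Host github-orgb
    HostName github.com
    User git
    IdentityFile ~/.ssh/keys/github-orgb.pub
    IdentitiesOnly yes

# A server that locks out clients after a few failed attempts:
# one pinned key means one authentication attempt.
Host bastion.example.org
    User deploy
    IdentityFile ~/.ssh/keys/bastion.pub
    IdentitiesOnly yes

# Fallback: hosts without an explicit entry get no agent keys offered.
Host *
    IdentitiesOnly yes
```

Repositories are then cloned through the alias, for example `git clone git@github-orga:orga/repo.git`, and `ssh -G github-orga` prints the options ssh resolves for that alias.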