Unable to use 1Password SSH agent at work (RSA 2048, Azure DevOps)

XIII

Yesterday I tested the 1Password SSH agent with my personal stuff and everything seemed fine.

Today I wanted to use it at work as well, but everything fails...

• Git on the command line:

➜ git pull
sign_and_send_pubkey: signing failed: agent refused operation
user@domain1.com@domain2.com: Permission denied (password,publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

• SourceTree:

git -c color.branch=false -c color.diff=false -c color.status=false -c diff.mnemonicprefix=false -c core.quotepath=false -c credential.helper=sourcetree fetch origin 
sign_and_send_pubkey: signing failed: agent refused operation
user@domain1.com@domain2.com: Permission denied (password,publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
sign_and_send_pubkey: signing failed: agent refused operation
user@domain1.com@domain2.com: Permission denied (password,publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights

• Tower:

sign_and_send_pubkey: signing failed: agent refused operation
user@domain1.com@domain2.com: Permission denied (password,publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

We're using Azure DevOps and it only supports RSA keys of 2048 bits.

---

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

XIII

PS: even after not using the 1Password SSH agent for our Azure DevOps server I still get an error which I did not have before yesterday:

➜ git pull
sign_and_send_pubkey: signing failed: agent refused operation
Already up to date.

smanojkarthick

We use RSA-2048 keys in PEM Format with AWS and they don't seem to work with the 1Password Agent. It gets imported into the app but the agent does not seem to offer them. I checked the public exponent and it seems to be fine too. I posted this on the Slack channel and they asked me to open a support issue with diagnostics - While I create a support ticket, I figured I would add to more context here since this seems to be a similar issue.

Some details that might be useful:

Public Exponent:

❯ openssl rsa -text -in ~/.ssh/key.pem | grep publicExponent
writing RSA key
publicExponent: 65537 (0x10001)

❯ head -n1 ~/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----

These are the entries on the 1Password App. You can see six keys in total, three are Ed25519 and the others are RSA 2048bit

This is the output when I try to list the keys available in the 1Password agent. The Ed25519 keys are offered but the RSA 2048 ones are not.

XIII

The Public Exponent is the same for my key.

However, my RSA 2048 key does show up in the output of ssh-add -l.

Still I cannot use the 1Password SSH agent with this key.

K.J._1P

Thanks for testing! I appreciate your feedback. RSA keys are expected to work and this is a surprising issue. I appreciate your detailed response.

Are you able to share your OpenSSH version?

$ ssh -V
OpenSSH_8.8p1, OpenSSL 1.1.1m  14 Dec 2021

smanojkarthick

I'm using the default SSH client on macOS Monterrey/Big Sur. I'm able to reproduce this on both systems.

• Monterrey machine: OpenSSH_8.6p1, LibreSSL 2.8.3
• Big Sur machine: OpenSSH_8.1p1, LibreSSL 2.7.3

I also gave it a shot using the openssh formula from homebrew and noticing the same behaviour :

❯ which ssh
/opt/homebrew/bin/ssh

❯ ssh -V
OpenSSH_8.8p1, OpenSSL 1.1.1m  14 Dec 2021

❯ SSH_AUTH_SOCK="$HOME/.1password/agent.sock" ssh-add -l
256 SHA256:<redacted>  (ED25519)
256 SHA256:<redacted> (ED25519)
256 SHA256:<redacted>  (ED25519)

XIII

I'm using the default ssh from macOS Big Sur 11.6.4:

➜ which ssh
/usr/bin/ssh
➜ ssh -V
OpenSSH_8.1p1, LibreSSL 2.7.3

XIII

PS: looking at the Homebrew path @smanojkarthick is probably using an M1 Mac. I'm still on Intel.

(not sure whether that matters)

K.J._1P

Thanks for the additional info. Just to double check, all of the keys are in your Private vault? Currently, the agent only offers keys from Private vaults.

smanojkarthick

That’s right @XIII ! Just tried it, I can also reproduce this issue on my Intel MacBook. So I’m guessing that probably doesn’t matter.

XIII

@K.J._1P Maybe we're mixing up terminology, but my keys are in my Personal vault (I believe Personal is used with 1password.com subscriptions, while Private was used for stand-alone vaults?).

Do these logs help?

Successful login using a private key stored as a file on my filesystem:

debug3: sign_and_send_pubkey: RSA SHA256:<fingerprint>
debug3: sign_and_send_pubkey: signing using ssh-rsa
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).

Failed login using 1Password SSH Agent:

debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/me/.ssh/key-1password.pub RSA SHA256:<fingerprint> explicit agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /Users/me/.ssh/key-1password.pub RSA SHA256:<fingerprint4> explicit agent
debug3: sign_and_send_pubkey: RSA SHA256:<fingerprint>
debug3: sign_and_send_pubkey: signing using ssh-rsa
sign_and_send_pubkey: signing failed: agent refused operation

The redacted <fingerprint> is identical in all places.

(I'm using your Match key with host approach)

K.J._1P

Thanks! It appears like there is an attempt to use the key but 1Password is failing to sign with it. It might be that the server only supports SHA1. There is a known limitation that servers must support rsa-sha2-256 or rsa-sha2-512. These were added in OpenSSH 5.9.

Could that be the case with the server you are testing? ssh -vvv should list the supported algorithms.

XIII

I'm not sure what to look for. This?

debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
debug2: host key algorithms: ssh-rsa

(it's a self-hosted Azure DevOps server in a large organisation; I have no direct contact with the administrators)

K.J._1P

It should be in the kex_input_ext_info.

debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>

Additionally, sign_and_send_pubkey will typically indicate one of these two formats if they are being used:

debug3: sign_and_send_pubkey: signing using rsa-sha2-512 ...

Reading the logs you shared, it seems like the server does not support rsa-sha2.

Edit: Looking into this further, it's unclear if Azure DevOps supports rsa-sha2. rsa-sha1 is considered weak and not enabled by default in most clients. I'll continue to investigate.

XIII

Thanks.

I would not be surprised though, since I cannot use Ed25519 keys there as well; they only allow 2048 bits RSA keys (not even 4096 bits).

I wish you guys could educate our IT department!

(for example they still require me to change my password every 90 days; see your recent blog post;)

PS: the ssh -vvv output contains

• no server-sig-algs
• only these sign_and_send_pubkey lines:

debug3: sign_and_send_pubkey: RSA SHA256:<fingerprint>
debug3: sign_and_send_pubkey: signing using ssh-rsa

K.J._1P

After doing some research, Azure DevOps only supports ssh-rsa, which is unfortunate. Currently, there is not a way to make 1Password SSH work with an Azure DevOps server, including the cloud ssh.dev.azure.com.

I've noted this use case internally, but it will require further discussion if it is acceptable to support a weak algorithm. At the very least, a better error message is needed!

Thanks so much for your testing and detailed feedback.

https://docs.microsoft.com/en-us/azure/devops/repos/git/use-ssh-keys-to-authenticate?view=azure-devops#q-what-do-i-do-if-im-still-prompted-for-my-password-and-git_ssh_commandssh--v-git-fetch-shows-no-mutual-signature-algorithm

XIII

Since AgileBits is moving towards enterprises, you might consider supporting this?

The company using this technology has over 75,000 employees worldwide. Does that qualify as enterprise?

K.J._1P

Thanks for sharing @XIII. I've noted a few different widely used services that all only support ssh-rsa and this is something that we are actively discussing internally.

ant59

Seeing the same issue after restarting my computer.

❯ ssh -vvvT git@github.com
OpenSSH_8.8p1, OpenSSL 1.1.1m  14 Dec 2021
...
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key:  ED25519 SHA256:2uM6MfX+6Vy3M2nmg0jMZH53KiHmh01+5/67BROjeUc agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key:  ED25519 SHA256:2uM6MfX+6Vy3M2nmg0jMZH53KiHmh01+5/67BROjeUc agent
debug3: sign_and_send_pubkey: ED25519 SHA256:2uM6MfX+6Vy3M2nmg0jMZH53KiHmh01+5/67BROjeUc
debug3: sign_and_send_pubkey: signing using ssh-ed25519 SHA256:2uM6MfX+6Vy3M2nmg0jMZH53KiHmh01+5/67BROjeUc
sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation
debug1: Offering public key:  ED25519 SHA256:NzlMuRTTFQA++mNliWTcmbGWZGvloFijRU9UAGHCrH4 agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key:  ED25519 SHA256:NzlMuRTTFQA++mNliWTcmbGWZGvloFijRU9UAGHCrH4 agent
debug3: sign_and_send_pubkey: ED25519 SHA256:NzlMuRTTFQA++mNliWTcmbGWZGvloFijRU9UAGHCrH4
debug3: sign_and_send_pubkey: signing using ssh-ed25519 SHA256:NzlMuRTTFQA++mNliWTcmbGWZGvloFijRU9UAGHCrH4
sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation
...
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).

❯ uname -a
Linux 5.16.10-arch1-1 #1 SMP PREEMPT Wed, 16 Feb 2022 19:35:18 +0000 x86_64 GNU/Linux

❯ cat 1Password_rCURRENT.log
...
INFO  2022-02-21T10:58:58.910 op_executor:invocation_loop(ThreadId(22)) [1P:op-app/src/app/backend/unlock.rs:89] Lock state changed: Unlocked
INFO  2022-02-21T11:06:12.378 tokio-runtime-worker(ThreadId(7)) [1P:ssh/op-ssh-agent/src/lib.rs:290] Session was not authorized
INFO  2022-02-21T11:06:12.502 tokio-runtime-worker(ThreadId(14)) [1P:op-automated-unlock/src/lib.rs:389] New unlock was suppressed because a previous unlock was rejected or the lock screen was displayed.
INFO  2022-02-21T11:06:12.502 tokio-runtime-worker(ThreadId(14)) [1P:ssh/op-ssh-agent/src/lib.rs:290] Session was not authorized

Tried restarting 1Password. Tried restarting PC. Nothing seems to work. 1Password refuses to sign. 1Password is open and unlocked.

Any progress made on this?

K.J._1P

@ant59 This appears like a different issue than mentioned earlier in the thread. The previous issue was for ssh-rsa (RSA with SHA1), however, the log you shared looks like ssh-ed25519 was being used and that algorithm is supported.

Thanks for sharing the 1Password logs. It seems like the issue is that 1Password thinks that the user has been prompted and they dismissed the prompt. Do you have system authorization enabled in 1Password and is it working when unlocking 1Password? Thanks!

https://support.1password.com/system-authentication-linux/

ant59

Apologies for posting a different issue in the thread. I thought it looked similar.

I do not have system authorisation turned on. Is it a requirement for the SSH agent?

K.J._1P

At this time, it is a requirement on Linux and Windows. This is something we would like to improve. It's very easy to miss in the documentation (also an area for improvement). Let me know if I can help further!

https://developer.1password.com/docs/ssh/get-started#:~:text=To use the 1Password SSH agent on Linux

ant59

I installed a polkit agent and turned on system authentication. It now prompts me for my system password when using SSH keys and the functionality is perfect. Thank you very much for the help. I completely missed the info box on system authentication in the documentation.

K.J._1P

No problem! I'm glad it's working for you!

bliles

Here are two related issues:
https://developercommunity.visualstudio.com/t/Support-non-RSA-keys-for-SSH-authenticat/365980
https://developercommunity.visualstudio.com/t/Git-SSH-access-offers-weak-algorithms-r/1547526

They both highlight that ADO's support for modern SSH keys and encryption standards is lacking. If you're prevented from using 1Password for SSH because of ADO's limitations perhaps you can upvote those issues.

rodneyt

This issue wasted a lot of time for me yesterday as I couldn't determine why SSH 1password was failing and ended up exploring lots of different things before figuring out it was a 1password update that had broken my workflow. Switched to nightly build has fixed.

floris_1P

@XIII An update on ssh-rsa: the latest 1Password beta now supports this, so you should be able to use the SSH agent with Azure DevOps.

XIII

Yes, I'm already running that. Works great! Thank you!