Just tried to configure 1Password SSH and am having trouble (Windows 11)
Hi, I get an error when I try the test recommended in the set up document. When I run ssh -T git@github.com, I get
sign_and_send_pubkey: signing failed: agent refused operation
git@github.com: Permission denied (publickey).
I'm using an existing RSA pem key I've used for github for many years. I imported it into 1Password and the fingerprint in github and in 1password match exactly. I installed the beta 8 version, I disabled openSSH service on my windows 11 machine, and I enabled the 1password SSH service in settings. I also turned on Windows Hello and set a pin. After all this, I restarted 1password.
If I run ssh-add -l, I see the single fingerprint I have imported into 1password.
If I go into 1password and disable the ssh service, I get
Error connecting to agent: No such file or directory
when running ssh-add -l, so 1password SSH service is certainly being used.
I just tried this command and found more info. ssh -vT git@github.com
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:xxx agent
debug1: Server accepts key: RSA SHA256:xxx agent
sign_and_send_pubkey: signing failed: agent refused operation
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Windows 11
Comments
-
Hi, I'm experiencing the same exact issue, I'm on Arch Linux on the latest desktop beta version.
However, ssh-add -l gives me
Error connecting to agent: No such file or directory
Of course, I enabled the SSH service in the settings as well.
0 -
@SV337, did you enable the service in the 1Password desktop app?
0 -
Further edits, if I generate a new SSH key and set up github, it works. My old password-protected PEM key is the one that fails. Very strange.
0 -
@TMoneyAllDey yes I enabled everything. That's weird because I also tried to generate a new SSH key and link it to Github but it didn't work. Did you use an RSA or Ed25519 key type ?
0 -
@SV337 , I used the new Ed25519 since my old keys are all RSA.
0 -
Your error reads like the 1password ssh service is failing to load. Can you try this command
ssh -vT git@github.com
?
0 -
Sure, I get more or less the same thing as you did:
debug1: Will attempt key: ED25519 SHA256:DGsj4tgVBWjC1KKhu7jhs5HA/1CiY+e8YoH+uWA3GRw agent
debug1: Will attempt key: ED25519 SHA256:X1vpNjmAwANO/gPVdvde1J/e+ZBmQELv+7raKMIgGdQ agent
debug1: Will attempt key: ED25519 SHA256:vwjBnRxnegnivkKfqRt0FxOGsyoSVJ0st2YNs4nyPkQ agent
debug1: Will attempt key: ED25519 SHA256:/3qGzZTtnZL7SiYcqlhaEupbDfXn4jEJrqJWNhLUs3o agent
[...]
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: ED25519 SHA256:DGsj4tgVBWjC1KKhu7jhs5HA/1CiY+e8YoH+uWA3GRw agent
debug1: Server accepts key: ED25519 SHA256:DGsj4tgVBWjC1KKhu7jhs5HA/1CiY+e8YoH+uWA3GRw agent
sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation
debug1: Offering public key: ED25519 SHA256:X1vpNjmAwANO/gPVdvde1J/e+ZBmQELv+7raKMIgGdQ agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: ED25519 SHA256:vwjBnRxnegnivkKfqRt0FxOGsyoSVJ0st2YNs4nyPkQ agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: ED25519 SHA256:/3qGzZTtnZL7SiYcqlhaEupbDfXn4jEJrqJWNhLUs3o agent
debug1: Server accepts key: ED25519 SHA256:/3qGzZTtnZL7SiYcqlhaEupbDfXn4jEJrqJWNhLUs3o agent
sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation
[...]
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).
I have 4 keys setup on 1password at the moment, so I'm guessing it's able to retrieve these from the agent correctly.
0 -
@TMoneyAllDey Sure, I get more or less the same thing as you did:
debug1: Will attempt key: ED25519 SHA256:<sha256sum> agent
debug1: Will attempt key: ED25519 SHA256:<sha256sum> agent
debug1: Will attempt key: ED25519 SHA256:<sha256sum> agent
debug1: Will attempt key: ED25519 SHA256:<sha256sum> agent
[...]
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: ED25519 SHA256:<sha256sum> agent
debug1: Server accepts key: ED25519 SHA256:<sha256sum> agent
sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation
debug1: Offering public key: ED25519 SHA256:<sha256sum> agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: ED25519 SHA256:<sha256sum> agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: ED25519 SHA256: agent
debug1: Server accepts key: ED25519 SHA256:<sha256sum> agent
sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation
[...]
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).
I have 4 SSH keys on my 1Password vault at the moment, so it looks like it is able to retrieve these from the agent correctly.
0 -
Yeah, it looks like it is picking them up. We might have to wait until a 1password tech gets here.
0 -
Interesting, I'm pretty much at the same place.
I've added a few of my keys to my vault, and ssh-add -l lists them all. When testing it with git@github.com, my system's behavior is pretty much the same as OP.
❯ ssh -vT git@github.com
OpenSSH_8.8p1, OpenSSL 1.1.1m 14 Dec 2021
debug1: Reading configuration data /home/ndo/.ssh/config
debug1: /home/ndo/.ssh/config line 11: Applying options for github.com
debug1: /home/ndo/.ssh/config line 541: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to github.com [140.82.121.4] port 22.
debug1: Connection established.
debug1: identity file /home/ndo/.ssh/id_ndo4.pub type 0
debug1: identity file /home/ndo/.ssh/id_ndo4.pub-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version babeld-e1420b26
debug1: compat_banner: no match: babeld-e1420b26
debug1: Authenticating to github.com:22 as 'git'
debug1: load_hostkeys: fopen /home/ndo/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-rsa SHA256:abc123
debug1: load_hostkeys: fopen /home/ndo/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'github.com' is known and matches the RSA host key.
debug1: Found key in /home/ndo/.ssh/known_hosts:41
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/ndo/.ssh/id_ndo4.pub RSA SHA256:abc123 explicit agent
debug1: Will attempt key: RSA SHA256:abc123 agent
debug1: Will attempt key: ED25519 SHA256:abc123 agent
debug1: Will attempt key: RSA SHA256:abc123 agent
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/ndo/.ssh/id_ndo4.pub RSA SHA256:abc123 explicit agent <-- this is the correct public key that should work imo
debug1: Server accepts key: /home/ndo/.ssh/id_ndo4.pub RSA SHA256:abc123 explicit agent
sign_and_send_pubkey: signing failed for RSA "/home/ndo/.ssh/id_ndo4.pub" from agent: agent refused operation
debug1: Offering public key: RSA SHA256:abc123 agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: ED25519 SHA256:abc123 agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: RSA SHA256:abc123 agent
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).
~ ❯ ssh-add -l
2048 SHA256:abc123 (RSA)
4096 SHA256:abc123 (RSA)
256 SHA256:abc123 (ED25519)
2048 SHA256:abc123 (RSA)
I see the agent.sock file in ~/.1password/ and lsof says an active 1Password process has it open.
I wanted to add, my .ssh/config entry for github.com looks like this:
host github.com
  user git
  IdentityAgent "~/.1password/agent.sock"
  IdentityFile ~/.ssh/id_ndo4.pub
System:
Arch Linux 5.17
OP Cli 2.0.0-beta.12
OP App 8.6.0
0 -
I'm having a similar issue on Windows, where the SSH key works, but I still get sign_and_send_pubkey: signing failed: agent refused operation.
➜ ssh -T git@github.com
sign_and_send_pubkey: signing failed: agent refused operation
Hi xxx! You've successfully authenticated, but GitHub does not provide shell access.
➜ ssh-add -l
256 SHA256:xxx (ED25519)
EDIT: well, in my case, restarting the gpg agent fixed it!
0 -
In my ~/.config/1Password/logs/1Password_rCURRENT.log file, I now see a bunch of lines of
WARN 2022-02-19T12:31:26.930 tokio-runtime-worker(ThreadId(4)) [1P:ssh/op-ssh-agent/src/lib.rs:252] Unable to get client_info for pid: 123
Whenever I try to use the agent, i.e. with the Github test cmd (ssh -T git@github.com) and see the agent refused operation error message.
Before these error messages, I do see some INFO type messages that the SSH agent was successfully started though!
0 -
Just a quick message to say that the issue was coming from tmux on my side. It is apparently a known issue that the 1Password team is working on.
When trying it under alacritty + zsh without tmux it is working fine. I'll wait for the fix to land to start using it!
0 -
@SV337 thanks for the update! I tried it without tmux, however with alacritty + bash, and still wasn't able to get it to work. Sounds like the team is on it though, I'll hang tight as well and keep an eye on this thread! :)
In case it helps, the 1Password_rCURRENT.log file now said Session was not authorized for each attempt from that alacritty / bash (w/o Tmux) window.
I tried restarting the agent by unchecking and rechecking the option in the desktop 1P 8 client and saw SSH Agent is stopping and then SSH agent is starting in the logs. However, it immediately went back to Session was not authorized after attempting to login via SSH with the Agent set in ~/.ssh/config.
I also intermittently had messages saying New unlock was suppressed because a previous unlock was rejected or the lock screen was displayed, between these "Session not authorized" logs.
0 -
Hey all, we've implemented some fixes that could solve some of the issues mentioned above, which are available on the latest stable and beta release.
Let us know if that fixes your issues.
@TMoneyAllDey For the Windows issue with RSA, do you see anything appear in the logs (%LOCALAPPDATA%/1Password/logs) when you run your SSH command? And you're saying it does work when you generate a new Ed25519 key using 1Password, but what happens if you generate a new RSA key using 1Password?
0 -
I am experiencing similar problems.
- 1Password for Mac 8.6.0 80600081, on BETA channel
- 1Password for Mac 8.7.0 80700002, on BETA channel
Created Ed25519 key for GitHub in 1Password and set IdentityAgent in ~/.ssh/config.
(There are no other settings in ~/.ssh/config).
And ssh -T git@github.com succeeded.
Next, a key was created with RSA (4096 bits) to connect to another host.
ssh user@my-host
and was prompted to unlock by Touch ID, but could not connect.
When the -vT option was enabled, the following log was displayed.
...
debug1: Will attempt key: GitHub SSH chatii ED25519 SHA256:{} agent
debug1: Will attempt key: insprout ProxyServer chatii SSH Key RSA SHA256:{} agent
...
debug1: Authentications that can continue: publickey
debug1: Offering public key: my host RSA SHA256:{} agent
debug1: Server accepts key: my host RSA SHA256:{} agent
sign_and_send_pubkey: signing failed for RSA "my host SSH Key" from agent: agent refused operation
...
debug1: No more authentication methods to try.
user@myhost: Permission denied (publickey).
To find out where the problem lies, copy the private key generated by 1Password to ~/.ssh/my-host and try ssh -i ~/.ssh/my-host user@myhost - this method works.
I have also tried disabling and enabling the SSH agent in 1Password and upgrading (8.6.0 => 8.7.0), but this does not fix the problem.
0 -
@chatii A possible cause is the client/server is attempting key exchange with ssh-rsa (RSA with SHA1) which is not supported. 1Password currently only supports rsa-sha2-512 and rsa-sha2-256 for RSA keys. A quick way to test is with the following command:
# Github supports rsa-sha2 and it takes precedence over ssh-rsa
ssh -vvT git@github.com ls |& grep 'peer server KEXINIT proposal' -A3 | grep 'host key algorithms'
debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa
# Azure DevOps only supports ssh-rsa
ssh -vvT git@ssh.dev.azure.com ls |& grep 'peer server KEXINIT proposal' -A3 | grep 'host key algorithms'
debug2: host key algorithms: ssh-rsa
If rsa-sha2 is supported, but has lower preference than ssh-rsa, PubkeyAcceptedKeyTypes in ~/.ssh/config can be used to remove it from the proposed list
0 -
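Added example, not part of the original thread and not 1Password's own tooling: the check from the reply above as a reusable shell filter over ssh -vv output. It also reads the server-sig-algs line that appears in the logs earlier in this thread; the function names and both sample logs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: classify which RSA signature algorithms a server advertises,
# reading `ssh -vv` debug output on stdin. All function names are hypothetical.

# Host key algorithms from the *server's* KEXINIT proposal (the line the grep
# pipeline in the reply above extracts); the client's own proposal is skipped.
peer_hostkey_algs() {
  awk '/peer server KEXINIT proposal/ { peer = 1; next }
       peer && /host key algorithms: / {
         sub(/.*host key algorithms: /, ""); print; exit }'
}

# server-sig-algs (RFC 8308 extension): signature algorithms the server
# accepts for public-key user authentication. Empty if the server sent none.
server_sig_algs() {
  sed -n 's/.*server-sig-algs=<\(.*\)>.*/\1/p' | head -n 1
}

# $1 = comma-separated algorithm list -> rsa-sha2 | ssh-rsa-only | no-rsa
# Commas are added at both ends so only whole names match (not -cert variants).
classify_rsa() {
  case ",$1," in
    *,rsa-sha2-256,*|*,rsa-sha2-512,*) echo rsa-sha2 ;;
    *,ssh-rsa,*)                       echo ssh-rsa-only ;;
    *)                                 echo no-rsa ;;
  esac
}

# Prefer server-sig-algs; fall back to the host key list when it is absent.
rsa_verdict() {
  local log sig
  log=$(cat)
  sig=$(printf '%s\n' "$log" | server_sig_algs)
  [ -n "$sig" ] || sig=$(printf '%s\n' "$log" | peer_hostkey_algs)
  classify_rsa "$sig"
}

# Constructed sample logs, trimmed to the relevant lines.
SAMPLE_MODERN='debug2: local client KEXINIT proposal
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256
debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa>'
SAMPLE_LEGACY='debug2: local client KEXINIT proposal
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss'

printf 'modern: %s\n' "$(printf '%s\n' "$SAMPLE_MODERN" | rsa_verdict)"
printf 'legacy: %s\n' "$(printf '%s\n' "$SAMPLE_LEGACY" | rsa_verdict)"
```

Against a live host, pipe in the client's debug stream, which ssh writes to stderr: ssh -vvT git@github.com 2>&1 | rsa_verdict. A verdict of ssh-rsa-only corresponds to the case the reply describes, where the agent refuses to sign.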
@K.J._1P oh I see, I understand..!
I really like 1Password's policy of not supporting unsecured key formats.
I was able to learn more about SSH because of the specific suggestions made. Thank you!
I tried
❯ cat ~/.ssh/config
Host target-onpremise-host
  HostName AAA.BBB.CCC.DDD
  Port 8022
  User chatii
  IdentityFile "~/.ssh/target-onpremise-host"
❯ ssh -vvT target-onpremise-host ls |& grep 'peer server KEXINIT proposal' -A3 | grep 'host key algorithms'
debug2: host key algorithms: ssh-rsa,ssh-dss
0 -
I am not seeing this issue for the offered key types. Instead I saw this in my log using the GitHub test:
ssh -T git@github.com
WARN 2022-04-11T19:43:23.382 ThreadId(1) [1P:foundation\op-windows\src\windows\window.rs:222] failed to bring window to the foreground
INFO 2022-04-11T19:43:28.355 op_executor:invocation_loop(ThreadId(12)) [1P:op-app\src\app\backend\frontend.rs:24] Front end event: window closed
WARN 2022-04-11T19:43:43.148 ThreadId(1) [1P:foundation\op-windows\src\windows\window.rs:222] failed to bring window to the foreground
I quit 1Password and re-launched it. Now I'm getting the pop up authorization window. So something caused the auth window to not show up. This was after a reboot and I have 1P set to startup automatically.
0