[wayland] signing failed: agent refused operation
After enabling the ssh agent (with or without the key name option) and editing ~/.ssh/config, I tried the suggested command and got the following output (without any prompt from 1password). 1password was running with an open window and unlocked.
$ ssh -T git@github.com
sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation
git@github.com: Permission denied (publickey).
Here's a truncated snippet from the verbose output that indicated that git was indeed getting the key from 1password.
$ ssh -T git@github.com -vvv
...
debug1: Reading configuration data /home/andrea/.ssh/config
debug1: /home/andrea/.ssh/config line 1: Applying options for *
...
debug1: Will attempt key: ED25519 SHA256:u+azOc2MbA21U3SSq2Lj768c6ApkOV5f9wCmnPLLFkc agent
...
debug1: Offering public key: ED25519 SHA256:u+azOc2MbA21U3SSq2Lj768c6ApkOV5f9wCmnPLLFkc agent
...
debug1: Server accepts key: ED25519 SHA256:u+azOc2MbA21U3SSq2Lj768c6ApkOV5f9wCmnPLLFkc agent
debug3: sign_and_send_pubkey: ED25519 SHA256:u+azOc2MbA21U3SSq2Lj768c6ApkOV5f9wCmnPLLFkc
debug3: sign_and_send_pubkey: signing using ssh-ed25519 SHA256:u+azOc2MbA21U3SSq2Lj768c6ApkOV5f9wCmnPLLFkc
sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation
...
git@github.com: Permission denied (publickey).
Some information about my system:
- os: archlinux
- kernel: linux 5.16.9
- wayland compositor: river 0.2.0-dev-8943307
- 1password version: 8.6.0_6.BETA-6
- openssh version: 8.8p1
- git version: 2.35.1
1Password Version: 8.6.0_6.BETA-6
Extension Version: Not Provided
OS Version: linux 5.16.9
Comments
-
Do you see anything appear in $HOME/.config/1Password/logs when invoking the SSH request?
0 -
Nope, no logs, not even in the subdirectories.
logs $ pwd
/home/lupolucio/.config/1Password/logs
logs $ tree
[4.0K] .
├── [4.0K] BrowserSupport
│   ├── [4.0K] KeyringHelper
│   └── [ 880] 1Password_rCURRENT.log
├── [4.0K] KeyringHelper
│   └── [ 130] 1Password_rCURRENT.log
└── [ 101] 1Password_rCURRENT.log
logs $ ssh -T git@github.com
sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation
git@github.com: Permission denied (publickey).
logs $ tree
[4.0K] .
├── [4.0K] BrowserSupport
│   ├── [4.0K] KeyringHelper
│   └── [ 880] 1Password_rCURRENT.log
├── [4.0K] KeyringHelper
│   └── [ 130] 1Password_rCURRENT.log
└── [ 101] 1Password_rCURRENT.log
logs $ cat 1Password_rCURRENT.log
INFO 2022-02-22T13:38:00.466 ThreadId(6) [client:typescript] 1Password is already running, closing.
logs $ cat KeyringHelper/1Password_rCURRENT.log
INFO 2022-02-22T13:38:00.754 main(ThreadId(1)) [1P:foundation/op-linux/src/bin/keyring_helper.rs:133] initalizing keyring helper
logs $ cat BrowserSupport/1Password_rCURRENT.log
INFO 2022-02-22T13:39:58.503 main(ThreadId(1)) [1P:native-messaging/op-browser-support/src/main.rs:148] Starting 1Password-BrowserSupport 8.6.0-6.BETA production build no. 80600006.
INFO 2022-02-22T13:39:58.503 main(ThreadId(1)) [1P:native-messaging/op-browser-support/src/browser_verification/linux.rs:31] Verifying browser "/usr/lib/firefox/firefox"
INFO 2022-02-22T13:39:58.506 main(ThreadId(1)) [1P:native-messaging/op-browser-support/src/browser_verification/linux.rs:45] Browser "/usr/lib/firefox/firefox" verified successfully
INFO 2022-02-22T13:39:58.506 main(ThreadId(1)) [1P:native-messaging/op-browser-support-lib/src/communication_logic.rs:119] Starting SLS communication (attempting connection to desktop app)
INFO 2022-02-22T13:39:58.510 main(ThreadId(1)) [1P:native-messaging/op-browser-support-lib/src/communication_logic.rs:184] Connected to the desktop app
0 -
Having run into this myself, it's potentially because you do not have a polkit authentication agent installed or running. See https://wiki.archlinux.org/title/Polkit#Authentication_agents for more details.
I ended up picking polkit-gnome and just make sure that I start /usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1 in the background before attempting to use the SSH Agent.
See if starting one of those authentication agents helps your situation.
0 -
Thanks for the answer, but I'm actually running that exact polkit agent.
0 -
Do you also have the "Unlock using system authentication service" setting under Settings > Security in the 1Password app enabled?
I found that I needed that checked, and that the polkit authorization agent installed before it started to work. Otherwise I noted the same behavior that you did.
0 -
"Unlock using system authentication service" was (and is) enabled.
The polkit agent is launched at login, immediately before running 1password --silent.
0 -
Sounds like we're configured identically, then! Other than I'm using Sway, rather than River.
Hopefully someone from the 1Password team can help with further debugging steps, since I also noticed that the logs do not seem to provide much help in this scenario.
0 -
After the update to 8.6.0_43.BETA-43 I got the following output, even after disabling the agent, deleting the socket file, rebooting and enabling everything again.
$ ssh -T git@github.com -vvv
...
debug2: get_agent_identities: ssh_agent_bind_hostkey: communication with agent failed
debug1: get_agent_identities: ssh_fetch_identitylist: communication with agent failed
...
git@github.com: Permission denied (publickey).
0 -
I started seeing this issue around the same time as the beta 8.6.0_43.BETA-43, some time in the middle of the week. Unfortunately reverting to the previous 1P beta #26 did not fix the issue. I still got the following log messages as also reported above.
~ ᐅ ssh -T git@github.com -vvv
...
debug2: get_agent_identities: ssh_agent_bind_hostkey: communication with agent failed
debug1: get_agent_identities: ssh_fetch_identitylist: communication with agent failed
...
git@github.com: Permission denied (publickey).
Since reverting the 1Password update didn't restore the old working state, my troubleshooting led me to realize that the Arch openssh package was updated from v8.8p1 to v8.9p1 around the same time. Reverting to the version in the Arch repo archives dated 2022/02/22 restored the old working behavior. I haven't taken the time to track down exactly why this downgrade fixes this issue since the workaround of downgrading the package is working for me for the time being.
0 -
For those using OpenSSH 8.9: we've made some improvements to the SSH agent which should also fix this issue. It'll be available in the next beta update, but if you want to try it now already, you can switch to the Nightly release channel from the 1Password 8 preferences.
0 -
@floris_1P is this the same as building from git? I'm supposedly on the latest version (80600043, on BETA channel) and this is still not fixed, I can't see the release channel in Arch though.
0 -
After the update to 8.6.0_51.BETA-51 the behaviour is back to the one of the first post.
The only difference is that now the username@hostname is correctly shown in the error:
$ ssh -T git@github.com
sign_and_send_pubkey: signing failed for ED25519 "lupolucio@spettro" from agent: agent refused operation
git@github.com: Permission denied (publickey).
After seeing another post I've tried the following:
$ ssh-add -l
Could not open a connection to your authentication agent.
0 -
With the 8.6.0_68.BETA-68 update it now works correctly.
Thank you very much for the support.
0 -
It worked for me after removing github entry from ~/.ssh/known_hosts
0 -
It looks like this issue is back with 1Password 8.7.0-49.BETA and OpenSSH_9.0p1, OpenSSL 1.1.1n 15 Mar 2022. Explicitly specifying an identity (ssh -i) works around it for me.
0 -
Thanks for the speedy response @floris_1P! I was seeing "agent refused operation" but that appears to have gone away today. Apologies for the false alarm. I think something was wrong with my polkit setup.
0
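
The three failure messages reported in this thread point at different layers, so it helps to separate them before changing anything. The script below is an added example, not part of the thread and not 1Password's or OpenSSH's own tooling; the function names and category labels are hypothetical, and the sample lines are constructed from the output quoted in the posts with a placeholder fingerprint.

```shell
#!/bin/sh
# Added example; function names and category labels are hypothetical.

# Classify ssh -vvv / ssh-add output read from stdin by the agent error it contains.
classify_agent_failure() {
    awk '
        /Could not open a connection to your authentication agent/ { nosock = 1 }
        /communication with agent failed/                          { proto = 1 }
        /agent refused operation/                                  { refused = 1 }
        END {
            if (nosock)       print "no-socket"
            else if (proto)   print "protocol-failure"
            else if (refused) print "signing-refused"
            else              print "no-agent-error"
        }'
}

# Print fingerprints of keys that ssh offered from an agent (not from a key file).
agent_keys() {
    awk '$2 == "Offering" && $NF == "agent" { print $(NF - 1) }' | sort -u
}

# Map a category to the check the thread suggests trying first.
next_check() {
    case "$1" in
        no-socket)        echo "ssh-add reads only SSH_AUTH_SOCK, not IdentityAgent from ssh config" ;;
        protocol-failure) echo "check for an OpenSSH client upgrade (thread: 8.8p1 -> 8.9p1) and update the agent" ;;
        signing-refused)  echo "agent reachable but refused: check the polkit authentication agent and unlock setting" ;;
        *)                echo "no agent error found in this output" ;;
    esac
}

# Constructed sample lines modeled on the output in the posts (placeholder fingerprint).
SAMPLE_REFUSED='debug1: Offering public key: ED25519 SHA256:CONSTRUCTEDFINGERPRINT agent
debug1: Server accepts key: ED25519 SHA256:CONSTRUCTEDFINGERPRINT agent
sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation'
SAMPLE_PROTO='debug2: get_agent_identities: ssh_agent_bind_hostkey: communication with agent failed
debug1: get_agent_identities: ssh_fetch_identitylist: communication with agent failed'

for sample in "$SAMPLE_REFUSED" "$SAMPLE_PROTO"; do
    category=$(printf '%s\n' "$sample" | classify_agent_failure)
    printf '%s: %s\n' "$category" "$(next_check "$category")"
done
```

To classify a live session, pipe it in with `ssh -T git@github.com -vvv 2>&1 | classify_agent_failure`.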