[wayland] signign failed: agent refused operation

lupolucio
lupolucio
Community Member
edited May 2022 in SSH

After enabling the ssh agent (with or without the key name option) and editing ~/.ssh/config, I tried the suggested command and got the following output (without any prompt from 1password). 1password was running with an open window and unlocked.

$ ssh -T git@github.com
sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation
git@github.com: Permission denied (publickey).

Here's a truncated snippet from the verbose output that indicated that git was indeed getting the key from 1password.

$ ssh -T git@github.com -vvv
...
debug1: Reading configuration data /home/andrea/.ssh/config
debug1: /home/andrea/.ssh/config line 1: Applying options for *
...
debug1: Will attempt key:  ED25519 SHA256:u+azOc2MbA21U3SSq2Lj768c6ApkOV5f9wCmnPLLFkc agent
...
debug1: Offering public key:  ED25519 SHA256:u+azOc2MbA21U3SSq2Lj768c6ApkOV5f9wCmnPLLFkc agent
...
debug1: Server accepts key:  ED25519 SHA256:u+azOc2MbA21U3SSq2Lj768c6ApkOV5f9wCmnPLLFkc agent
debug3: sign_and_send_pubkey: ED25519 SHA256:u+azOc2MbA21U3SSq2Lj768c6ApkOV5f9wCmnPLLFkc
debug3: sign_and_send_pubkey: signing using ssh-ed25519 SHA256:u+azOc2MbA21U3SSq2Lj768c6ApkOV5f9wCmnPLLFkc
sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation
...
git@github.com: Permission denied (publickey).

Some information about my sistem:

  • os: archlinux
  • kernel: linux 5.16.9
  • wayland compositor: river 0.2.0-dev-8943307
  • 1password version: 8.6.0_6.BETA-6
  • openssh version: 8.8p1
  • git version: 2.35.1

1Password Version: 8.6.0_6.BETA-6
Extension Version: Not Provided
OS Version: linux 5.16.9

Comments

  • Do you see anything appear in $HOME/.config/1Password/logs when invoking the SSH request?

  • lupolucio
    lupolucio
    Community Member

    Nope, no logs, not even in the subdirectories.

    logs $ pwd
    /home/lupolucio/.config/1Password/logs
    
    logs $ tree
    [4.0K]  .
    ├── [4.0K]  BrowserSupport
    │   ├── [4.0K]  KeyringHelper
    │   └── [ 880]  1Password_rCURRENT.log
    ├── [4.0K]  KeyringHelper
    │   └── [ 130]  1Password_rCURRENT.log
    └── [ 101]  1Password_rCURRENT.log
    
    logs $ ssh -T git@github.com
    sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation
    git@github.com: Permission denied (publickey).
    
    logs $ tree
    [4.0K]  .
    ├── [4.0K]  BrowserSupport
    │   ├── [4.0K]  KeyringHelper
    │   └── [ 880]  1Password_rCURRENT.log
    ├── [4.0K]  KeyringHelper
    │   └── [ 130]  1Password_rCURRENT.log
    └── [ 101]  1Password_rCURRENT.log
    
    logs $ cat 1Password_rCURRENT.log 
    INFO  2022-02-22T13:38:00.466 ThreadId(6) [client:typescript] 1Password is already running, closing.
    
    logs $ cat KeyringHelper/1Password_rCURRENT.log 
    INFO  2022-02-22T13:38:00.754 main(ThreadId(1)) [1P:foundation/op-linux/src/bin/keyring_helper.rs:133] initalizing keyring helper
    
    logs $ cat BrowserSupport/1Password_rCURRENT.log 
    INFO  2022-02-22T13:39:58.503 main(ThreadId(1)) [1P:native-messaging/op-browser-support/src/main.rs:148] Starting 1Password-BrowserSupport 8.6.0-6.BETA production build no. 80600006.
    INFO  2022-02-22T13:39:58.503 main(ThreadId(1)) [1P:native-messaging/op-browser-support/src/browser_verification/linux.rs:31] Verifying browser "/usr/lib/firefox/firefox"
    INFO  2022-02-22T13:39:58.506 main(ThreadId(1)) [1P:native-messaging/op-browser-support/src/browser_verification/linux.rs:45] Browser "/usr/lib/firefox/firefox" verified successfully
    INFO  2022-02-22T13:39:58.506 main(ThreadId(1)) [1P:native-messaging/op-browser-support-lib/src/communication_logic.rs:119] Starting SLS communication (attempting connection to desktop app)
    INFO  2022-02-22T13:39:58.510 main(ThreadId(1)) [1P:native-messaging/op-browser-support-lib/src/communication_logic.rs:184] Connected to the desktop app
    
  • mattikus
    mattikus
    Community Member
    edited February 2022

    Having run into this myself, it's potentially because you do not have a polkit authentication agent installed or running. See https://wiki.archlinux.org/title/Polkit#Authentication_agents for more details.

    I ended up picking polkit-gnome and just make sure that I start /usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1 in the background before attempting to use the SSH Agent.

    See if starting one of those authentication agents helps your situation.

  • lupolucio
    lupolucio
    Community Member

    Thanks for the answer, but I'm actually running that exact polkit agent.

  • mattikus
    mattikus
    Community Member
    edited February 2022

    Do you also have the "Unlock using system authentication service" setting under Settings > Security in the 1Password app enabled?

    I found that I needed that checked, and that the polkit authorization agent installed before it started to work. Otherwise I noted the same behavior that you did.

  • lupolucio
    lupolucio
    Community Member

    "Unlock using system authentication service" was (and is) enabled.
    The polkit agent is launched at login, immediately before running 1password --silent.

  • mattikus
    mattikus
    Community Member

    Sounds like we're configured identically, then! Other than I'm using Sway, rather than River.

    Hopefully someone from the 1Password team can help with further debugging steps, since I also noticed that the logs do not seem to provide much help in this scenario.

  • lupolucio
    lupolucio
    Community Member

    After the update to 8.6.0_43.BETA-43 I got the following output, even after disabling the agent, deleting the socket file, rebooting and enabling everything again.

    $ ssh -T git@github.com -vvv
    ...
    debug2: get_agent_identities: ssh_agent_bind_hostkey: communication with agent failed
    debug1: get_agent_identities: ssh_fetch_identitylist: communication with agent failed
    ...
    git@github.com: Permission denied (publickey).
    
  • HotPizzaPocket
    HotPizzaPocket
    Community Member

    I started seeing this issue around the same time as the beta 8.6.0_43.BETA-43, some time in the middle of the week. Unfortunately reverting to the previous 1P beta #26 did not fix the issue. I still got the following log messages as also reported above.

    ~ ᐅ ssh -T git@github.com -vvv
    ...
    debug2: get_agent_identities: ssh_agent_bind_hostkey: communication with agent failed
    debug1: get_agent_identities: ssh_fetch_identitylist: communication with agent failed
    ...
    git@github.com: Permission denied (publickey).
    

    Since reverting the 1Password update didn't restore the old working state, my troubleshooting lead me to realize that the Arch openssh package was updated from v8.8p1 to v8.9p1 around the same time. Reverting to the version in the Arch repo archives dated 2022/02/22 restored the old working behavior. I haven't taken the time to track down exactly why this downgrade fixes this issue since the workaround of downgrading the package is working for me for the time being.

  • For those using OpenSSH 8.9: we've made some improvements to the SSH agent which should also fix this issue. It'll be available in the next beta update, but if you want to try it now already, you can switch to the Nightly release channel from the 1Password 8 preferences: .

  • tred27
    tred27
    Community Member

    @floris_1P is this the same as building from git? I'm supposedly on the latest version (80600043, on BETA channel) and this is still not fixed, I can't see the release channel in Arch though.

  • lupolucio
    lupolucio
    Community Member
    edited March 2022

    After the update to 8.6.0_51.BETA-51 the behaviour is back to the one of the first post.
    The only difference is that now the username@hostname is correctly shown in the error:

    $ ssh -T git@github.com
    sign_and_send_pubkey: signing failed for ED25519 "lupolucio@spettro" from agent: agent refused operation
    git@github.com: Permission denied (publickey).
    

    After seeing another post I've tried the following:

    $ ssh-add -l
    Could not open a connection to your authentication agent.
    
  • lupolucio
    lupolucio
    Community Member

    With the 8.6.0_68.BETA-68 update it now works correctly.
    Thank you very much for the support.

  • rifat
    rifat
    Community Member

    It worked for me after removing github entry from ~/.ssh/known_hosts

  • mjec
    mjec
    Community Member

    It looks like this issue is back with 1Password 8.7.0-49.BETA and OpenSSH_9.0p1, OpenSSL 1.1.1n 15 Mar 2022. Explicitly specifying an identity (ssh -i) works around it for me.

  • @mjec So you're seeing agent refused operation on every SSH request? If so, do you see anything in the 1Password logs appear when you run a failing SSH command? On Linux: $HOME/.config/1Password/logs.

    Or could it be that you're seeing Too many authentication failures?

  • mjec
    mjec
    Community Member

    Thanks for the speedy response @floris_1P! I was seeing agent refused operation but that appears to have gone away today. Apologies for the false alarm. I think something was wrong with my polkit setup.

This discussion has been closed.