macOS - how to verify/debug 1Password agent is the one being used?

dwfrank
Community Member
edited May 2022 in SSH

I've followed the docs. Public key is at GitHub. 1Password entry is correct.

But when I ssh -Tvvv git@github.com I'm still getting "publickey denied".

  • Is there something I should see in the debug logs that says 1Password?
  • And if not, is there a troubleshooting guide yet?

1Password Version: 8.6.0 80600026
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • dwfrank
    Community Member

    Worth noting, I've copied the private key that 1P8 generated into ~/.ssh/id_ed25519 to diagnose, and I'm getting the error message: Load key "/Users/$USERNAME/.ssh/id_ed25519": invalid format

  • Lachy
    Community Member
    edited February 2022

    Load key "/Users/$USERNAME/.ssh/id_ed25519": invalid format

    When you saved that file, did you copy and paste from the Private Key field in 1Password, or did you click the menu and choose download? If you did the former, that would explain it. Clicking on the field to copy to clipboard puts the raw key value into the clipboard. You can tell by looking at the first line of the file:

    This is what you get when you copy and paste from the private key field directly:

    -----BEGIN PRIVATE KEY-----
    

    This raw format isn't particularly useful for anything I'm aware of. I'm not sure why 1Password gives it to you.

    This is what you get when you choose the download option, and is what you need to use for ssh to understand it:

    -----BEGIN OPENSSH PRIVATE KEY-----
    

    For your main issue, how did you configure SSH to use 1Password's ssh-agent? Did you set the SSH_AUTH_SOCK environment variable, or did you use the IdentityAgent directive in ~/.ssh/config?

    If you did set the SSH_AUTH_SOCK variable, then just run:

    $ ssh-add -l
    

    Otherwise, run:

    $ SSH_AUTH_SOCK="$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock" ssh-add -l
    

    Edit: The above assumes you're running macOS. If you're running Linux, check 1Password's documentation for the equivalent command on that system.

    This should list the fingerprints for all available keys stored in 1Password.

    In the verbose logs for ssh, you should see some lines like debug1: Will attempt key: ... telling you which keys are being offered. Ensure that one of these corresponds with the public key you have added to GitHub.

    Further down, you will see something like the following. There may be some slight differences if you're using RSA instead of Ed25519.

    debug1: Offering public key: name_of_your_key ED25519 SHA256:xxxfingerprintxxx... explicit agent
    debug3: send packet: type 50
    debug2: we sent a publickey packet, wait for reply
    debug3: receive packet: type 60
    debug1: Server accepts key: name_of_your_key ED25519 SHA256:xxxfingerprintxxx explicit agent
    debug3: sign_and_send_pubkey: ED25519 SHA256:xxxfingerprintxxx
    debug3: sign_and_send_pubkey: signing using ssh-ed25519 SHA256:xxxfingerprintxxx
    

    If you have multiple keys, you might see it offering keys that are then rejected. If all of your keys are rejected, make sure at least one of them corresponds with what you set up in GitHub.

    If you have too many keys, and none of the keys being offered are what you set up with GitHub, then put your public key file in ~/.ssh/id_ed25519.pub and use the IdentityFile directive in ~/.ssh/config to specify that directly.

    Host github.com
        User git
        IdentityFile ~/.ssh/id_ed25519.pub
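
The checks described in the comment above (the private key file header, and the offered and accepted keys in the verbose log), together with the "agent refused operation" error reported in this thread, as an added shell example that is not part of the original posts. The function names, verdict strings and sample log are constructed for illustration; the fingerprints are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): triage helpers for the checks above.

# Classify a private key file by its PEM header (first line only).
key_file_format() {
  case "$(head -n 1 "$1")" in
    "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;  # what ssh loads
    "-----BEGIN PRIVATE KEY-----")         echo pkcs8 ;;    # PKCS#8 PEM header
    *)                                     echo unknown ;;
  esac
}

# Summarise `ssh -vvv` output on stdin: keys offered, key accepted, verdict.
# Real use: ssh -Tvvv git@github.com 2>&1 | diagnose_ssh_log
diagnose_ssh_log() {
  awk '
    /Offering public key:/ {
      fp = ""
      for (i = 1; i <= NF; i++) if ($i ~ /^SHA256:/) fp = $i
      # ssh appends "agent" when the identity came from an agent socket
      src = ($NF == "agent") ? "agent" : "file"
      offered = 1
      print "offered " fp " via " src
    }
    /Server accepts key:/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^SHA256:/) print "accepted " $i
      accepted = 1
    }
    /signing failed: agent refused operation/ { refused = 1 }
    END {
      if (refused)       print "verdict agent-refused"
      else if (accepted) print "verdict key-accepted"
      else if (offered)  print "verdict all-keys-rejected"
      else               print "verdict no-keys-offered"
    }'
}

# Constructed sample log (fingerprints are placeholders, not real keys).
SAMPLE_LOG='debug1: Offering public key: work_key ED25519 SHA256:AAAAconstructed agent
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Offering public key: github_key ED25519 SHA256:BBBBconstructed agent
debug3: receive packet: type 60
debug1: Server accepts key: github_key ED25519 SHA256:BBBBconstructed agent'

printf '%s\n' "$SAMPLE_LOG" | diagnose_ssh_log
```

"via agent" only shows that some agent supplied the key; to tie it to 1Password, compare the offered fingerprints with the ssh-add -l output taken against the 1Password socket path given above.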
    
  • XIII
    Community Member

    Did you open the 1Password GUI before trying?

    I forget that a lot and I get this error then:

    sign_and_send_pubkey: signing failed: agent refused operation
    
This discussion has been closed.