Compatibility with OpenSSH 8.9
matyasrichter
Community Member
Updating OpenSSH from 8.8 to 8.9 seems to break the 1Password agent. It's possible that it's a configuration issue on my end, but I was wondering if there's an official recommended solution.
My ssh config looks like this:
Host gitlab.com
  HostName gitlab.com
  IdentityFile ~/.ssh/personal.pub
  IdentitiesOnly yes
Here's the output of ssh -Tv git@gitlab.com with OpenSSH 8.8:
OpenSSH_8.8p1, OpenSSL 1.1.1m 14 Dec 2021
debug1: Reading configuration data /home/matyas/.ssh/config
debug1: /home/matyas/.ssh/config line 1: Applying options for *
debug1: /home/matyas/.ssh/config line 73: Applying options for gitlab.com
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to gitlab.com [172.65.251.78] port 22.
debug1: Connection established.
debug1: identity file /home/matyas/.ssh/personal.pub type 3
debug1: identity file /home/matyas/.ssh/personal.pub-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4p1 Debian-5
debug1: compat_banner: match: OpenSSH_8.4p1 Debian-5 pat OpenSSH* compat 0x04000000
debug1: Authenticating to gitlab.com:22 as 'git'
debug1: load_hostkeys: fopen /home/matyas/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw
debug1: load_hostkeys: fopen /home/matyas/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'gitlab.com' is known and matches the ECDSA host key.
debug1: Found key in /home/matyas/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/matyas/.ssh/personal.pub ED25519 SHA256:<---> explicit agent
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/matyas/.ssh/personal.pub ED25519 SHA256:<---> explicit agent
debug1: Server accepts key: /home/matyas/.ssh/personal.pub ED25519 SHA256:<---> explicit agent
Authenticated to gitlab.com ([172.65.251.78]:22) using "publickey".
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: filesystem full
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: client_input_hostkeys: searching /home/matyas/.ssh/known_hosts for gitlab.com / (none)
debug1: client_input_hostkeys: searching /home/matyas/.ssh/known_hosts2 for gitlab.com / (none)
debug1: client_input_hostkeys: hostkeys file /home/matyas/.ssh/known_hosts2 does not exist
debug1: client_input_hostkeys: host key found matching a different name/address, skipping UserKnownHostsFile update
debug1: Remote: /authorized_keys %u %k:1: key options: command user-rc
debug1: Remote: /authorized_keys %u %k:1: key options: command user-rc
Welcome to GitLab, @matyasrichter!
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2116, received 2648 bytes, in 0.3 seconds
Bytes per second: sent 8239.8, received 10311.5
debug1: Exit status 0
Here's the output with OpenSSH 8.9:
OpenSSH_8.9p1, OpenSSL 1.1.1m 14 Dec 2021
debug1: Reading configuration data /home/matyas/.ssh/config
debug1: /home/matyas/.ssh/config line 1: Applying options for *
debug1: /home/matyas/.ssh/config line 73: Applying options for gitlab.com
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to gitlab.com [172.65.251.78] port 22.
debug1: Connection established.
debug1: identity file /home/matyas/.ssh/personal.pub type 3
debug1: identity file /home/matyas/.ssh/personal.pub-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4p1 Debian-5
debug1: compat_banner: match: OpenSSH_8.4p1 Debian-5 pat OpenSSH* compat 0x04000000
debug1: Authenticating to gitlab.com:22 as 'git'
debug1: load_hostkeys: fopen /home/matyas/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw
debug1: load_hostkeys: fopen /home/matyas/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'gitlab.com' is known and matches the ECDSA host key.
debug1: Found key in /home/matyas/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: ssh_fetch_identitylist: communication with agent failed
debug1: Will attempt key: /home/matyas/.ssh/personal.pub ED25519 SHA256:<---> explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/matyas/.ssh/personal.pub ED25519 SHA256:<---> explicit
debug1: Server accepts key: /home/matyas/.ssh/personal.pub ED25519 SHA256:<---> explicit
Load key "/home/matyas/.ssh/personal.pub": invalid format
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
git@gitlab.com: Permission denied (publickey,keyboard-interactive).
1Password Version: 8.6.0-43.BETA
Extension Version: 2.2.3
OS Version: Linux 5.16.11-2-MANJARO
Comments
We've made some improvements to the SSH agent which should also fix this issue. It'll be available in the next beta update, but if you want to try it now already, you can switch to the Nightly release channel from the 1Password 8 preferences: .
This discussion has been closed.
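The two ssh -Tv runs in the original post differ in only a few lines: the agent error, the missing "agent" tag on the candidate key, and the failed attempt to load the .pub file as a private key. The following is an added example, not part of the thread or of 1Password's or OpenSSH's code, that pulls those signals out of verbose client output; the function names and the trimmed sample logs are constructed for illustration.

```python
import re

# Constructed samples: only the lines that differ between the two runs above.
OK_LOG = """\
debug1: Will attempt key: /home/matyas/.ssh/personal.pub ED25519 SHA256:<---> explicit agent
debug1: Offering public key: /home/matyas/.ssh/personal.pub ED25519 SHA256:<---> explicit agent
Authenticated to gitlab.com ([172.65.251.78]:22) using "publickey".
"""
BROKEN_LOG = """\
debug1: get_agent_identities: ssh_fetch_identitylist: communication with agent failed
debug1: Will attempt key: /home/matyas/.ssh/personal.pub ED25519 SHA256:<---> explicit
debug1: Offering public key: /home/matyas/.ssh/personal.pub ED25519 SHA256:<---> explicit
Load key "/home/matyas/.ssh/personal.pub": invalid format
git@gitlab.com: Permission denied (publickey,keyboard-interactive).
"""

AGENT_FAIL = re.compile(r"get_agent_identities: .*communication with agent failed")
WILL_ATTEMPT = re.compile(r"Will attempt key: (\S+) \S+ \S+ (.*)$")
LOAD_FAIL = re.compile(r'Load key "([^"]+)": invalid format')


def diagnose(log):
    """Collect agent-related signals from ssh -v output."""
    d = {"agent_unreachable": False, "agent_keys": [], "file_keys": [],
         "unloadable": [], "authenticated": False}
    for line in log.splitlines():
        if AGENT_FAIL.search(line):
            d["agent_unreachable"] = True
        elif (m := WILL_ATTEMPT.search(line)):
            # The client tags a candidate key "agent" only when the agent holds it.
            bucket = "agent_keys" if "agent" in m.group(2).split() else "file_keys"
            d[bucket].append(m.group(1))
        elif (m := LOAD_FAIL.search(line)):
            d["unloadable"].append(m.group(1))
        elif line.startswith("Authenticated to "):
            d["authenticated"] = True
    return d


def verdict(d):
    """Turn the collected signals into a one-line finding."""
    stranded = [p for p in d["file_keys"] if p in d["unloadable"]]
    if d["agent_unreachable"] and stranded:
        return "agent unreachable; IdentityFile has no usable private key: " + ", ".join(stranded)
    if d["agent_unreachable"]:
        return "agent unreachable"
    if d["authenticated"] and d["agent_keys"]:
        return "authenticated with agent-held key"
    return "no agent problem detected"


if __name__ == "__main__":
    for name, log in (("8.8", OK_LOG), ("8.9", BROKEN_LOG)):
        print(name, "->", verdict(diagnose(log)))
```

With IdentityFile pointing at a public key, the private half exists only in the agent, so an unreachable agent leaves the client nothing to sign with and it falls through to "Permission denied".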