agent refused operation error on macOS

gmcluhan

Hi there,

Just installed 1Password8 beta and setup an SSH key for internal company GitHub and I keep getting this error:

graham@Grahams-MBP dmautomationlib % git pull
sign_and_send_pubkey: signing failed for ED25519 "My SSH Key" from agent: agent refused operation
git@github.mycompany.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Here's the error I see in the 1Password_rCURRENT.log

WARN  2022-03-22T11:43:47.081 tokio-runtime-worker(ThreadId(1)) [1P:foundation/op-sys-info/src/process_information/macos/non_app_store.rs:195] failed to get parent process of 1
WARN  2022-03-22T11:43:47.081 tokio-runtime-worker(ThreadId(1)) [1P:foundation/op-sys-info/src/process_information/macos/non_app_store.rs:81] failed to find toplevel parent
WARN  2022-03-22T11:43:47.081 tokio-runtime-worker(ThreadId(1)) [1P:ssh/op-ssh-agent/src/lib.rs:330] Unable to get client_info for pid: 2224

---

1Password Version: 80700012
Extension Version: 2.3.1
OS Version: macOS 12.3

gmcluhan

One other interesting thing is that when I run ssh-add -l I get no keys back, but if I first run export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock then I get the keys back but it still fails.

floris_1P

That's odd, what terminal are you using? Could you see what the 1Password logs say if you try another (GUI) client or terminal?

And about ssh-add, that's expected because ssh-add ignores IdentityAgent.

gmcluhan

I'm just using the stock Terminal app in macOS. When I tried SourceTree the other day it didn't work but today it did.

WARN  2022-03-24T10:50:21.224 tokio-runtime-worker(ThreadId(6)) [1P:foundation/op-sys-info/src/process_information/macos/non_app_store.rs:195] failed to get parent process of 1
WARN  2022-03-24T10:50:21.224 tokio-runtime-worker(ThreadId(6)) [1P:foundation/op-sys-info/src/process_information/macos/non_app_store.rs:81] failed to find toplevel parent
WARN  2022-03-24T10:50:21.224 tokio-runtime-worker(ThreadId(6)) [1P:ssh/op-ssh-agent/src/lib.rs:330] Unable to get client_info for pid: 82526
WARN  2022-03-24T10:50:22.050 tokio-runtime-worker(ThreadId(6)) [1P:foundation/op-sys-info/src/process_information/macos/non_app_store.rs:195] failed to get parent process of 1
WARN  2022-03-24T10:50:22.051 tokio-runtime-worker(ThreadId(6)) [1P:foundation/op-sys-info/src/process_information/macos/non_app_store.rs:81] failed to find toplevel parent
WARN  2022-03-24T10:50:22.051 tokio-runtime-worker(ThreadId(6)) [1P:ssh/op-ssh-agent/src/lib.rs:330] Unable to get client_info for pid: 82532

asdfasdfasdfasdf

I'm getting something very similar on Debian 11:

$ export SSH_AUTH_SOCK=~/.1password/agent.sock           
$ ssh me@somehost                      
sign_and_send_pubkey: signing failed for ED25519 "/home/usr/.ssh/id_mykey" from agent: agent refused operation
$ tail -n 2 ~/.config/1Password/logs/1Password_r00000.log
WARN  2022-04-28T23:15:04.336 tokio-runtime-worker(ThreadId(1)) [1P:foundation/op-sys-info/src/process_information/linux.rs:394] no top-level parent was found for pid 4376
INFO  2022-04-28T23:15:04.338 tokio-runtime-worker(ThreadId(1)) [1P:ssh/op-ssh-agent/src/lib.rs:370] Session was not authorized

tybritten

Seeing the same trying to connect to circleci. I've even exported the public key and used IdentityFile for it

floris_1P

@gmcluhan @asdfasdfasdfasdf @tybritten Could you see if it's still happening now on a recent beta or nightly? And if it does, it would be very helpful if you could submit an SSH diagnostics report.

tybritten

Ok just uploaded a diagnostic report after using last night's nightly

floris_1P

@tybritten Thanks! Also: do you see anything appear in the 1Password logs when you invoke the SSH command to CircleCI? On macOS: ~/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data/logs/1Password_rCURRENT.log

tybritten

ERROR 2022-05-11T09:13:59.011 tokio-runtime-worker(ThreadId(5)) [1P:/Users/builder/builds/BhfSvM9x/0/dev/core/core/ssh/op-ssh-agent/src/lib.rs:396] Error handling sign request: Key(signing with ssh-rsa is unsupported; SHA-1 may be insecure) ERROR 2022-05-11T09:14:00.613 tokio-runtime-worker(ThreadId(4)) [1P:/Users/builder/builds/BhfSvM9x/0/dev/core/core/ssh/op-ssh-agent/src/lib.rs:396] Error handling sign request: Key(signing with ssh-rsa is unsupported; SHA-1 may be insecure)

floris_1P

@tybritten Aha, that's a (different) known issue. See this thread for more info.

asdfasdfasdfasdf

Switched to nightly/edge by installing https://downloads.1password.com/linux/debian/amd64/edge/1password-latest.deb (80800103). Still getting an error:

ssh me@ahost.somedomain
sign_and_send_pubkey: signing failed for ED25519 "/home/me/.ssh/id_thekey" from agent: agent refused operation

But with slightly different logs:

$ tail -n 4 ~/.config/1Password/logs/1Password_r00000.log
INFO  2022-05-20T22:29:10.434 tokio-runtime-worker(ThreadId(5)) [1P:ssh/op-agent-controller/src/desktop.rs:285] SSH Agent has started.
WARN  2022-05-20T22:29:11.530 op_executor:invocation_loop(ThreadId(13)) [1P:foundation/op-linux/src/kernel_keyring.rs:817] failed to initialize keyring helper, its functionality will be unavailable: KeyringError(Os { code: 38, kind: Unsupported, message: "Function not implemented" })
WARN  2022-05-20T22:29:11.534 1Password Application Keyring Manager(ThreadId(14)) [1P:foundation/op-linux/src/kernel_keyring.rs:89] 1Password's application keyring failed to initialize (KeyringError(Os { code: 38, kind: Unsupported, message: "Function not implemented" })), its functionality will be unavailable
WARN  2022-05-20T22:29:15.416 ThreadId(7) [1P:op-app/src/app.rs:275] Application binary and/or it's directory was moved or replaced, exiting.

I submitted an ssh-diagnostics zip. I mentioned there but I will here as well, this is in Debian 11 in a Crostini VM on ChromeOS 101.0.4951.59.