Git and Azure DevOPS: agent refused operation

[Deleted User] · March 2022

I struggle getting my GIT repositories in Azure working with 1Password keeping my SSH keys. Beside that Azure does not support Ed25519 keys (sigh), so I had to create a RSA key for it, authentication with it fails as soon as I activate the two lines for "Host *" and "IdentityAgent" pointing to the 1Password socket:
--- 8< ---
sign_and_send_pubkey: signing failed for RSA "/Users/myuser/.ssh/id_rsa_azure.pub" from agent: agent refused operation
--- 8< ---
(it also fails without setting IdentityFile and IdentitiesOnly btw.)

Exporting the key and using old fashioned file based key authentication works though.

Working with other GIT servers works, so I think this is a "Azure-Thing".

1Password Version: 8.7.0 (80700012)
Extension Version: Not Provided
OS Version: 12.2.1 (21D62)

floris_1P · March 2022

Yes, this is because Azure DevOps only supports legacy ssh-rsa SHA-1 signatures. We're working on adding support for those as well.

billwu · May 2022

Hi,

I think i've created a ssh-rsa key for azure devops now, however i'm getting the same error. Is this issue fixed yet?

[Deleted User] · May 2022

AFAIK there is no support for Azure DevOPS (or the other way around: Azure DevOPS doesn't support the better algorithms) yet. My workaround: I added the following to my .ssh/config file:

Host ssh.dev.azure.com
IdentityFile ~/.ssh/id_rsa
IdentitiesOnly yes
IdentityAgent /private/tmp/com.apple.launchd.znyst9AFDG/Listeners

zigford · August 2022

Anyone know what the workaround would be on Linux?
I have the identity file in ~/.ssh, but it seems no matter what I do, the 1password SSH agent is taking over.

SSH_AUTH_SOCK="" git fetch
sign_and_send_pubkey: signing failed for RSA "/home/user/.ssh/id_rsa" from agent: agent refused operation

zigford · August 2022

I figured out I can just define this ssh config above the Host * IdentityAgent in ~/.ssh/config to workaround

MartonS1P · August 2022

Glad you found a solution, @zigford. And thanks for sharing it!

zigford · August 2022

Update. Don't know why, but my workaround stopped working.
New workaround that is working currently:

Define the following above the IdentityAgent definition, so the ~/.ssh/config should look like this:

Host ssh.dev.azure.com
    HostName ssh.dev.azure.com
    User git
    IdentityFile ~/.ssh/id_rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa
    IdentitiesOnly yes
    IdentityAgent /dev/null
Host *
    IdentityAgent ~/.1password/agent.sock
    AddKeysToAgent yes

MartonS1P · August 2022

Hi @zigford!

As of the latest nightly release, 1Password supports ssh-rsa (SHA-1). So if you update to the latest nightly you can also store your Azure DevOPS SSH key in 1Password.

XIII · August 2022

Excellent news. Thank you!

zigford · August 2022

Thanks @MartonS1P, can you point me in the direction of the nightly releases? I've googled around and cannot find it. I'm on Linux.

MartonS1P · August 2022

Hi @zigford,

You can follow the instructions outlined here: https://support.1password.com/install-linux/#debian-or-ubuntu and replace "stable" with "edge" when adding the 1Password apt repository.

Let me know if you have other questions or run into any other issues!

zigford · August 2022

Nice. I have installed the latest beta which has this feature.
It is working, but I had to download the public key and set it up like this:

Host *
    IdentityAgent ~/.1password/agent.sock
    AddKeysToAgent yes
Host ssh.dev.azure.com
    HostName ssh.dev.azure.com
    User git
    PubkeyAcceptedAlgorithms ssh-rsa
    HostkeyAlgorithms ssh-rsa
    IdentityFile ~/.ssh/harrisj@19wbpf2-gentoo.pub
    IdentitiesOnly yes

Git and Azure DevOPS: agent refused operation

Comments