"signing failed: agent refused operation" error occurs

Options
masaahide
masaahide
Community Member
edited March 2022 in SSH

When connecting to sshd on CentOS6 from MacOS using ssh-agent with 1password, the connection fails with the error "sign_and_send_pubkey: signing failed: agent refused operation".

I have summarized the code and how to reproduce it in Docker at https://github.com/masahide/1pass-agent-refused

1Password Version: 80700031, on NIGHTLY channel
Extension Version: Not Provided
OS Version: MacOS11.6.1

Comments

  • floris_1P
    floris_1P
    Options

    Do you see anything appear in the logs when you invoke the SSH command? On macOS: ~/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data/logs/1Password_rCURRENT.log

  • masaahide
    masaahide
    Community Member
    Options

    The following error was output

    ERROR 2022-04-01T09:02:08.087 tokio-runtime-worker(ThreadId(4)) [1P:/Users/builder/builds/BhfSvM9x/0/dev/core/core/ssh/op-ssh-agent/src/lib.rs:377] Error handling sign request: Key(signing with ssh-rsa is unsupported; SHA-1 may be insecure)
  • masaahide
    masaahide
    Community Member
    Options

    https://1password.community/discussion/comment/632712/#Comment_632712
    This seems to be the problem.

    However, the
    It is hard not to be able to log in to an old server that uses ssh-rsa, so I would like to have the ability to allow the use of ssh-rsa at your peril through options or other means.

  • floris_1P
    floris_1P
    Options

    Yes, I understand. For that exact reason we're working on adding ssh-rsa support to the agent.

  • Techrocket9
    Techrocket9
    Community Member
    Options

    Similar to @masaahide, this is blocking my ability to use the 1Password SSH Agent in my real workflow.

  • Daveeeee
    Daveeeee
    Community Member
    edited April 2022
    Options

    I have my whole development environment on a Windows 11 VM. I have linked this to a Microsoft account and use Windows Hello.

    As soon as I use the functionality via RDP on the machine, I get the following error message:
    sign_and_send_pubkey: signing failed: agent refused operation

    With ssh-add -l I see the keys which are stored in 1Password. If I connect to the machine via Proxmox console with VNC and then connect to a machine via SSH, the connection works. I think Windows blocks the Windows 11 Hello Promt with an active RDP session.

    Ideas?

  • floris_1P
    floris_1P
    Options

    @Daveeeee Do you see anything appear in the 1Password logs when you run the failing SSH command? On Windows: %LOCALAPPDATA%/1Password/logs

  • Daveeeee
    Daveeeee
    Community Member
    Options

    @floris_1P

    Log:
    INFO 2022-04-12T09:26:06.207 tokio-runtime-worker(ThreadId(4)) [status:op-app\src\app\backend\updater.rs:204] No Beta updates found for 80700041
    WARN 2022-04-12T18:02:40.665 op_executor:invocation_loop(ThreadId(8)) [1P:op-app\src\app\backend\lock_screen.rs:65] Biometry is unavailable: BiometryUnavailable
    INFO 2022-04-12T18:02:43.741 tokio-runtime-worker(ThreadId(1)) [1P:op-data-layer\src\load.rs:143] loaded 292 items in 5 vaults for account: LV3D2TG5KZBDTFRQDSPZGC2GFU
    INFO 2022-04-12T18:02:43.745 op_executor:invocation_loop(ThreadId(8)) [1P:op-app\src\app\backend\unlock.rs:86] Lock state changed: Unlocked
    INFO 2022-04-12T18:02:43.781 op_executor:invocation_loop(ThreadId(8)) [1P:op-app\src\app\backend\frontend.rs:24] Front end event: window closed
    INFO 2022-04-12T18:02:44.579 tokio-runtime-worker(ThreadId(2)) [1P:op-b5-client\src\internal\unauthorized_session.rs:753] Verifying MFA with server...
    INFO 2022-04-12T18:02:44.714 tokio-runtime-worker(ThreadId(2)) [1P:op-b5-client\src\internal\unauthorized_session.rs:423] Server verification successful
    WARN 2022-04-12T18:02:44.714 tokio-runtime-worker(ThreadId(2)) [1P:op-b5-client\src\internal\unauthorized_session.rs:439] Server did not give us a dsecret
    INFO 2022-04-12T18:02:44.993 tokio-runtime-worker(ThreadId(4)) [1P:op-syncer\src\sync_job.rs:276] synced account LV3D2TG5KZBDTFRQDSPZGC2GFU (0.2794428s)
    INFO 2022-04-12T18:02:44.994 tokio-runtime-worker(ThreadId(4)) [1P:op-data-layer\src\file.rs:608] find_and_complete_pending_uploads: 'LV3D2TG5KZBDTFRQDSPZGC2GFU'
    INFO 2022-04-12T18:02:45.112 tokio-runtime-worker(ThreadId(2)) [1P:op-data-layer\src\sync.rs:513] The B5 Notifier for (LV3D2TG5KZBDTFRQDSPZGC2GFU) has connected, now monitoring for events.
    INFO 2022-04-12T18:05:27.764 tokio-runtime-worker(ThreadId(2)) [1P:ssh\op-ssh-agent\src\lib.rs:388] Session was not authorized
    INFO 2022-04-12T18:05:27.801 tokio-runtime-worker(ThreadId(1)) [1P:ssh\op-ssh-agent\src\lib.rs:388] Session was not authorized
    INFO 2022-04-12T18:07:50.771 tokio-runtime-worker(ThreadId(2)) [1P:ssh\op-ssh-agent\src\lib.rs:388] Session was not authorized

  • floris_1P
    floris_1P
    Options

    @Daveeeee Unfortunately, using the agent over RDP is not supported at the moment, but it is something we're looking into.

  • floris_1P
    floris_1P
    Options

    @masaahide @Techrocket9 Happy to announce that the latest 1Password beta now supports ssh-rsa connections!

  • masaahide
    masaahide
    Community Member
    Options

    Thanks for getting back to me.

This discussion has been closed.