No fingerprint prompt when SSHing
Hi,
I've gone over the doc multiple times but can't seem to get it to work. I settled on a per key activation to avoid impacting my work. When I look in the logs I can see
INFO 2022-07-07T09:32:05.815 tokio-runtime-worker(ThreadId(12)) [1P:ssh/op-agent-controller/src/desktop.rs:332] SSH Agent has started.
but nothing shows in the logs when I ssh. I get no fingerprint prompt and thus
$ ssh linode
jdoe@123.123.123.123: Permission denied (publickey,keyboard-interactive).
This is what I have in my .ssh/config
Host linode
User jdoe
Hostname 123.123.123.123
IdentitiesOnly yes
IdentityAgent "~/ecosta/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
If I do the following, I can see the ssh keys list stored in 1P
export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock
ssh-add -l
If I run an ssh to linode with or without exporting the SSH_AUTH_SOCK, I still get the same result. No prompt.
I just noted that if I save a change in .ssh/config I get the following log message:
INFO 2022-07-07T10:21:38.998 notify-rs fsevents loop(ThreadId(23)) [1P:ssh/op-ssh-config/src/lib.rs:231] agent not configured
I tried importing a key or generating one but nothing seems to do it. Why am I not getting a prompt? Could you help me solve the problem?
Thanks.
1Password Version: 8.7.3
Extension Version: Not Provided
OS Version: macOS 12.4
Browser: Not Provided
Comments
-
Could you try changing the socket path in your ~/.ssh/config to:
IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
0 -
Hi @floris_1P ,
thanks for helping out. I fixed my typo (thanks for that) and did all the steps again in the following order:
- Enabled 1P SSH agent
- Logged into Linode and generated an SSH Key
- Tried to log in via ssh without success. Same problem, no prompt.
My Linode ssh config:
Host linode
  User jdoe
  Hostname 123.123.123.123
  IdentitiesOnly yes
  IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
I did not export SSH_AUTH_SOCK as I guess I don't need it if I use the agent.sock in the ssh config.
I do however have the following settings which might affect things, what do you think? Disabling the below doesn't seem to improve anything.
Host *
  UseKeychain yes
  AddKeysToAgent yes
  TCPKeepAlive yes
  ServerAliveInterval 59
  ServerAliveCountMax 3
I also do the following check which all seems ok
$ ssh-add -l
256 SHA256:PfY15ZT3nH123123EcR7UdPSrJ+rtufgqf5CMDYKXYw aws (ED25519)
$ SSH_AUTH_SOCK=~/.1password/agent.sock ssh-add -l
256 SHA256:hE2UmRsuU123123xDFNeshruftNhRCiHblPEOXhL4c Linode (ED25519)
What am I missing?
0 -
Could you share your ssh -v output? And with the typo now fixed, do you see anything appear in the 1Password logs when you run the failing SSH command?
0 -
Hi @floris_1P ,
Nothing showing up in the logs. This is my output:
$ ssh -v linode
OpenSSH_8.6p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/jdoe/.ssh/config
debug1: /Users/jdoe/.ssh/config line 1: Applying options for *
debug1: /Users/jdoe/.ssh/config line 12: Applying options for linode
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to 123.123.123.123 [123.123.123.123] port 22.
debug1: Connection established.
debug1: identity file /Users/jdoe/.ssh/id_rsa type -1
debug1: identity file /Users/jdoe/.ssh/id_rsa-cert type -1
debug1: identity file /Users/jdoe/.ssh/id_dsa type -1
debug1: identity file /Users/jdoe/.ssh/id_dsa-cert type -1
debug1: identity file /Users/jdoe/.ssh/id_ecdsa type -1
debug1: identity file /Users/jdoe/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/jdoe/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/jdoe/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/jdoe/.ssh/id_ed25519 type -1
debug1: identity file /Users/jdoe/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/jdoe/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/jdoe/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/jdoe/.ssh/id_xmss type -1
debug1: identity file /Users/jdoe/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8
debug1: compat_banner: match: OpenSSH_8.8 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 123.123.123.123:22 as 'jdoe'
debug1: load_hostkeys: fopen /Users/jdoe/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:0WN3ivkenyByHO3n9/LAMTDMBF7ShbxxBbtk3CJCrY0
debug1: load_hostkeys: fopen /Users/jdoe/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: checking without port identifier
debug1: load_hostkeys: fopen /Users/jdoe/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '123.123.123.123' is known and matches the ED25519 host key.
debug1: Found key in /Users/jdoe/.ssh/known_hosts:445
debug1: found matching key w/out port
debug1: check_host_key: hostkey not known or explicitly trusted: disabling UpdateHostkeys
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /Users/jdoe/.ssh/id_rsa
debug1: Will attempt key: /Users/jdoe/.ssh/id_dsa
debug1: Will attempt key: /Users/jdoe/.ssh/id_ecdsa
debug1: Will attempt key: /Users/jdoe/.ssh/id_ecdsa_sk
debug1: Will attempt key: /Users/jdoe/.ssh/id_ed25519
debug1: Will attempt key: /Users/jdoe/.ssh/id_ed25519_sk
debug1: Will attempt key: /Users/jdoe/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/jdoe/.ssh/id_rsa
debug1: Trying private key: /Users/jdoe/.ssh/id_dsa
debug1: Trying private key: /Users/jdoe/.ssh/id_ecdsa
debug1: Trying private key: /Users/jdoe/.ssh/id_ecdsa_sk
debug1: Trying private key: /Users/jdoe/.ssh/id_ed25519
debug1: Trying private key: /Users/jdoe/.ssh/id_ed25519_sk
debug1: Trying private key: /Users/jdoe/.ssh/id_xmss
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
jdoe@123.123.123.123: Permission denied (publickey,keyboard-interactive).
0 -
Ah I see, you've set IdentitiesOnly yes for linode, try removing that line.
0 -
Hi @floris_1P,
I commented out IdentitiesOnly and ran the command again. Still no 1Password entries in 1Password.
$ ssh linode -v
OpenSSH_8.6p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/jdoe/.ssh/config
debug1: /Users/jdoe/.ssh/config line 1: Applying options for *
debug1: /Users/jdoe/.ssh/config line 12: Applying options for linode
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to 123.123.123.123 [123.123.123.123] port 22.
debug1: Connection established.
debug1: identity file /Users/jdoe/.ssh/id_rsa type -1
debug1: identity file /Users/jdoe/.ssh/id_rsa-cert type -1
debug1: identity file /Users/jdoe/.ssh/id_dsa type -1
debug1: identity file /Users/jdoe/.ssh/id_dsa-cert type -1
debug1: identity file /Users/jdoe/.ssh/id_ecdsa type -1
debug1: identity file /Users/jdoe/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/jdoe/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/jdoe/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/jdoe/.ssh/id_ed25519 type -1
debug1: identity file /Users/jdoe/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/jdoe/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/jdoe/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/jdoe/.ssh/id_xmss type -1
debug1: identity file /Users/jdoe/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8
debug1: compat_banner: match: OpenSSH_8.8 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 123.123.123.123:22 as 'jdoe'
debug1: load_hostkeys: fopen /Users/jdoe/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:0WN3ivkenyByHO3n9/LAMTDMBF7ShbxxBbtk3CJCrY0
debug1: load_hostkeys: fopen /Users/jdoe/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: checking without port identifier
debug1: load_hostkeys: fopen /Users/jdoe/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '123.123.123.123' is known and matches the ED25519 host key.
debug1: Found key in /Users/jdoe/.ssh/known_hosts:445
debug1: found matching key w/out port
debug1: check_host_key: hostkey not known or explicitly trusted: disabling UpdateHostkeys
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: Linode ED25519 SHA256:hE2UmRsuU5E12345DFNenxC4zILNhRCiHblPEOXhL4c agent
debug1: Will attempt key: /Users/jdoe/.ssh/id_rsa
debug1: Will attempt key: /Users/jdoe/.ssh/id_dsa
debug1: Will attempt key: /Users/jdoe/.ssh/id_ecdsa
debug1: Will attempt key: /Users/jdoe/.ssh/id_ecdsa_sk
debug1: Will attempt key: /Users/jdoe/.ssh/id_ed25519
debug1: Will attempt key: /Users/jdoe/.ssh/id_ed25519_sk
debug1: Will attempt key: /Users/jdoe/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: Linode ED25519 SHA256:hE2UmRsuU5E12345DFNenxC4zILNhRCiHblPEOXhL4c agent
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /Users/jdoe/.ssh/id_rsa
debug1: Trying private key: /Users/jdoe/.ssh/id_dsa
debug1: Trying private key: /Users/jdoe/.ssh/id_ecdsa
debug1: Trying private key: /Users/jdoe/.ssh/id_ecdsa_sk
debug1: Trying private key: /Users/jdoe/.ssh/id_ed25519
debug1: Trying private key: /Users/jdoe/.ssh/id_ed25519_sk
debug1: Trying private key: /Users/jdoe/.ssh/id_xmss
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
jdoe@123.123.123.123: Permission denied (publickey,keyboard-interactive).
This seems better. I checked the fingerprint in 1Password and it is the correct key but still no prompt.
debug1: Will attempt key: Linode ED25519 SHA256:hE2UmRsuU5E12345DFNenxC4zILNhRCiHblPEOXhL4c agent
On the subject of IdentitiesOnly, I had to add it because I have so many keys in .ssh. If I put all my keys (20 or so keys) in 1Password, will I not run into the same problem (Too many authentication failures) and if I can't use IdentitiesOnly, should I even try? Love what you are doing for SSH though.
I worked a bit more on it and added my NAS and RPI. I got them both working! I thought it might have something to do with the port on which SSH is listening but 1P also works when connecting to SSH on a port which is not 22. This is all very odd. I will continue trying to figure it out but the verdict for now is that it works on some ssh connections and not others.
0 -
Great to hear you got it working with your NAS and Pi! For the Linode server: looking at the logs, the public key now does get properly offered to the server, but it seems like the server doesn't accept it. DigitalOcean has some nice tips on troubleshooting SSH in their docs, which might help you out.
About IdentitiesOnly and the Too many authentication failures error, we have an article in our docs portal about that.
0 -
Hi @floris_1P, sorry for the late reply and thanks for the documentation. I'll implement the recommendations and read up on the DO doc. I'll get there, it's just a matter of finding the time to troubleshoot.
Thanks for your help!
0 -
@floris_1P , I found the problem and it was embarrassingly stupid of me. I simply forgot to add the pub key to the server. I was sure I'd added it but it seems I only had the original one there.
It all works great and I'm loving it. What a great feature!
Thanks for all your help.
0
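The three client-side states this thread passes through (no agent key considered, agent key offered but not accepted, agent key accepted) can be told apart from the ssh -v output alone. The Python below is an added example, not part of the original thread or of 1Password's tooling; the sample outputs and the fingerprint in it are constructed.

```python
# Classify OpenSSH client `ssh -v` output by how far an agent-held key got.
PREFIXES = {
    "debug1: Will attempt key: ": "candidate",
    "debug1: Offering public key: ": "offered",
    "debug1: Server accepts key: ": "accepted",
}

def parse_events(text):
    """Return (kind, fingerprint, from_agent) for each key-related debug1 line."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        for prefix, kind in PREFIXES.items():
            if line.startswith(prefix):
                tokens = line[len(prefix):].split()
                fp = next((t for t in tokens if t.startswith("SHA256:")), None)
                # Keys that came from an agent socket end with the word "agent".
                events.append((kind, fp, bool(tokens) and tokens[-1] == "agent"))
    return events

def diagnose(text):
    events = parse_events(text)
    def agent_fps(kind):
        return {fp for k, fp, from_agent in events if k == kind and from_agent}
    candidates, offered, accepted = map(agent_fps, ("candidate", "offered", "accepted"))
    if not candidates:
        return "agent-not-used"    # check IdentityAgent path and IdentitiesOnly
    if accepted:
        return "accepted"          # server knows the key; signing comes next
    if offered:
        return "offered-rejected"  # check authorized_keys on the server
    return "not-offered"           # auth ended before the agent key was tried

# Constructed sample outputs; the fingerprint is a placeholder, not a real key.
FP = "SHA256:CONSTRUCTEDexampleFINGERPRINT"
NO_AGENT = """\
debug1: Will attempt key: /Users/jdoe/.ssh/id_rsa
debug1: Trying private key: /Users/jdoe/.ssh/id_rsa
debug1: No more authentication methods to try.
"""
REJECTED = f"""\
debug1: Will attempt key: Linode ED25519 {FP} agent
debug1: Offering public key: Linode ED25519 {FP} agent
debug1: Authentications that can continue: publickey,keyboard-interactive
"""
ACCEPTED = f"""\
debug1: Will attempt key: Linode ED25519 {FP} agent
debug1: Offering public key: Linode ED25519 {FP} agent
debug1: Server accepts key: Linode ED25519 {FP} agent
"""

if __name__ == "__main__":
    for name, sample in (("no agent", NO_AGENT), ("rejected", REJECTED), ("accepted", ACCEPTED)):
        print(f"{name}: {diagnose(sample)}")
```

The OpenSSH client asks the agent for a signature only after the server has accepted an offered key, so an "offered-rejected" result points at the server's authorized_keys rather than at the agent.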