Has anyone looked into supporting the SSH Agent with the Chromebook Linux environment?

deinspanjer
Community Member

I make use of my Chromebook as a lightweight development machine rather than lugging my MacBook Pro around when most of what I need to do is SSH into servers and edit stuff.

I've recently been able to set up and use the 1Password SSH Key Agent with OSX and have been very happy with it. I was hoping I might be able to do the same thing with the Linux environment in my Chromebook.

First thing I did was follow the instructions to install 1Password 8 for Linux, and that seems to work great.
Next, I enabled the agent in 1Password and added the socket to my .ssh/config file. 1Password recognizes it as being set up when I look at the settings.

However, when I try to ssh into a machine, I get an error: sign_and_send_pubkey: signing failed for ED25519 "id_ed25519" from agent: agent refused operation

If I run ssh with -vv, I can confirm the fact that the agent sees the request and enumerates the keys, negotiating the proper key with the server, but this error shows up right after that negotiation.

It seems like it is really close to working, and might just need a dev with a Chromebook to poke around a bit to see what is happening.

I tried to use the view logs option in the Linux app, but that didn't work. I opened the log file directly and found the error lines related to the SSH agent as well as the error that happened when I tried to open the log files in the app. Both errors are included below.

agent related log lines:

INFO  2022-08-06T17:53:09.466 tokio-runtime-worker(ThreadId(8)) [1P:foundation/op-sys-info/src/process_information/linux.rs:367] no GUI info available to determine top level parent
WARN  2022-08-06T17:53:09.467 tokio-runtime-worker(ThreadId(8)) [1P:foundation/op-sys-info/src/process_information/linux.rs:247] binary permission verification failed for /opt/google/cros-containers/lib/ld-linux-x86-64.so.2
WARN  2022-08-06T17:53:09.467 tokio-runtime-worker(ThreadId(8)) [1P:foundation/op-sys-info/src/process_information/linux.rs:247] binary permission verification failed for /opt/google/cros-containers/lib/ld-linux-x86-64.so.2
INFO  2022-08-06T17:53:09.468 tokio-runtime-worker(ThreadId(6)) [1P:ssh/op-ssh-agent/src/lib.rs:419] Session was not authorized

open log file error log lines:

ERROR 2022-08-06T17:53:55.352 tokio-runtime-worker(ThreadId(1)) [1P:op-app/src/app/backend.rs:213] AppError at op-app/src/app/backend/logs_directory.rs:25:9
Reveal(LinuxError(Dbus(MethodError("org.freedesktop.DBus.Error.ServiceUnknown", Some("The name org.freedesktop.FileManager1 was not provided by any .service files"), Msg { type: Error, sender: "org.freedesktop.DBus", reply-serial: 2, body: Signature: [
        s (115),
] }))))

Stack backtrace:
   0: <core::future::from_generator::GenFuture<T> as core::future::future::Future>::poll
   1: <core::future::from_generator::GenFuture<T> as core::future::future::Future>::poll
   2: tokio::runtime::task::core::CoreStage<T>::poll
   3: tokio::runtime::task::harness::poll_future
   4: tokio::runtime::task::harness::Harness<T,S>::poll
   5: std::thread::local::LocalKey<T>::with
   6: tokio::runtime::thread_pool::worker::Context::run_task
   7: tokio::runtime::thread_pool::worker::Context::run
   8: tokio::macros::scoped_tls::ScopedKey<T>::set
   9: tokio::runtime::thread_pool::worker::run
  10: <tokio::runtime::blocking::task::BlockingTask<T> as core::future::future::Future>::poll
  11: std::panicking::try
  12: tokio::runtime::task::harness::Harness<T,S>::poll
  13: tokio::runtime::blocking::pool::Inner::run
  14: std::sys_common::backtrace::__rust_begin_short_backtrace
  15: core::ops::function::FnOnce::call_once{{vtable.shim}}
  16: <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once
             at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/alloc/src/boxed.rs:1861:9
      <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once
             at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/alloc/src/boxed.rs:1861:9
      std::sys::unix::thread::Thread::new::thread_start
             at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/sys/unix/thread.rs:108:17
  17: start_thread
  18: clone

1Password Version: 8.8.0
Extension Version: Not Provided
OS Version: ChromeOS 104.0.5112.83 (Official Build)
Browser: Not Provided
Referrer: forum-search:Chromebook

Comments

  • Hi @deinspanjer! We have not yet tested the SSH agent in a Chromebook Linux environment. Thanks for trying it out and for reporting your findings. It seems that the error you're encountering is caused by the 1Password desktop app not being able to obtain the required process information about the app requesting SSH access. The app needs this information to enforce the authorization model described in the docs.

    Unfortunately, there is probably not a lot you can do to address this issue. For us, it would be interesting to know what window manager is being used in your Chromebook Linux environment. Moreover, could you submit an SSH prompting diagnostics report as described here: https://developer.1password.com/docs/ssh/agent/troubleshooting/ ?

    I can't promise an easy fix, but given this information we can better assess what it takes to add support for this and we can consider doing so in the future.

  • eh1921890
    Community Member

    I'm also encountering something similar, but with just doing an op vault ls.


  • Hi @eh1921890:

    As my colleague Marton mentioned, are you able to share which window manager you're using?

    Jack

  • kriscarle
    Community Member

    @Jack.P_1P Looks like ChromeOS uses Wayland with a custom interface called Sommelier; they explain the implementation here: https://chromeos.dev/en/posts/integrating-steam-into-chromeos and https://chromium.googlesource.com/chromiumos/platform2/+/HEAD/vm_tools/sommelier/

    Hope that helps! I'm getting the "agent refused operation" as well.
    1Password for Linux 8.9.14 (80914009)
    ChromeOS: 110.0.5481.41 (beta) with Linux VM: Ubuntu 20.04.4 LTS

  • kriscarle
    Community Member

    I also followed the instructions from @MartonS1P and got the ssh-diagnostics by installing the beta version: 8.10.0 (81000020)

    Here are the two files generated in the ssh-diagnostics folder. They don't seem very interesting in this case, but here they are in case it helps.

    {
      "sid": 838,
      "processes": [
        {
          "pid": 1589,
          "command_line": [
            "ssh",
            "root@<redacted:host>"
          ],
          "executable_path": "/usr/bin/ssh",
          "integrity": {
            "is_root_owned": true
          },
          "tty": "pts/1"
        },
        {
          "pid": 838,
          "command_line": [
            "-bash"
          ],
          "executable_path": "/usr/bin/bash",
          "integrity": {
            "is_root_owned": true
          },
          "tty": "pts/1"
        },
        {
          "pid": 835,
          "command_line": [
            "/opt/google/cros-containers/bin/../lib/ld-linux-x86-64.so.2",
            "--argv0",
            "/opt/google/cros-containers/bin/vshd",
            "--library-path",
            "/opt/google/cros-containers/bin/../lib",
            "--inhibit-rpath",
            "/opt/google/cros-containers/bin/vshd.elf",
            "--inherit_env",
            "--forward_to_host_port=3255544555"
          ],
          "executable_path": "/opt/google/cros-containers/lib/ld-linux-x86-64.so.2",
          "integrity": {
            "is_root_owned": false
          }
        },
        {
          "pid": 591,
          "command_line": [
            "/opt/google/cros-containers/bin/../lib/ld-linux-x86-64.so.2",
            "--argv0",
            "/opt/google/cros-containers/bin/garcon",
            "--library-path",
            "/opt/google/cros-containers/bin/../lib",
            "--inhibit-rpath",
            "/opt/google/cros-containers/bin/garcon.elf",
            "--server"
          ],
          "executable_path": "/opt/google/cros-containers/lib/ld-linux-x86-64.so.2",
          "integrity": {
            "is_root_owned": false
          }
        },
        {
          "pid": 207,
          "command_line": [
            "/lib/systemd/systemd",
            "--user"
          ],
          "executable_path": "/usr/lib/systemd/systemd"
        }
      ]
    }
    
    
    {
      "pid": 835,
      "tty_pid": 838,
      "executable_path": "/opt/google/cros-containers/lib/ld-linux-x86-64.so.2",
      "command_line": [
        "/opt/google/cros-containers/bin/../lib/ld-linux-x86-64.so.2",
        "--argv0",
        "/opt/google/cros-containers/bin/vshd",
        "--library-path",
        "/opt/google/cros-containers/bin/../lib",
        "--inhibit-rpath",
        "/opt/google/cros-containers/bin/vshd.elf",
        "--inherit_env",
        "--forward_to_host_port=3255544555"
      ],
      "application_name": "ld-linux-x86-64.so.2"
    }
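
A triage helper for the diagnostics posted above, as an added example that is not part of the thread or of 1Password's code: it lists the processes in the reported chain whose entry is not marked root-owned and matches them against the "binary permission verification failed" warnings in the first post's log. Treating a missing `integrity` object as unverified is an assumption, and the sample data is abridged from the posts.

```python
import json
import re

# Constructed sample: the first diagnostics file from the post above, abridged
# to the fields used here (command lines and tty dropped).
REPORT = json.loads("""
{"sid": 838, "processes": [
  {"pid": 1589, "executable_path": "/usr/bin/ssh", "integrity": {"is_root_owned": true}},
  {"pid": 838, "executable_path": "/usr/bin/bash", "integrity": {"is_root_owned": true}},
  {"pid": 835, "executable_path": "/opt/google/cros-containers/lib/ld-linux-x86-64.so.2",
   "integrity": {"is_root_owned": false}},
  {"pid": 591, "executable_path": "/opt/google/cros-containers/lib/ld-linux-x86-64.so.2",
   "integrity": {"is_root_owned": false}},
  {"pid": 207, "executable_path": "/usr/lib/systemd/systemd"}
]}
""")

# Constructed sample: two lines from the first post's log, thread names dropped.
LOG = """\
WARN  2022-08-06T17:53:09.467 [1P:foundation/op-sys-info/src/process_information/linux.rs:247] binary permission verification failed for /opt/google/cros-containers/lib/ld-linux-x86-64.so.2
INFO  2022-08-06T17:53:09.468 [1P:ssh/op-ssh-agent/src/lib.rs:419] Session was not authorized
"""

FAILED_RE = re.compile(r"binary permission verification failed for (\S+)")

def unverified(report):
    """Return (pid, path, reason) for chain entries not marked root-owned."""
    findings = []
    for proc in report.get("processes", []):
        integrity = proc.get("integrity")
        if integrity is None:
            reason = "no integrity data"  # assumption: treat as unverified
        elif integrity.get("is_root_owned") is not True:
            reason = "not root-owned"
        else:
            continue
        findings.append((proc["pid"], proc.get("executable_path", "?"), reason))
    return findings

def logged_failures(log_text):
    """Set of executable paths named in verification-failure warnings."""
    return set(FAILED_RE.findall(log_text))

def correlate(report, log_text):
    """PIDs in the chain whose executable also appears in a failure warning."""
    failed = logged_failures(log_text)
    return [pid for pid, path, _ in unverified(report) if path in failed]

if __name__ == "__main__":
    for pid, path, reason in unverified(REPORT):
        print(f"pid {pid}: {path} ({reason})")
    print("also named in log warnings:", correlate(REPORT, LOG))
```
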
    
  • Hi @kriscarle:

    Thanks for sharing your SSH diagnostics. I'll share them with the team as we continue to investigate support for 1Password SSH agent on Chromebooks.

    Jack

  • kriscarle
    Community Member

    Good news, @deinspanjer and @eh1921890: the SSH agent just started working for me with beta version 8.10.5 (81005010) on Chrome OS 113.0.5672.21 beta. I opened 1Password and unlocked my vault, then when running ssh in the terminal I got a popup window from 1Password to authorize.

  • @kriscarle Great to hear that it works now!

This discussion has been closed.