SSH Agent: agent refused operation

rgruyters · September 2022

When trying to use SSH Agent with 1Password on my Ubuntu system (22.04) I get the following message:

sign_and_send_pubkey: signing failed for ED25519 "SSH Key" from agent: agent refused operation

I can see my SSH key with ssh-add -l, but when trying to use it, it doesn't work. The SSH key works fine on my Mac.
Tried rebooting the system, but no luck.

Here is some trace logging from 1password:

DEBUG 2022-09-08T20:44:42.058 tokio-runtime-worker(ThreadId(1)) [1P:ssh/op-ssh-agent/src/lib.rs:194] connection received
DEBUG 2022-09-08T20:44:42.059 tokio-runtime-worker(ThreadId(1)) [1P:ssh/op-ssh-agent/src/lib.rs:379] Handling SSH agent message: RequestIdentities
TRACE 2022-09-08T20:44:42.059 ThreadId(7) [1P:op-db/src/db.rs:284] >transaction #49 (db:Db(0x7fb48a46f5a0, /home/robin/.config/1Password/1password.sqlite))
TRACE 2022-09-08T20:44:42.059 ThreadId(7) [1P:op-db/src/db.rs:284] <transaction #49 (db:Db(0x7fb48a46f5a0, /home/robin/.config/1Password/1password.sqlite)) (0.000s)
TRACE 2022-09-08T20:44:42.059 ThreadId(7) [1P:op-db-queue/src/operations.rs:1262] >transaction #tx#49(get_objects_by)
DEBUG 2022-09-08T20:44:42.059 ThreadId(7) [1P:op-db/src/transaction.rs:57] COMMIT(tx#49(get_objects_by))
TRACE 2022-09-08T20:44:42.059 ThreadId(7) [1P:op-db-queue/src/operations.rs:1262] <transaction #tx#49(get_objects_by) (0.000s)
DEBUG 2022-09-08T20:44:42.337 tokio-runtime-worker(ThreadId(1)) [1P:ssh/op-ssh-agent/src/lib.rs:379] Handling SSH agent message: SignRequest
DEBUG 2022-09-08T20:44:42.338 tokio-runtime-worker(ThreadId(1)) [1P:foundation/op-sys-info/src/process_information/linux.rs:57] no process path could be found during verification
DEBUG 2022-09-08T20:44:42.346 tokio-runtime-worker(ThreadId(1)) [1P:ssh/op-ssh-agent/src/lib.rs:400] process info for client: SessionProcess { pid: 2521, tty_pid: Some(2523), executable_path: /usr/bin/kitty, command_line: <Vec < String >>, application_name: <String> }
TRACE 2022-09-08T20:44:42.347 ThreadId(7) [1P:op-db/src/db.rs:284] >transaction #50 (db:Db(0x7fb48a46f5a0, /home/robin/.config/1Password/1password.sqlite))
TRACE 2022-09-08T20:44:42.347 ThreadId(7) [1P:op-db/src/db.rs:284] <transaction #50 (db:Db(0x7fb48a46f5a0, /home/robin/.config/1Password/1password.sqlite)) (0.000s)
TRACE 2022-09-08T20:44:42.347 ThreadId(7) [1P:op-db-queue/src/operations.rs:1262] >transaction #tx#50(get_objects_by)
DEBUG 2022-09-08T20:44:42.347 ThreadId(7) [1P:op-db/src/transaction.rs:57] COMMIT(tx#50(get_objects_by))
TRACE 2022-09-08T20:44:42.347 ThreadId(7) [1P:op-db-queue/src/operations.rs:1262] <transaction #tx#50(get_objects_by) (0.000s)
TRACE 2022-09-08T20:44:42.348 op_executor:invocation_loop(ThreadId(11)) [1P:op-app/src/app/backend.rs:217] >blocking event loop invoke Invocation(Internal(NextTick(op-app/src/app/backend/automated_unlock.rs:28)))
TRACE 2022-09-08T20:44:42.348 op_executor:invocation_loop(ThreadId(11)) [1P:op-app/src/app/backend.rs:217] <blocking event loop invoke Invocation(Internal(NextTick(op-app/src/app/backend/automated_unlock.rs:28))) (0.000s)
TRACE 2022-09-08T20:44:42.358 tokio-runtime-worker(ThreadId(1)) [1P:op-data-layer/src/unlock.rs:215] >unlock_with_key
TRACE 2022-09-08T20:44:42.370 tokio-runtime-worker(ThreadId(1)) [1P:op-data-layer/src/unlock.rs:215] <unlock_with_key (0.012s)
DEBUG 2022-09-08T20:44:42.370 tokio-runtime-worker(ThreadId(1)) [1P:op-automated-unlock/src/lib.rs:552] Denied
INFO  2022-09-08T20:44:42.370 tokio-runtime-worker(ThreadId(1)) [1P:ssh/op-ssh-agent/src/lib.rs:419] Session was not authorized

1Password Version: 8.9.4
Extension Version: Not Provided
OS Version: Ubuntu 22.04
Browser:_ Not Provided

donbeave · November 2022

Same on the latest macOS Ventura 13.0 (22A380)

sign_and_send_pubkey: signing failed for ED25519 "donbeave SSH" from agent: agent refused operation

And 1Password log file contains such error message:

INFO 2022-11-12T04:18:02.059 tokio-runtime-worker(ThreadId(2)) [1P:ssh/op-ssh-agent/src/lib.rs:450] Session was not authorized

Dayton_ag · November 2022

Hey y'all, I'm sorry for the delay here. I've had a hand at reproducing this and I've noticed that I can recreate this set of logs when I boot up and try an SSH command, without unlocking 1Password. When trying the SSH command, is 1Password currently locked and minimized to your menu / system tray? If so, does the 1Password app open when you run your SSH command, or does it remain locked in the background?

The next time you run into this issue, could you open the 1Password desktop app, sign in, then re-run your SSH command and let me know if you see an improvement?

Thanks y'all!

iono · December 2022

Thank you @Dayton_ag. I've been attempting to solve my issues with 1Password & SSH. I followed all instructions on the docs and got the same error "Session was not authorized" in my logs. After countless attempts at fixing it, and many other one line commands later. The only thing that fixed it was locking 1Password desktop app, then signing back into the application using Windows Hello. This then gave me the option of using my bio metrics to sign git, and use ssh.

This I believe was due to the fact I had already signed in to 1Password desktop app previously, and enabled SSH access, in order for it to work and authenticate properly I had to lock and re sign in like you suggested to donbeave.

Dayton_ag · December 2022

Hey @iono thanks for following up, and for sharing what got things working for you! This was likely needed to facilitate the Hello authorization prompts. Nonetheless, I'm glad to hear the SSH Agent is working for you now! 🙂

jumar · May 2023

UPDATE: I had to restart my computer
It would be helpful to mention this in the official instructions.

I'm facing the same problem on macOS 13.3.1 (a).
No matter what I try to do I always get this error when doing git fetch from a github repo

    sign_and_send_pubkey: signing failed for ED25519 "/Users/jumar/Downloads/id_ed25519.pub" from agent: agent refused operation

1Password log contains these messages:

    INFO  2023-05-18T09:47:11.828 tokio-runtime-worker(ThreadId(8)) [1P:foundation/op-sys-info/src/process_information/macos/non_app_store.rs:86] failed to find NSApplication related to pid 3960
    INFO  2023-05-18T09:47:11.837 tokio-runtime-worker(ThreadId(1176)) [1P:foundation/op-apple/src/biometry_service.rs:308] System biometry info: BiometricStatus { current_policy: BiometricsOnly, current_method: TouchId, current_availability: NotEnrolled }
    INFO  2023-05-18T09:47:15.074 tokio-runtime-worker(ThreadId(3)) [1P:ssh/op-ssh-agent/src/lib.rs:541] Session was not authorized

Even if my 1Password app is opened and unlocked it's still the same error.

More SSH logs:

debug1: Next authentication method: publickey
debug1: Offering public key: /Users/jumar/Downloads/id_ed25519.pub ED25519 SHA256:As31qZ4Rff4WbHnS6nikN84c+FRxbMERDnvYIgexE8c explicit agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /Users/jumar/Downloads/id_ed25519.pub ED25519 SHA256:As31qZ4Rff4WbHnS6nikN84c+FRxbMERDnvYIgexE8c explicit agent
debug3: sign_and_send_pubkey: using publickey with ED25519 SHA256:As31qZ4Rff4WbHnS6nikN84c+FRxbMERDnvYIgexE8c
debug3: sign_and_send_pubkey: signing using ssh-ed25519 SHA256:As31qZ4Rff4WbHnS6nikN84c+FRxbMERDnvYIgexE8c
sign_and_send_pubkey: signing failed for ED25519 "/Users/jumar/Downloads/id_ed25519.pub" from agent: agent refused operation

floris_1P · May 2023

@jumar Which 1Password version are you on?

jumar · May 2023

@floris_1P this is my version at the moment:
1Password for Mac 8.10.6
81006027, on PRODUCTION channel

As I said, the problem was fixed after restarting the computer but it was a bit unintuitive.

SSH Agent: agent refused operation

Comments