SSH Agent Error: "error: Error: AppError { error: could not authenticate with ssh agent ..."

ghostsghosts
Community Member
edited September 26 in SSH

Hi,

I've been using SSH agent in 1Password 8 for both signing my commits and for authentication (push/pull).

The past couple of days I've been having this issue on my intel mac where it would not authenticate with 1password.

This is the error

error: Error: AppError { error: could not authenticate with ssh agent, location: Location { file: "ssh/op-ssh-sign/src/ops.rs", line: 95, col: 37 } }

I tried it in multiple terminal emulators (iTerm, Alacritty, macOS Terminal).

The problem does not resolve when I restart my mac.

I tried enabling and disabling the SSH Agent but that didn't help. Would appreciate some help with this because it makes this feature unusable (I'm unable to make commits/push/pull).

Comments

  • jvacekjvacek
    Community Member

    Same as above, with the same line:col reference

  • jvacekjvacek
    Community Member

    Ok I worked around this by forcefully downgrading from the beta to production channel.

    I removed 1password 8 with CleanMyMac which sweeped up a lot of pref files, and then I also had to remove the whole container as described here https://1password.community/discussion/129617/update-from-beta-issues.

    After a re-install, I had a small issue with re-signing into the account when it offered it to me, so I just removed and re-added the offending one.

  • floris_1Pfloris_1P

    Team Member

    That is odd, does SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ssh-add -l still work and also show your signing key?

  • jvacekjvacek
    Community Member

    The problem manifested itself again for me, running the command above does show my keys but trying to make a git commit with the signing enabled will throw the same error

  • jvacekjvacek
    Community Member
    edited September 27

    ~Any way I can deliver you the diagnostics zip file securely?~ See below

  • jvacekjvacek
    Community Member

    I see this in the logs:
    WARN 2022-09-27T14:29:22.643 tokio-runtime-worker(ThreadId(4)) [1P:ssh/op-ssh-agent/src/lib.rs:428] failed to get private key from session

  • jvacekjvacek
    Community Member

    @floris_1P I've sent my full diagnostics zip to [email protected] with the subject:

    @Floris_1P: SSH Agent Error: "error: Error: AppError { error: could not authenticate with ssh agent ..."

  • floris_1Pfloris_1P

    Team Member

    Do you have multiple accounts in 1Password that have different account passwords? If so, could you try locking 1Password and unlocking the account that has the key you've specified in your Gitconfig?

  • jvacekjvacek
    Community Member

    Multiple accounts with different passwords are indeed at play here.

    The account that has the key was actually locked, which did not occur to me at all. When it is unlocked, it seems to work just fine.

  • floris_1Pfloris_1P

    Team Member

    Aha, that explains it. Properly handling these "partially locked" scenarios in the agent is something we're working on at the moment.

  • jvacekjvacek
    Community Member

    Good to know, thanks! I hope I didn't hijack @ghosts ' original issue though, it's possible they were experiencing the issue due to something else?

  • ghostsghosts
    Community Member

    My version:
    1Password for Mac 8.9.4, 80904044, on PRODUCTION channel
    Has 1 account only

    My mac info:
    macOS Monterey 12.6 (21G115) (Intel)

    The command does seem to list my keys:

    But commits/push/pull are still failing

    This issue is not present on my work computer (M1 mac laptop, running the same version of 1Password, with 2 accounts)

  • floris_1Pfloris_1P

    Team Member
    edited September 28

    Can you run this command from your repo directory:

    git config user.signingkey
    

    And confirm that that key is present in your ssh-add -L output?

  • ghostsghosts
    Community Member

    @floris_1P yes the output of those two commands contains the same key.

    Weirdly enough it's working correctly again on my personal computer, all without any change or even restart on my part.
    but started having this same error on my M1 work computer. Not sure what to think of this 🤔

    I'll try running those commands again on my work computer tomorrow and report back

  • floris_1Pfloris_1P

    Team Member

    If you still get the error on your work computer, could you see if there's anything in the 1Password logs when you run a failing command? Logs on macOS are here: ~/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data/logs/1Password_rCURRENT.log

  • uwsuws
    Community Member

    Hi @floris_1P – I am having the same issue as @ghosts. My intention is to simply use SSH for git (initially for one git user, and then later to add another). For now, I can't seem to get just one setup.

    Some knowns:

    • 1P is setup with two Organization accounts, one of which I am a member of, and another I am the owner of.
    • The key/signing in question are stored in a Private folder in the later (account that I own)
    • I am signed into both accounts on Mac M1 Desktop App

    Here are some relevant outputs if helpful:

    $ SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ssh-add -l

    256 SHA256:-----KAKmM Github Access (ED25519)
    256 SHA256:-----jNFvQ Github Signing (ED25519)
    

    $ git config user.signingkey

    ssh-ed25519 -----WOWk0
    
    

    $ssh-add -L

    The agent has no identities.

    $ .ssh % cat config

    Host *
        IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
    
    

    I'm happy to share known_hosts, known_hosts.old and id.rsa if needed as well.

    And same as @ghosts, I am encountering the same issue:

    error: Error: AppError { error: could not authenticate with ssh agent, location: Location { file: "ssh/op-ssh-sign/src/ops.rs", line: 95, col: 37 } }
    
    fatal: failed to write commit object
    

    Would love some help as when you google this only one result (this community page) appears.

    Thanks in advance!
    Jacob

  • floris_1Pfloris_1P

    Team Member

    @uws Does this command return your signing key?

    SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ssh-add -L | grep "$(git config user.signingkey)"
    

    If so, does anything appear in the 1Password logs when a commit fails? On macOS: ~/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data/logs/1Password_rCURRENT.log

  • uwsuws
    Community Member

    @floris_1P – thanks for your reply.

    This returns nothing:

    SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ssh-add -L | grep "$(git config user.signingkey)"
    
    

    This returns:
    zsh: no such file or directory: /path/to/dir

    ~/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data/logs/1Password_rCURRENT.log

  • ebridgesebridges
    Community Member

    @floris_1P I'm getting the exact same issue that was reported by @uws

    The command: SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ssh-add -L | grep "$(git config user.signingkey)" is returning the correct key.

    The console shows the following error when trying to commit:

    $ git commit -S -m 'test message'
    error: Error: AppError { error: could not authenticate with ssh agent, location: Location { file: "ssh/op-ssh-sign/src/ops.rs", line: 95, col: 37 } }
    
    fatal: failed to write commit object
    

    The log file 1Password_rCURRENT.log shows the following when it fails:

    INFO  2022-10-21T12:33:53.140 tokio-runtime-worker(ThreadId(277)) [1P:foundation/op-apple/src/biometry_service.rs:287] System biometry info: BiometricStatus { current_policy: WatchOnly, current_method: TouchId, current_availability: Available }
    INFO  2022-10-21T12:33:53.147 tokio-runtime-worker(ThreadId(277)) [1P:foundation/op-apple/src/biometry_service.rs:287] System biometry info: BiometricStatus { current_policy: WatchOnly, current_method: TouchId, current_availability: Available }
    ERROR 2022-10-21T12:33:53.149 tokio-runtime-worker(ThreadId(5)) [1P:op-automated-unlock/src/lib.rs:294] Failed to authorize using system biometry: FailedToUnlockWithKeys(BiometryUnavailable)
    INFO  2022-10-21T12:33:53.149 tokio-runtime-worker(ThreadId(5)) [1P:ssh/op-ssh-agent/src/lib.rs:419] Session was not authorized
    
  • hanpqhanpq
    Community Member
    edited October 21

    I had this to on Windows, exact same error message and "session was not authorized" in the logs. However I figured out the cause in my case. I was using Remote Desktop to connect to the machine. And if I use the computer directly it works just fine.

    It seems to me Windows disables Windows Hello when connecting through a remote session and I guess 1Password fails to invoke authentication with Windows Hello which if I've understood it correctly this feature relies upon.

    (At first glanse it might make sense to disable Windows Hello due to the biometric features however PIN would still work in a remote session in my opinion but that is a topic for Microsoft i guess)

    I do realize that this is probably a limitation in Windows/Windows Hello but might I suggest that the op-ssh-agent.exe could verify if Windows Hello is available and if not throw a suitable error message?

    Just trowing this out there as a possible cause if anyone else experiences this on Windows as well :)

  • ghostsghosts
    Community Member

    @floris_1P The issue returned... :(

    Here are the log messages I'm seeing after it happens:

    INFO  2022-10-22T01:07:36.382 tokio-runtime-worker(ThreadId(9)) [1P:foundation/op-sys-info/src/process_information/macos/non_app_store.rs:81] failed to find NSApplication related to pid 3138
    INFO  2022-10-22T01:07:36.398 tokio-runtime-worker(ThreadId(1168)) [1P:foundation/op-apple/src/biometry_service.rs:287] System biometry info: BiometricStatus { current_policy: WatchOnly, current_method: TouchId, current_availability: Available }
    INFO  2022-10-22T01:07:36.412 tokio-runtime-worker(ThreadId(1168)) [1P:foundation/op-apple/src/biometry_service.rs:287] System biometry info: BiometricStatus { current_policy: WatchOnly, current_method: TouchId, current_availability: Available }
    ERROR 2022-10-22T01:07:36.419 tokio-runtime-worker(ThreadId(9)) [1P:op-automated-unlock/src/lib.rs:294] Failed to authorize using system biometry: FailedToUnlockWithKeys(BiometryUnavailable)
    INFO  2022-10-22T01:07:36.419 tokio-runtime-worker(ThreadId(9)) [1P:ssh/op-ssh-agent/src/lib.rs:419] Session was not authorized
    

    To add more background: I use my macOS laptop with Touch ID closed and rely on Apple Watch for Biometric sign in. I tried opening the laptop and trying again then all of a sudden it started working (even after closing the lid again, as long as I authenticated with TouchID - maybe because at this point it's cached but when the auth expires it will stop working again). I hope this helps debug the issue.

  • Foosh135Foosh135
    Community Member

    Hey all, I had the exact same problem as @ghosts, and I was able to fix the problem on my own (without following any of the above suggestions).

    Turns out, the public key stored in my 1Pass SSH key didn't match the output of git config user.signingkey for some weird reason.
    The fix was to simply open my ~/.gitconfig file and manually replace the value of user.signingkey so that it matched the key stored in 1Pass. After I saved the file and closed it, the problem went away (I was able to authenticate my commits again).

    Hopefully this tip will help someone else here!

  • ghostsghosts
    Community Member
    edited October 24

    @Foosh135 are you sure the error stacktrace including line number you got matches the stacktrace I posted at the top of the post? I know for a fact that the fix you’re describing isn’t related to what I’m experiencing because it works on and off based on biometric sensor availability (as indicated by the logs).

    (Line 95 col 37)

    If it does match it could be that the stacktrace just points to the generic error handler they have in their cli.

  • Foosh135Foosh135
    Community Member

    @ghosts yup, my stacktrace matched yours exactly, down to the line 95 col 37 part.

    $ git commit -m "Modified README"
    error: Error: AppError { error: could not authenticate with ssh agent, location: Location { file: "ssh/op-ssh-sign/src/ops.rs", line: 95, col: 37 } }

    fatal: failed to write commit object

  • myusuf3myusuf3
    Community Member

    I am experiencing the same thing today as well with nothing changing in my setup either.

  • myusuf3myusuf3
    Community Member

    Removing the ssh signing seems to have fixed it. FYI I only have one account logged into the client.

  • myusuf3myusuf3
    Community Member

    I am now getting another error

    sign_and_send_pubkey: signing failed for RSA "" from agent: agent refused operation

  • MayMeowMayMeow
    Community Member
    edited November 3

    @hanpq I had exact same issue wihich i "fixed" with installing OpenSSH from Microsoft's (powershell/Win32-OpenSSH) GitHub repository and it's not working at all (but i get rid of that error message :D)

    It's now telling me (when I try to sign commits) that I have to have my private keys stored in Private/Personal Vault, where they exactly are. (My Vault has name: Personal)

    Other behavior are exactly the same as before:

    • ssh-add -L tells that it don't have any identities
    • trying to authenticate to servers returns message about that my public key is in invalid format.

    Note: I'm currently on beta channel, and I had installed application from production and from nightly channel before as well.

  • jamiefolsomjamiefolsom
    Community Member

    Same issue here as well -- I also am running an intel mac laptop with touch id, but lid closed, and a paired apple watch attempting to allow confirmation, as was @ghosts. Updating signing key in ~/.gitconfig had no effect.

  • DudeThatsErinDudeThatsErin
    Community Member

    No update from 1P support? Why? This is a pretty big issue

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file