ssh-agent on linux: sign_and_send_pubkey agent refused operation

focusaurus
focusaurus
Community Member
edited October 2022 in SSH

I'm trying to get ssh-agent integration working on linux with 1password 8. When I try a git pull to an ssh-based server, auth via the agent fails with the following relevant line from verbose output:

debug1: Next authentication method: publickey
debug1: Offering public key: (redacted) agent
debug1: Server accepts key: (redacted) agent
sign_and_send_pubkey: signing failed for ED25519 "(redacted)" from agent: agent refused operation

The 1password ssh agent is running. I can see my key listed in the output of ssh-add -l.


1Password Version: 8.9.4
Extension Version: Not Provided
OS Version: arch linux with kernel 6.0.2-arch1-1
Browser:_ N/A

Comments

  • Sorry to hear you’re running into a problem with the ssh agent.

    Are you able to authenticate directly via ssh to anything? Try ssh -T git@github.com (this assumes GitHub) and let us know the results.

    And just to check, have you gone through our Developer Documentation: https://developer.1password.com/docs/ssh/agent/? Linux requires Polkit and a non-Snap install for the ssh agent to work.

  • focusaurus
    focusaurus
    Community Member

    I get the same 'agent refused operation' error no matter which host I'm connecting to.

    ❯ ssh -T git@github.com
    sign_and_send_pubkey: signing failed for ED25519 "/home/plyons/.ssh/id_ed25519" from agent: agent refused operation
    git@github.com: Permission denied (publickey).
    
  • focusaurus
    focusaurus
    Community Member

    I'm on arch and I have extra/polkit installed and 1password 8.9.8-9 and 1password-cli 2.7.3-1

  • mwmdev
    mwmdev
    Community Member

    I have the same experience as @focusaurus .
    ssh provides the correct key, The server accepts it. The agent fails to sign it with the

    agent refused operation

    Also on arch with 1password version 8.9.14

  • focusaurus
    focusaurus
    Community Member

    Hmm, it seems I had the system polkit service running, but not an agent process running within my X session. Getting that working seems to have made the op CLI work again. I wonder if that will help with the SSH agent too.

  • dabe
    dabe
    Community Member
    edited April 2023

    @focusaurus Could I ask how you solved your issue? I'm running into the exact same issue.

    In my case, I had to remove the 1password IdentityAgent from my ssh config, export my private key, set its permissions properly (they weren't set right by default when exported by 1Password), and then my ssh -T git@github.com would succeed.

    It may have something to do with 1Password not setting proper permissions on the keys that it loads into the ssh-agent, but I can't really verify that.

    edit: Well, looks like all I needed to do was restart 1password. Strange. Maybe it was from a stale update.

  • focusaurus
    focusaurus
    Community Member
    edited April 2023

    Yeah it appears with a newer release of 1Password I turned on the ssh-agent, got my config set up according to the docs again, and restarted 1password and now it seems to be working!

    Details for posterity:

    1Password for Linux 8.10.4 (81004032)

This discussion has been closed.