ssh-agent on linux: sign_and_send_pubkey agent refused operation
I'm trying to get ssh-agent integration working on linux with 1password 8. When I try a git pull to an ssh-based server, auth via the agent fails with the following relevant line from verbose output:
debug1: Next authentication method: publickey debug1: Offering public key: (redacted) agent debug1: Server accepts key: (redacted) agent sign_and_send_pubkey: signing failed for ED25519 "(redacted)" from agent: agent refused operation
The 1password ssh agent is running. I can see my key listed in the output of ssh-add -l
.
1Password Version: 8.9.4
Extension Version: Not Provided
OS Version: arch linux with kernel 6.0.2-arch1-1
Browser:_ N/A
Comments
-
Sorry to hear you’re running into a problem with the ssh agent.
Are you able to authenticate directly via ssh to anything? Try
ssh -T git@github.com
(this assumes GitHub) and let us know the results.And just to check, have you gone through our Developer Documentation: https://developer.1password.com/docs/ssh/agent/? Linux requires Polkit and a non-Snap install for the ssh agent to work.
0 -
I get the same 'agent refused operation' error no matter which host I'm connecting to.
❯ ssh -T git@github.com sign_and_send_pubkey: signing failed for ED25519 "/home/plyons/.ssh/id_ed25519" from agent: agent refused operation git@github.com: Permission denied (publickey).
0 -
I'm on arch and I have extra/polkit installed and 1password 8.9.8-9 and 1password-cli 2.7.3-1
0 -
I have the same experience as @focusaurus .
ssh provides the correct key, The server accepts it. The agent fails to sign it with theagent refused operation
Also on arch with 1password version 8.9.14
0 -
Hmm, it seems I had the system polkit service running, but not an agent process running within my X session. Getting that working seems to have made the
op
CLI work again. I wonder if that will help with the SSH agent too.0 -
@focusaurus Could I ask how you solved your issue? I'm running into the exact same issue.
In my case, I had to remove the 1password IdentityAgent from my ssh config, export my private key, set its permissions properly (they weren't set right by default when exported by 1Password), and then my
ssh -T git@github.com
would succeed.It may have something to do with 1Password not setting proper permissions on the keys that it loads into the ssh-agent, but I can't really verify that.
edit: Well, looks like all I needed to do was restart 1password. Strange. Maybe it was from a stale update.
0 -
Yeah it appears with a newer release of 1Password I turned on the ssh-agent, got my config set up according to the docs again, and restarted 1password and now it seems to be working!
Details for posterity:
1Password for Linux 8.10.4 (81004032)
0