ssh agent errors on older Cisco devices

cb3290jaskl
Community Member
edited December 4 in SSH

It looks like there is an issue with the SSH agent when connecting to equipment using ssh-rsa for the host keys. Using ssh-rsa auth keys works fine; I am able to use the same key to connect to Ubuntu machines and other newer equipment.

This is the error I get when connecting to a Cisco switch running IOS 15.2(7)E5:

debug1: Offering public key: /Users/user/.ssh/id_rsa RSA SHA256:hash agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /Users/user/.ssh/id_rsa RSA SHA256:hash agent
debug3: sign_and_send_pubkey: using publickey with RSA SHA256:hash
debug3: sign_and_send_pubkey: signing using ssh-rsa SHA256:hash
sign_and_send_pubkey: signing failed for RSA "/Users/user/.ssh/id_rsa" from agent: agent refused operation

This is what the 1Password log shows:

WARN 2024-12-03T21:51:12.504+00:00 runtime-worker(ThreadId(8)) [1P:ssh/op-ssh-keys/src/private_key.rs:196] signing with ssh-rsa; SHA-1 may be insecure
ERROR 2024-12-03T21:51:12.504+00:00 runtime-worker(ThreadId(8)) [1P:/Users/build/4kwQZK_M/0/dev/core/core/ssh/op-ssh-agent/src/lib.rs:665] Error handling sign request: UnsupportedOperation
ERROR 2024-12-03T21:58:15.937+00:00 runtime-worker(ThreadId(2)) [1P:/Users/build/4kwQZK_M/0/dev/core/core/ssh/op-ssh-agent/src/lib.rs:665] Error handling sign request: UnsupportedOperation

These are required configs to connect to these switches in the ssh config file:

HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa

Is there a way to connect to these older devices with the 1Password agent? For now I am using the -i flag and supplying my original key file as a workaround. I'm really trying to get rid of these key files on my machine now.


1Password Version: 8.10.54
Extension Version: Not Provided
OS Version: macOS 15.1.1
Browser: Not Provided
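
The debug line "signing using ssh-rsa" above corresponds to an agent sign request with neither SHA-2 flag set, which asks for an RSA signature over SHA-1. The following is an added example, not part of the original post and not 1Password or OpenSSH code: a parser for the SSH agent protocol's sign request that reports which signature algorithm a client is asking the agent for. The function names are hypothetical and the sample requests are constructed with placeholder key material.

```python
import struct

SSH_AGENTC_SIGN_REQUEST = 13   # agent protocol message type
SSH_AGENT_RSA_SHA2_256 = 0x02  # sign-request flag bits
SSH_AGENT_RSA_SHA2_512 = 0x04
RSA_ALGS = {0: "ssh-rsa",      # no flag set: RSA signature over SHA-1
            SSH_AGENT_RSA_SHA2_256: "rsa-sha2-256",
            SSH_AGENT_RSA_SHA2_512: "rsa-sha2-512"}

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int):
    """Decode an SSH 'string' at off; return (value, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("string runs past end of message")
    return buf[off + 4:end], end

def requested_signature(frame: bytes) -> str:
    """Signature algorithm that one framed sign request asks the agent for."""
    payload, end = read_string(frame, 0)       # outer length framing
    if end != len(frame) or payload[:1] != bytes([SSH_AGENTC_SIGN_REQUEST]):
        raise ValueError("not a single SSH_AGENTC_SIGN_REQUEST")
    key_blob, off = read_string(payload, 1)
    _data, off = read_string(payload, off)     # bytes to be signed
    if off + 4 != len(payload):
        raise ValueError("bad flags field")
    (flags,) = struct.unpack_from(">I", payload, off)
    key_type, _ = read_string(key_blob, 0)
    if key_type != b"ssh-rsa":
        return key_type.decode()               # hash flags only apply to RSA keys
    bits = flags & (SSH_AGENT_RSA_SHA2_256 | SSH_AGENT_RSA_SHA2_512)
    return RSA_ALGS.get(bits, "ambiguous: both SHA-2 flags set")

def build_request(key_type: bytes, flags: int) -> bytes:
    """Constructed sample request; key material and signed data are placeholders."""
    blob = ssh_string(key_type) + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\xc3" * 8)
    body = bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(blob) + ssh_string(b"constructed data")
    return ssh_string(body + struct.pack(">I", flags))

if __name__ == "__main__":
    for flags in (0, SSH_AGENT_RSA_SHA2_256, SSH_AGENT_RSA_SHA2_512):
        print(flags, requested_signature(build_request(b"ssh-rsa", flags)))
```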

Comments

  • sia
    Community Member

    This regression has indeed happened in 1Password for Mac 8.10.54; this change of behavior does not appear to be documented in release notes; combined with auto-update by default this does not inspire confidence :-(

  • The fix for this is available already on the nightly release channel and will go out in the next beta and stable releases next week.