ssh agent errors on older Cisco devices

cb3290jaskl
Community Member
edited December 2024 in SSH

It looks like there is an issue with the SSH agent when connecting to equipment using ssh-rsa for the host keys. Using ssh-rsa auth keys works fine; I am able to use the same key to connect to Ubuntu machines and other newer equipment.

This is the error I get when connecting to a Cisco switch running IOS 15.2(7)E5:

debug1: Offering public key: /Users/user/.ssh/id_rsa RSA SHA256:hash agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /Users/user/.ssh/id_rsa RSA SHA256:hash agent
debug3: sign_and_send_pubkey: using publickey with RSA SHA256:hash
debug3: sign_and_send_pubkey: signing using ssh-rsa SHA256:hash
sign_and_send_pubkey: signing failed for RSA "/Users/user/.ssh/id_rsa" from agent: agent refused operation

This is what the 1Password log shows:

WARN 2024-12-03T21:51:12.504+00:00 runtime-worker(ThreadId(8)) [1P:ssh/op-ssh-keys/src/private_key.rs:196] signing with ssh-rsa; SHA-1 may be insecure
ERROR 2024-12-03T21:51:12.504+00:00 runtime-worker(ThreadId(8)) [1P:/Users/build/4kwQZK_M/0/dev/core/core/ssh/op-ssh-agent/src/lib.rs:665] Error handling sign request: UnsupportedOperation
ERROR 2024-12-03T21:58:15.937+00:00 runtime-worker(ThreadId(2)) [1P:/Users/build/4kwQZK_M/0/dev/core/core/ssh/op-ssh-agent/src/lib.rs:665] Error handling sign request: UnsupportedOperation

These are required configs to connect to these switches in the ssh config file:

HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa

Is there a way to connect to these older devices with the 1Password agent? For now I am using the -i flag and supplying my original key file as a workaround. I'm really trying to get rid of these key files on my machine now.


1Password Version: 8.10.54
Extension Version: Not Provided
OS Version: macOS 15.1.1
Browser: Not Provided
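
Added illustration, not part of the original post and not 1Password's code: in the SSH agent protocol the client's sign request ends with a flags field, and for an RSA key a request with neither SHA-2 flag set asks for an ssh-rsa (SHA-1) signature, which is the case the "signing using ssh-rsa" debug line above reports. The sketch decodes a constructed request frame; `requested_signature_alg` and `build_request` are names made up here, and the key and session bytes are dummy data.

```python
import struct

SSH_AGENTC_SIGN_REQUEST = 13      # agent protocol message number
SSH_AGENT_RSA_SHA2_256 = 0x02     # sign-request flag bits
SSH_AGENT_RSA_SHA2_512 = 0x04


def _string(buf, off):
    """Read one SSH 'string' (uint32 length + bytes); return (value, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def requested_signature_alg(frame):
    """Return the signature algorithm an agent sign request asks for."""
    body, end = _string(frame, 0)              # outer frame: uint32 length + message
    if end != len(frame) or not body or body[0] != SSH_AGENTC_SIGN_REQUEST:
        raise ValueError("not a single SSH_AGENTC_SIGN_REQUEST frame")
    key_blob, off = _string(body, 1)           # public key blob
    _data, off = _string(body, off)            # data to be signed
    if off + 4 != len(body):
        raise ValueError("bad flags field")
    (flags,) = struct.unpack_from(">I", body, off)
    key_type = _string(key_blob, 0)[0].decode("ascii")
    if key_type != "ssh-rsa":
        return key_type                        # non-RSA: fixed by the key type
    if flags & SSH_AGENT_RSA_SHA2_256:
        return "rsa-sha2-256"
    if flags & SSH_AGENT_RSA_SHA2_512:
        return "rsa-sha2-512"
    return "ssh-rsa"                           # no SHA-2 flag: RSA with SHA-1


def build_request(flags, key_type=b"ssh-rsa"):
    """Constructed sample frame; key material and signed data are dummy bytes."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    key_blob = s(key_type) + s(b"\x01\x00\x01") + s(b"\x00" + b"\xab" * 16)
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + s(key_blob) + s(b"session-data")
            + struct.pack(">I", flags))
    return s(body)
```
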

Comments

  • sia
    Community Member

    This regression has indeed happened in 1Password for Mac 8.10.54; this change of behavior does not appear to be documented in release notes; combined with auto-update by default this does not inspire confidence :-(

  • The fix for this is available already on the nightly release channel and will go out in the next beta and stable releases next week.