Just tried to configure 1Password SSH and am having trouble (Windows 11)

TMoneyAllDey
Community Member
edited May 2022 in SSH

Hi, I get an error when I try the test recommended in the set up document. When I run ssh -T git@github.com, I get

sign_and_send_pubkey: signing failed: agent refused operation
git@github.com: Permission denied (publickey).

I'm using an existing RSA pem key I've used for github for many years. I imported it into 1Password and the fingerprint in github and in 1password match exactly. I installed the beta 8 version, I disabled openSSH service on my windows 11 machine, and I enabled the 1password SSH service in settings. I also turned on Windows Hello and set a pin. After all this, I restarted 1password.

If I run ssh-add -l, I see the single fingerprint I have imported into 1password.

If I go into 1password and disable the ssh service, I get

Error connecting to agent: No such file or directory

when running ssh-add -l so 1password SSH service is certainly being used

I just tried this command and found more info. ssh -vT git@github.com

debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key:  RSA SHA256:xxx agent
debug1: Server accepts key:  RSA SHA256:xxx agent
sign_and_send_pubkey: signing failed: agent refused operation

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Windows 11

Comments

  • SV337
    Community Member

    Hi, I'm experiencing the same exact issue, I'm on Arch Linux on the latest desktop beta version.
    However, ssh-add -l gives me

    Error connecting to agent: No such file or directory
    

    Of course, I enabled the SSH service in the settings as well.

  • TMoneyAllDey
    Community Member

    @SV337, did you enable the service in the 1Password desktop app?

  • TMoneyAllDey
    Community Member

    Further edits, if I generate a new SSH key and set up github, it works. My old password-protected PEM key is the one that fails. Very strange.

  • SV337
    Community Member

    @TMoneyAllDey yes I enabled everything. That's weird because I also tried to generate a new SSH key and link it to Github but it didn't work. Did you use an RSA or Ed25519 key type?

  • TMoneyAllDey
    Community Member

    @SV337, I used the new Ed25519 since my old keys are all RSA.

  • TMoneyAllDey
    Community Member

    Your error reads like the 1password ssh service is failing to load. Can you try this command ssh -vT git@github.com?

  • SV337
    Community Member

    Sure, I get more or less the same thing as you did:

    debug1: Will attempt key:  ED25519 SHA256:DGsj4tgVBWjC1KKhu7jhs5HA/1CiY+e8YoH+uWA3GRw agent
    debug1: Will attempt key:  ED25519 SHA256:X1vpNjmAwANO/gPVdvde1J/e+ZBmQELv+7raKMIgGdQ agent
    debug1: Will attempt key:  ED25519 SHA256:vwjBnRxnegnivkKfqRt0FxOGsyoSVJ0st2YNs4nyPkQ agent
    debug1: Will attempt key:  ED25519 SHA256:/3qGzZTtnZL7SiYcqlhaEupbDfXn4jEJrqJWNhLUs3o agent
    [...]
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Offering public key:  ED25519 SHA256:DGsj4tgVBWjC1KKhu7jhs5HA/1CiY+e8YoH+uWA3GRw agent
    debug1: Server accepts key:  ED25519 SHA256:DGsj4tgVBWjC1KKhu7jhs5HA/1CiY+e8YoH+uWA3GRw agent
    sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation
    debug1: Offering public key:  ED25519 SHA256:X1vpNjmAwANO/gPVdvde1J/e+ZBmQELv+7raKMIgGdQ agent
    debug1: Authentications that can continue: publickey
    debug1: Offering public key:  ED25519 SHA256:vwjBnRxnegnivkKfqRt0FxOGsyoSVJ0st2YNs4nyPkQ agent
    debug1: Authentications that can continue: publickey
    debug1: Offering public key:  ED25519 SHA256:/3qGzZTtnZL7SiYcqlhaEupbDfXn4jEJrqJWNhLUs3o agent
    debug1: Server accepts key:  ED25519 SHA256:/3qGzZTtnZL7SiYcqlhaEupbDfXn4jEJrqJWNhLUs3o agent
    sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation
    [...]
    debug1: No more authentication methods to try.
    git@github.com: Permission denied (publickey).
    

    I have 4 keys setup on 1password at the moment, so I'm guessing it's able to retrieve these from the agent correctly.

  • SV337
    Community Member

    @TMoneyAllDey Sure, I get more or less the same thing as you did:

    debug1: Will attempt key:  ED25519 SHA256:<sha256sum> agent
    debug1: Will attempt key:  ED25519 SHA256:<sha256sum> agent
    debug1: Will attempt key:  ED25519 SHA256:<sha256sum> agent
    debug1: Will attempt key:  ED25519 SHA256:<sha256sum> agent
    [...]
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Offering public key:  ED25519 SHA256:<sha256sum> agent
    debug1: Server accepts key:  ED25519 SHA256:<sha256sum> agent
    sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation
    debug1: Offering public key:  ED25519 SHA256:<sha256sum> agent
    debug1: Authentications that can continue: publickey
    debug1: Offering public key:  ED25519 SHA256:<sha256sum> agent
    debug1: Authentications that can continue: publickey
    debug1: Offering public key:  ED25519 SHA256: agent
    debug1: Server accepts key:  ED25519 SHA256:<sha256sum> agent
    sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation
    [...]
    debug1: No more authentication methods to try.
    git@github.com: Permission denied (publickey).
    

    I have 4 SSH keys on my 1Password vault at the moment, so it looks like it is able to retrieve these from the agent correctly.

  • TMoneyAllDey
    Community Member

    Yeah, it looks like it is picking them up. We might have to wait until a 1password tech gets here.

  • ndom91
    Community Member
    edited February 2022

    Interesting, I'm pretty much at the same place.

    I've added a few of my keys to my vault, and ssh-add -l lists them all. When testing it with git@github.com, my system's behavior is pretty much the same as OP.

    ❯ ssh -vT git@github.com
    OpenSSH_8.8p1, OpenSSL 1.1.1m  14 Dec 2021
    debug1: Reading configuration data /home/ndo/.ssh/config
    debug1: /home/ndo/.ssh/config line 11: Applying options for github.com
    debug1: /home/ndo/.ssh/config line 541: Applying options for *
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Connecting to github.com [140.82.121.4] port 22.
    debug1: Connection established.
    debug1: identity file /home/ndo/.ssh/id_ndo4.pub type 0
    debug1: identity file /home/ndo/.ssh/id_ndo4.pub-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_8.8
    debug1: Remote protocol version 2.0, remote software version babeld-e1420b26
    debug1: compat_banner: no match: babeld-e1420b26
    debug1: Authenticating to github.com:22 as 'git'
    debug1: load_hostkeys: fopen /home/ndo/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: curve25519-sha256
    debug1: kex: host key algorithm: rsa-sha2-512
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: SSH2_MSG_KEX_ECDH_REPLY received
    debug1: Server host key: ssh-rsa SHA256:abc123
    debug1: load_hostkeys: fopen /home/ndo/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug1: Host 'github.com' is known and matches the RSA host key.
    debug1: Found key in /home/ndo/.ssh/known_hosts:41
    debug1: rekey out after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: rekey in after 134217728 blocks
    debug1: Will attempt key: /home/ndo/.ssh/id_ndo4.pub RSA SHA256:abc123 explicit agent
    debug1: Will attempt key:  RSA SHA256:abc123 agent
    debug1: Will attempt key:  ED25519 SHA256:abc123 agent
    debug1: Will attempt key:  RSA SHA256:abc123 agent
    debug1: SSH2_MSG_EXT_INFO received
    debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Offering public key: /home/ndo/.ssh/id_ndo4.pub RSA SHA256:abc123 explicit agent <-- this is the correct public key that should work imo
    debug1: Server accepts key: /home/ndo/.ssh/id_ndo4.pub RSA SHA256:abc123 explicit agent
    sign_and_send_pubkey: signing failed for RSA "/home/ndo/.ssh/id_ndo4.pub" from agent: agent refused operation
    debug1: Offering public key:  RSA SHA256:abc123 agent
    debug1: Authentications that can continue: publickey
    debug1: Offering public key:  ED25519 SHA256:abc123 agent
    debug1: Authentications that can continue: publickey
    debug1: Offering public key:  RSA SHA256:abc123 agent
    debug1: Authentications that can continue: publickey
    debug1: No more authentication methods to try.
    git@github.com: Permission denied (publickey).
    ~
    ❯ ssh-add -l
    2048 SHA256:abc123  (RSA)
    4096 SHA256:abc123  (RSA)
    256 SHA256:abc123  (ED25519)
    2048 SHA256:abc123  (RSA)
    

    I see the agent.sock file in ~/.1password/ and lsof says an active 1Password process has it open.

    I wanted to add, my .ssh/config entry for github.com looks like this:

    host github.com
      user git
      IdentityAgent "~/.1password/agent.sock"
      IdentityFile ~/.ssh/id_ndo4.pub
    

    System:
    Arch Linux 5.17
    OP Cli 2.0.0-beta.12
    OP App 8.6.0

  • innocenzi
    Community Member
    edited February 2022

    I'm having a similar issue on Windows, where the SSH key works, but I still get sign_and_send_pubkey: signing failed: agent refused operation.

    ➜  ssh -T git@github.com
    sign_and_send_pubkey: signing failed: agent refused operation
    Hi xxx! You've successfully authenticated, but GitHub does not provide shell access.
    
    ➜  ssh-add -l
    256 SHA256:xxx  (ED25519)
    

    EDIT: well, in my case, restarting the gpg agent fixed it!

  • ndom91
    Community Member
    edited February 2022

    In my ~/.config/1Password/logs/1Password_rCURRENT.log file, I now see a bunch of lines of

    WARN  2022-02-19T12:31:26.930 tokio-runtime-worker(ThreadId(4)) [1P:ssh/op-ssh-agent/src/lib.rs:252] Unable to get client_info for pid: 123
    

    Whenever I try to use the agent, i.e. with the Github test cmd (ssh -T git@github.com) and see the agent refused operation error message.

    Before these error messages, I do see some INFO type messages that the SSH agent was successfully started though!

  • SV337
    Community Member

    Just a quick message to say that the issue was coming from tmux on my side. It is apparently a known issue that the 1Password team is working on.

    When trying it under alacritty + zsh without tmux it is working fine. I'll wait for the fix to land to start using it!

  • ndom91
    Community Member
    edited February 2022

    @SV337 thanks for the update! I tried it without tmux, however with alacritty + bash, and still wasn't able to get it to work. Sounds like the team is on it though, I'll hang tight as well and keep an eye on this thread! :)

    In case it helps, the 1Password_rCURRENT.log file now said Session was not authorized for each attempt from that alacritty / bash (w/o Tmux) window.

    I tried restarting the agent by unchecking and rechecking the option in the desktop 1P 8 client and saw SSH Agent is stopping and then SSH agent is starting in the logs. However, it immediately went back to Session was not authorized after attempting to login via SSH with the Agent set in ~/.ssh/config.

    I also intermittently had messages saying New unlock was suppressed because a previous unlock was rejected or the lock screen was displayed, between these "Session not authorized" logs.

  • Hey all, we've implemented some fixes that could solve some of the issues mentioned above, which are available on the latest stable and beta release.

    Let us know if that fixes your issues.

    @TMoneyAllDey For the Windows issue with RSA, do you see anything appear in the logs (%LOCALAPPDATA%/1Password/logs) when you run your SSH command? And you're saying it does work when you generate a new Ed25519 key using 1Password, but what happens if you generate a new RSA key using 1Password?

  • chatii
    Community Member

    I am experiencing similar problems.

    • 1Password for Mac 8.6.0 80600081, on BETA channel
    • 1Password for Mac 8.7.0 80700002, on BETA channel

    Created Ed25519 key for GitHub in 1Password and set IdentityAgent in ~/.ssh/config.
    (There are no other settings in ~/.ssh/config).
    And ssh -T git@github.com succeeded.

    Next, a key was created with RSA (4096 bits) to connect to another host.
    ssh user@my-host and was prompted to unlock by Touch ID, but could not connect.
    When the -vT option was enabled, the following log was displayed.

    ...
    debug1: Will attempt key: GitHub SSH chatii ED25519 SHA256:{} agent
    debug1: Will attempt key: insprout ProxyServer chatii SSH Key RSA SHA256:{} agent
    ...
    debug1: Authentications that can continue: publickey
    debug1: Offering public key: my host RSA SHA256:{} agent
    debug1: Server accepts key: my host RSA SHA256:{} agent
    sign_and_send_pubkey: signing failed for RSA "my host SSH Key" from agent: agent refused operation
    ...
    debug1: No more authentication methods to try.
    user@myhost: Permission denied (publickey).
    

    To find out where the problem lies, copy the private key generated by 1Password to ~/.ssh/my-host and try ssh -i ~/.ssh/my-host user@myhost - this method works.

    I have also tried disabling and enabling the SSH agent in 1Password and upgrading (8.6.0 => 8.7.0), but this does not fix the problem.

  • K.J._1P
    edited March 2022

    @chatii A possible cause is the client/server is attempting key exchange with ssh-rsa (RSA with SHA1) which is not supported. 1Password currently only supports rsa-sha2-512 and rsa-sha2-256 for RSA keys. A quick way to test is with the following command:

    # Github supports rsa-sha2 and it takes precedence over ssh-rsa
    ssh -vvT git@github.com ls |& grep 'peer server KEXINIT proposal' -A3 | grep 'host key algorithms'
    debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa
    
    # Azure DevOps only supports ssh-rsa
    ssh -vvT git@ssh.dev.azure.com ls |& grep 'peer server KEXINIT proposal' -A3 | grep 'host key algorithms'
    debug2: host key algorithms: ssh-rsa
    

    If rsa-sha2 is supported, but has lower preference than ssh-rsa, PubkeyAcceptedKeyTypes in ~/.ssh/config can be used to remove it from the proposed list.
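
A triage sketch for the `ssh -v` output posted in this thread, added here as an example (it is not 1Password's or any poster's code): it pairs each offered key with what happened next and, for RSA keys the agent refused, checks the `server-sig-algs` line (visible in ndom91's log) for the rsa-sha2 algorithms named in the staff reply above. The function names, outcome labels and sample logs are constructed for illustration.

```python
import re

# Matches the two `ssh -v` lines that name a key: comment or path, key type, fingerprint.
KEY_RE = re.compile(
    r"(Offering public key|Server accepts key):\s*(.*?)\s*\b([A-Z][A-Z0-9-]*)\s+(SHA256:\S*)")
SIG_ALGS_RE = re.compile(r"server-sig-algs=<([^>]*)>")
RSA_SHA2 = {"rsa-sha2-256", "rsa-sha2-512"}  # RSA algorithms the staff reply lists as supported

def why_refused(key_type, sig_algs):
    """Classify one 'agent refused operation' (labels are this example's own)."""
    if not key_type.startswith("RSA"):
        return "agent-side"                # the SHA-1 RSA question does not apply
    if sig_algs is None:
        return "server-sig-algs-not-seen"  # this log cannot answer the question
    if RSA_SHA2 & set(sig_algs):
        return "agent-side"                # server takes rsa-sha2, so look at the agent
    return "server-lacks-rsa-sha2"

def triage(log):
    """Return one dict per offered key, in the order ssh offered them."""
    found = SIG_ALGS_RE.search(log)
    sig_algs = found.group(1).split(",") if found else None
    keys, current = [], None
    for line in log.splitlines():
        m = KEY_RE.search(line)
        if m and m.group(1) == "Offering public key":
            current = {"comment": m.group(2), "type": m.group(3),
                       "fingerprint": m.group(4), "outcome": "server-rejected-key"}
            keys.append(current)
        elif m and current:
            current["outcome"] = "server-accepted"
        elif "agent refused operation" in line and current:
            current["outcome"] = "agent-refused:" + why_refused(current["type"], sig_algs)
    return keys

# Constructed logs in the shape of the excerpts quoted in this thread (placeholder fingerprints).
GITHUB_LIKE = """\
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa>
debug1: Authentications that can continue: publickey
debug1: Offering public key:  RSA SHA256:fp-one agent
debug1: Server accepts key:  RSA SHA256:fp-one agent
sign_and_send_pubkey: signing failed for RSA "" from agent: agent refused operation
debug1: Offering public key:  ED25519 SHA256:fp-two agent
debug1: Authentications that can continue: publickey
"""
LEGACY_HOST = """\
debug1: kex_input_ext_info: server-sig-algs=<ssh-rsa,ssh-dss>
debug1: Offering public key: my host RSA SHA256:fp-three agent
debug1: Server accepts key: my host RSA SHA256:fp-three agent
sign_and_send_pubkey: signing failed for RSA "my host" from agent: agent refused operation
"""

if __name__ == "__main__":
    for name, log in (("github-like", GITHUB_LIKE), ("legacy-host", LEGACY_HOST)):
        for key in triage(log):
            print(name, key["type"], key["fingerprint"], key["outcome"])
```

An `agent-side` outcome points back to the causes reported elsewhere in this thread, such as the authorization prompt not appearing or "Session was not authorized" in the 1Password log.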

  • chatii
    Community Member

    @K.J._1P oh I see, I understand..!

    I really like 1Password's policy of not supporting unsecured key formats.
    I was able to learn more about SSH because of the specific suggestions made. Thank you!

    I tried

    ❯ cat ~/.ssh/config
    
    Host target-onpremise-host
        HostName AAA.BBB.CCC.DDD
        Port 8022
        User chatii
        IdentityFile "~/.ssh/target-onpremise-host"
    
    ❯ ssh -vvT target-onpremise-host ls |& grep 'peer server KEXINIT proposal' -A3 | grep 'host key algorithms'
    debug2: host key algorithms: ssh-rsa,ssh-dss
    
  • ascarter
    Community Member

    I am not seeing this issue for the offered key types. Instead I saw this in my log using the GitHub test:

    ssh -T git@github.com
    
    WARN  2022-04-11T19:43:23.382 ThreadId(1) [1P:foundation\op-windows\src\windows\window.rs:222] failed to bring window to the foreground
    INFO  2022-04-11T19:43:28.355 op_executor:invocation_loop(ThreadId(12)) [1P:op-app\src\app\backend\frontend.rs:24] Front end event: window closed
    WARN  2022-04-11T19:43:43.148 ThreadId(1) [1P:foundation\op-windows\src\windows\window.rs:222] failed to bring window to the foreground
    
    

    I quit 1Password and re-launched it. Now I'm getting the pop up authorization window. So something caused the auth window to not show up. This was after a reboot and I have 1P set to startup automatically.

This discussion has been closed.