Git and Azure DevOPS: agent refused operation

[Deleted User]
Community Member
edited May 2022 in SSH

I am struggling to get my Git repositories in Azure working with 1Password keeping my SSH keys. Besides the fact that Azure does not support Ed25519 keys (sigh), so I had to create an RSA key for it, authentication with it fails as soon as I activate the two lines for "Host *" and "IdentityAgent" pointing to the 1Password socket:
--- 8< ---
sign_and_send_pubkey: signing failed for RSA "/Users/myuser/.ssh/id_rsa_azure.pub" from agent: agent refused operation
--- 8< ---
(it also fails without setting IdentityFile and IdentitiesOnly btw.)

Exporting the key and using old fashioned file based key authentication works though.

Working with other Git servers works, so I think this is an "Azure-Thing".


1Password Version: 8.7.0 (80700012)
Extension Version: Not Provided
OS Version: 12.2.1 (21D62)

Comments

  • Yes, this is because Azure DevOps only supports legacy ssh-rsa SHA-1 signatures. We're working on adding support for those as well.

  • billwu
    Community Member

    Hi,

    I think I've created an ssh-rsa key for Azure DevOps now, however I'm getting the same error. Is this issue fixed yet?

  • [Deleted User]
    Community Member

    AFAIK there is no support for Azure DevOPS (or the other way around: Azure DevOPS doesn't support the better algorithms) yet. My workaround: I added the following to my .ssh/config file:

    Host ssh.dev.azure.com
        IdentityFile ~/.ssh/id_rsa
        IdentitiesOnly yes
        IdentityAgent /private/tmp/com.apple.launchd.znyst9AFDG/Listeners

  • zigford
    Community Member

    Anyone know what the workaround would be on Linux?
    I have the identity file in ~/.ssh, but it seems no matter what I do, the 1Password SSH agent is taking over.

    SSH_AUTH_SOCK="" git fetch
    sign_and_send_pubkey: signing failed for RSA "/home/user/.ssh/id_rsa" from agent: agent refused operation

  • zigford
    Community Member

    I figured out I can just define this ssh config above the Host * IdentityAgent in ~/.ssh/config as a workaround.

  • Glad you found a solution, @zigford. And thanks for sharing it!

  • zigford
    Community Member

    Update. Don't know why, but my workaround stopped working.
    New workaround that is working currently:

    Define the following above the IdentityAgent definition, so the ~/.ssh/config should look like this:

    Host ssh.dev.azure.com
        HostName ssh.dev.azure.com
        User git
        IdentityFile ~/.ssh/id_rsa
        PubkeyAcceptedAlgorithms +ssh-rsa
        HostkeyAlgorithms +ssh-rsa
        IdentitiesOnly yes
        IdentityAgent /dev/null
    Host *
        IdentityAgent ~/.1password/agent.sock
        AddKeysToAgent yes
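
Why the block order in the config above matters, as an added example that is not part of the original thread: OpenSSH uses the first value it obtains for each option, so a host-specific `IdentityAgent` only takes effect when it appears before the `Host *` catch-all. The resolver below is a simplified sketch (it ignores `Match` and `Include`, and the function names and sample strings are constructed for illustration).

```python
"""Resolve one ssh_config option for a host (first obtained value wins)."""
from fnmatch import fnmatchcase

# Constructed sample: the layout from the post above, Azure block first.
AZURE_FIRST = """\
Host ssh.dev.azure.com
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
    IdentityAgent /dev/null
Host *
    IdentityAgent ~/.1password/agent.sock
"""
# Constructed sample: the same two blocks with the catch-all first.
AGENT_FIRST = """\
Host *
    IdentityAgent ~/.1password/agent.sock
Host ssh.dev.azure.com
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
    IdentityAgent /dev/null
"""

def host_matches(patterns, host):
    """A Host line applies if a positive pattern matches and no negated one does."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(host, pat[1:]):
                return False
        elif fnmatchcase(host, pat):
            matched = True
    return matched

def effective_option(config_text, host, keyword):
    """Return the first value ssh would obtain for keyword, or None."""
    active = True  # lines before any Host line apply to every host
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            active = host_matches(value.split(), host)
        elif active and key == keyword.lower():
            return value  # later matching blocks cannot override this
    return None

if __name__ == "__main__":
    for name, cfg in (("azure first", AZURE_FIRST), ("agent first", AGENT_FIRST)):
        print(name, effective_option(cfg, "ssh.dev.azure.com", "IdentityAgent"))
```

On a real machine, `ssh -G ssh.dev.azure.com` prints the options OpenSSH actually resolved for that host, which is the authoritative check.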
    
  • Hi @zigford!

    As of the latest nightly release, 1Password supports ssh-rsa (SHA-1). So if you update to the latest nightly you can also store your Azure DevOPS SSH key in 1Password.

  • XIII
    Community Member

    Excellent news. Thank you!

  • zigford
    Community Member

    Thanks @MartonS1P, can you point me in the direction of the nightly releases? I've googled around and cannot find it. I'm on Linux.

  • Hi @zigford,

    You can follow the instructions outlined here: https://support.1password.com/install-linux/#debian-or-ubuntu and replace "stable" with "edge" when adding the 1Password apt repository.

    Let me know if you have other questions or run into any other issues!

  • zigford
    Community Member

    Nice. I have installed the latest beta which has this feature.
    It is working, but I had to download the public key and set it up like this:

    Host *
        IdentityAgent ~/.1password/agent.sock
        AddKeysToAgent yes
    Host ssh.dev.azure.com
        HostName ssh.dev.azure.com
        User git
        PubkeyAcceptedAlgorithms ssh-rsa
        HostkeyAlgorithms ssh-rsa
        IdentityFile ~/.ssh/harrisj@19wbpf2-gentoo.pub
        IdentitiesOnly yes
    
This discussion has been closed.