SSH - 'Agent Refused Operation'

mattcooper
Community Member

I was able to enable the ssh agent in the 1 password app.

I now have a problem with accessing an EC2 instance using a private key stored in my private vault.

Steps:

  1. Update ~/.ssh/config with a host i.e.

Host random-host
HostName random-host.com
User ec2-user
IdentityAgent "~/Library/Group Containers/2BUA8GG42C.com.1password/t/agent.sock"

  2. Try to ssh to random-host

1password app prompts to 'Allow Access'

  3. This results in:

sign_and_send_pubkey: signing failed for RSA "random-host" from agent: agent refused operation ec2-user@random-host.com: Permission denied (publickey)

  4. When I list all of the keys available to the agent:

ssh-add -l

The agent has no identities.

Can you help? Not sure which steps I have missed?

Also, I have tried to contact support via email and the response is poor at best. The one response I did get had a link to a support ticket. When I try to view it I'm prompted for my 1pwd credentials. Try to login and it fails. Not sure if I need another 1pwd account to access your support platform? Frustrating.

Thanks, Matt


1Password Version: 8.6.0 BETA
Extension Version: Not Provided
OS Version: macOS 12.0.1


Comments

  • jamie_shaw
    Community Member

    I'm seeing this too when attempting to access Azure DevOps (ssh.dev.azure.com).

    With a very stripped back SSH config for debugging, I cannot seem to trace the cause. Even with a brand new key, same error.

    debug1: Host 'ssh.dev.azure.com' is known and matches the RSA host key.
    debug1: Found key in /Users/jamie/.ssh/known_hosts:4
    debug1: rekey out after 4294967296 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: rekey in after 4294967296 blocks
    debug1: Will attempt key: /Users/jamie/.ssh/azure_devops.pub RSA SHA256: explicit agent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: password,publickey
    debug1: Next authentication method: publickey
    debug1: Offering public key: /Users/jamie/.ssh/azure_devops.pub RSA SHA256: explicit agent
    debug1: Server accepts key: /Users/jamie/.ssh/azure_devops.pub RSA SHA256: explicit agent
    sign_and_send_pubkey: signing failed for RSA "/Users/jamie/.ssh/azure_devops.pub" from agent: agent refused operation

    Also noticed that keys not secured in the "Private" vault are not provided by the agent, is that a bug or by design?

  • Do you see anything appear in the logs when you invoke the SSH command? On macOS: ~/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data/logs/1Password_rCURRENT.log

    It could be that the EC2 instance only supports SHA1 signatures for RSA keys. This is something that the SSH agent doesn't support at the moment. If that's the case, you can consider switching to Ed25519 keys, or upgrading OpenSSH on your server so that it supports more modern algorithms.

    For Azure DevOps, that's not an option unfortunately. So be on the lookout for updates! (Either from our side or from Azure's side)

    @jamie_shaw About the Private vault requirement, see this thread.

  • mattcooper
    Community Member

    I see the following error:

    ERROR 2022-03-21T16:51:32.966 tokio-runtime-worker(ThreadId(3)) [1P:/Users/builder/builds/BhfSvM9x/0/dev/core/core/ssh/op-ssh-agent/src/lib.rs:377] Error handling sign request: Key(signing with ssh-rsa is unsupported; SHA-1 may be insecure)

    To be fair I tested with a legacy EC2 instance so I'll try out a few more recent EC2's.

  • mattcooper
    Community Member

    OK I tested out with some relatively new Amazon Linux EC2's and it works well.

    @floris_1P are you likely to include supporting old ciphers in the 1password SSH agent? To update SSH on all of our older/legacy instances would be a considerable amount of work. Long term we will be of course sunsetting/upgrading/replacing instances for security purposes but short term we can't commit to using the 1password agent without 'old' cipher support.

  • Yes, for that exact reason we have plans to also support ssh-rsa in the near future.

  • XIII
    Community Member

    we have plans to also support ssh-rsa in the near future

    Nice! Then I can start using the 1Password SSH agent for all my keys (currently can't for 1 Azure DevOps key at work).

  • dacodev
    Community Member

    Can a disclaimer/troubleshooting info or section be added to the SSH Agent page? https://developer.1password.com/docs/ssh/agent/

    I spent a few hours trying to figure out why I wasn't able to auth to a host using an RSA key. It's not explicitly stated that the agent won't work with RSA keys, and on the key management page, RSA is shown as a supported key type for import/storage, which sort of implies that you can use RSA keys with the agent, since they can be stored by 1Pass properly.

  • billwu
    Community Member

    I agree with dacodev. Please add a disclaimer. I'm scratching my hair off this morning until I found this post.

  • ark0n3
    Community Member

    Waiting for ssh-rsa support to go full-in with 1password SSH keys!

  • regis13
    Community Member
    edited May 2022

    @floris_1P Could you advise please, if there is at least an approximate ETA set for ssh-rsa keysig algorithm support?
    As I have to manage a bunch of legacy servers, the lack of this algo is really a showstopper for using this great 1Password feature.

  • @regis13 I can't make any promises on timelines, but for this feature we're looking more at a range of weeks than of months.

  • exsesx
    Community Member

    @floris_1P, what are you suggesting to do for now? Disable SSH agent?

  • ark0n3
    Community Member

    If useful, here's my .ssh/config

    • disabling 1Password SSH agent just for specific hosts
    • enabling only ed25519 SSH keys for 1Password-enabled hosts

    # use 1password SSH agent
    Host * !disabledhosts* !disabledhost2
    IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
    HostKeyAlgorithms ssh-ed25519

  • @exsesx You can run this command to see which algorithms your server supports:

    ssh -vv <your user>@<your host> ls |& grep 'peer server KEXINIT proposal' -A3 | grep 'host key algorithms'
    

    For example, in the case of GitHub:

    $ ssh -vv git@github.com ls |& grep 'peer server KEXINIT proposal' -A3 | grep 'host key algorithms'
    debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa
    

    If your server supports ssh-ed25519, you could consider switching to an Ed25519 key. If it supports rsa-sha2-512 or rsa-sha2-256, you could try adding this to your SSH config and keep on using your RSA key:

    Host your-host
      HostKeyAlgorithms -ssh-rsa
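As an added example (not from this thread or from 1Password), the check above carried through in shell: it pulls the `host key algorithms` line out of saved `ssh -vv` output (a constructed sample here, standing in for a real run), decides whether the agent's SHA-2 RSA signing can work against that server, and emits the config stanza suggested in this thread; the verdict names and the Ed25519 fallback are my own additions.

```shell
#!/bin/sh
# Added example, not 1Password's code: given the comma-separated list that
# `ssh -vv` prints on the "debug2: host key algorithms:" line, decide whether
# the 1Password agent (which only signs RSA with SHA-2) can authenticate.

# Constructed sample standing in for real `ssh -vv user@host ls` output.
SAMPLE_SSH_VV='debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256
debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com'

# Extract the algorithm list from ssh -vv output supplied on stdin.
extract_host_key_algs() {
  grep 'peer server KEXINIT proposal' -A3 | grep 'host key algorithms' | sed 's/.*host key algorithms: //'
}

# Classify a comma-separated algorithm list:
#   sha2-rsa -> rsa-sha2-256/512 offered: keep the RSA key, steer away from ssh-rsa
#   ed25519  -> no SHA-2 RSA, but Ed25519 offered: switch key type
#   legacy   -> only ssh-rsa (SHA-1): the agent answers "agent refused operation"
classify_host_key_algs() {
  algs=",$1,"
  case "$algs" in
    *,rsa-sha2-512,*|*,rsa-sha2-256,*) echo sha2-rsa ;;
    *,ssh-ed25519,*) echo ed25519 ;;
    *) echo legacy ;;
  esac
}

# Print the ssh_config stanza (or advice) that matches a verdict.
suggest_config() {
  host="$1"; verdict="$2"
  case "$verdict" in
    sha2-rsa)
      printf 'Host %s\n  HostKeyAlgorithms -ssh-rsa\n  PubkeyAcceptedKeyTypes -ssh-rsa\n' "$host" ;;
    ed25519)
      printf '# %s: generate an Ed25519 key in 1Password instead of RSA\n' "$host" ;;
    legacy)
      printf '# %s: server only offers ssh-rsa (SHA-1); the agent cannot sign for it\n' "$host" ;;
  esac
}

algs=$(printf '%s\n' "$SAMPLE_SSH_VV" | extract_host_key_algs)
suggest_config github.com "$(classify_host_key_algs "$algs")"
```

For a real host, replace the constructed sample with `ssh -vv <user>@<host> ls 2>&1` and feed it to `extract_host_key_algs`.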
    
  • tybritten
    Community Member

    I checked my circle host and it supports a bunch (debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256,rsa-sha2-256,rsa-sha2-512,ssh-rsa) but setting the HostKeyAlgorithm still isn't working. I've tried both -ssh-rsa and actually setting one (rsa-sha2-512) and it still keeps trying to use ssh-rsa

  • @tybritten What happens if you try PubkeyAcceptedKeyTypes as well?

    Host your-host
      HostKeyAlgorithms -ssh-rsa
      PubkeyAcceptedKeyTypes -ssh-rsa
    
  • tybritten
    Community Member

    weird, now I'm getting
    debug1: send_pubkey_test: no mutual signature algorithm

  • gussic
    Community Member

    @floris_1P are you supporting older ciphers, such as ssh-rsa now? just tried with a unifi device I have and still get the "agent refused operation" error...

  • muc81
    Community Member
    edited May 2022

    @floris_1P same issue here, every system works fine except the UniFi Dream Machine Pro @gussic

    Left a request to UniFi to get the dropper version updated from 2018.76 to something more current.

  • sidesaddle
    Community Member

    Subscribing

    +1 for ssh-rsa support

  • ark0n3
    Community Member

    Any hint on how to avoid having to fingerprint for each SSH access? If I log in 3 times to host X, I need to fingerprint 3 times.. I know, first-world problem, but need to ask since went full-in with 1password ssh agent!

  • @ark0n3 What platform are you on and what client are you using? The expected behavior would be 1 prompt per app or terminal window, per key.

  • ark0n3
    Community Member

    I'm on OSX (latest version), using iTerm2. If I SSH to a given host in iTerm2 tab A, I'm asked for fingerprint again when SSH in iTerm tab B.

  • gussic
    Community Member

    @floris_1P Hi there, any update re my post from May 22?

  • @ark0n3 That is the expected behavior. However, we are considering making this behavior configurable in the future.

  • @gussic Older key types and host key algorithms are not supported yet, but we might add support for them in the future.

  • ark0n3
    Community Member

    thanks @Marton.Soos_1P , since it's really a hassle as of right now..

  • biniblublu
    Community Member

    @Marton.Soos_1P Thank you for the various explanations above. Much appreciated. I understand that ssh-rsa keys are currently not supported by the 1password agent. Yet, when interacting with github, my ssh-rsa key appears to be supported. Is this the current state?

  • @biniblublu ssh-rsa keys are supported by the 1Password agent if they are used for ssh-rsa2 signing, they do not work for ssh-rsa signing. Depending on the Host Key Algorithm used by the service you're connecting to, using your ssh-rsa key may or may not work.

    Have you run into any services for which your ssh-rsa keys don't work when using the 1Password SSH Agent? If so please let us know which services so that we can investigate the issue.

  • XIII
    Community Member

    Azure DevOps (previously called Team Foundation Server) is definitely one (which only supports ssh-rsa signing).

This discussion has been closed.