No fingerprint prompt when SSHing

sososo
Community Member
edited July 2022 in SSH

Hi,
I've gone over the doc multiple times but can't seem to get it to work. I settled on a per key activation to avoid impacting my work. When I look in the logs I can see

INFO 2022-07-07T09:32:05.815 tokio-runtime-worker(ThreadId(12)) [1P:ssh/op-agent-controller/src/desktop.rs:332] SSH Agent has started.

but nothing shows in the logs when I ssh. I get no fingerprint prompt and thus

$ ssh linode
jdoe@123.123.123.123: Permission denied (publickey,keyboard-interactive).

This is what I have in my .ssh/config

Host linode
User jdoe
Hostname 123.123.123.123
IdentitiesOnly yes
IdentityAgent "~/ecosta/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

If I do the following, I can see the ssh keys list stored in 1P

export SSH_AUTH_SOCK=~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock
ssh-add -l

If I run an ssh to linode with or without exporting the SSH_AUTH_SOCK, I still get the same result. No prompt.

I just noted that if I save a change in .ssh/config I get the following log message
INFO 2022-07-07T10:21:38.998 notify-rs fsevents loop(ThreadId(23)) [1P:ssh/op-ssh-config/src/lib.rs:231] agent not configured

I tried importing a key or generating one but nothing seems to do it. Why am I not getting a prompt? Could you help me solve the problem?

Thanks.


1Password Version: 8.7.3
Extension Version: Not Provided
OS Version: macOS 12.4
Browser: Not Provided

Comments

  • Could you try changing the socket path in your ~/.ssh/config to:

    IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
    
  • sososo
    Community Member
    edited July 2022

    Hi @floris_1P ,
    thanks for helping out. I fixed my typo (thanks for that) and did all the steps again in the following order

    1. Enabled the 1P SSH agent
    2. Logged into Linode and generated an SSH key
    3. Tried to log in via ssh without success. Same problem, no prompt.

    My Linode ssh config:

    Host linode
      User jdoe
      Hostname 123.123.123.123
      IdentitiesOnly yes
      IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
    

    I did not export SSH_AUTH_SOCK as I guess I don't need it if I use the agent.sock in the ssh config.

    I do however have the following settings which might affect things, what do you think? Disabling the below doesn't seem to improve anything.

    Host *
      UseKeychain yes
      AddKeysToAgent yes
      TCPKeepAlive yes
      ServerAliveInterval 59
      ServerAliveCountMax 3
    

    I also do the following check which all seems ok

    $ ssh-add -l
    256 SHA256:PfY15ZT3nH123123EcR7UdPSrJ+rtufgqf5CMDYKXYw aws (ED25519)
    $ SSH_AUTH_SOCK=~/.1password/agent.sock ssh-add -l
    256 SHA256:hE2UmRsuU123123xDFNeshruftNhRCiHblPEOXhL4c Linode (ED25519)
    

    What am I missing?

  • Could you share your ssh -v output? And with the typo now fixed, do you see anything appear in the 1Password logs when you run the failing SSH command?

  • sososo
    Community Member
    edited July 2022

    Hi @floris_1P ,

    Nothing showing up in the logs. This is my output:

    $ ssh -v linode
    OpenSSH_8.6p1, LibreSSL 3.3.6
    debug1: Reading configuration data /Users/jdoe/.ssh/config
    debug1: /Users/jdoe/.ssh/config line 1: Applying options for *
    debug1: /Users/jdoe/.ssh/config line 12: Applying options for linode
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
    debug1: /etc/ssh/ssh_config line 54: Applying options for *
    debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
    debug1: Connecting to 123.123.123.123 [123.123.123.123] port 22.
    debug1: Connection established.
    debug1: identity file /Users/jdoe/.ssh/id_rsa type -1
    debug1: identity file /Users/jdoe/.ssh/id_rsa-cert type -1
    debug1: identity file /Users/jdoe/.ssh/id_dsa type -1
    debug1: identity file /Users/jdoe/.ssh/id_dsa-cert type -1
    debug1: identity file /Users/jdoe/.ssh/id_ecdsa type -1
    debug1: identity file /Users/jdoe/.ssh/id_ecdsa-cert type -1
    debug1: identity file /Users/jdoe/.ssh/id_ecdsa_sk type -1
    debug1: identity file /Users/jdoe/.ssh/id_ecdsa_sk-cert type -1
    debug1: identity file /Users/jdoe/.ssh/id_ed25519 type -1
    debug1: identity file /Users/jdoe/.ssh/id_ed25519-cert type -1
    debug1: identity file /Users/jdoe/.ssh/id_ed25519_sk type -1
    debug1: identity file /Users/jdoe/.ssh/id_ed25519_sk-cert type -1
    debug1: identity file /Users/jdoe/.ssh/id_xmss type -1
    debug1: identity file /Users/jdoe/.ssh/id_xmss-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_8.6
    debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8
    debug1: compat_banner: match: OpenSSH_8.8 pat OpenSSH* compat 0x04000000
    debug1: Authenticating to 123.123.123.123:22 as 'jdoe'
    debug1: load_hostkeys: fopen /Users/jdoe/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: curve25519-sha256
    debug1: kex: host key algorithm: ssh-ed25519
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: SSH2_MSG_KEX_ECDH_REPLY received
    debug1: Server host key: ssh-ed25519 SHA256:0WN3ivkenyByHO3n9/LAMTDMBF7ShbxxBbtk3CJCrY0
    debug1: load_hostkeys: fopen /Users/jdoe/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug1: checking without port identifier
    debug1: load_hostkeys: fopen /Users/jdoe/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug1: Host '123.123.123.123' is known and matches the ED25519 host key.
    debug1: Found key in /Users/jdoe/.ssh/known_hosts:445
    debug1: found matching key w/out port
    debug1: check_host_key: hostkey not known or explicitly trusted: disabling UpdateHostkeys
    debug1: rekey out after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: rekey in after 134217728 blocks
    debug1: Will attempt key: /Users/jdoe/.ssh/id_rsa
    debug1: Will attempt key: /Users/jdoe/.ssh/id_dsa
    debug1: Will attempt key: /Users/jdoe/.ssh/id_ecdsa
    debug1: Will attempt key: /Users/jdoe/.ssh/id_ecdsa_sk
    debug1: Will attempt key: /Users/jdoe/.ssh/id_ed25519
    debug1: Will attempt key: /Users/jdoe/.ssh/id_ed25519_sk
    debug1: Will attempt key: /Users/jdoe/.ssh/id_xmss
    debug1: SSH2_MSG_EXT_INFO received
    debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /Users/jdoe/.ssh/id_rsa
    debug1: Trying private key: /Users/jdoe/.ssh/id_dsa
    debug1: Trying private key: /Users/jdoe/.ssh/id_ecdsa
    debug1: Trying private key: /Users/jdoe/.ssh/id_ecdsa_sk
    debug1: Trying private key: /Users/jdoe/.ssh/id_ed25519
    debug1: Trying private key: /Users/jdoe/.ssh/id_ed25519_sk
    debug1: Trying private key: /Users/jdoe/.ssh/id_xmss
    debug1: Next authentication method: keyboard-interactive
    debug1: Authentications that can continue: publickey,keyboard-interactive
    debug1: No more authentication methods to try.
    jdoe@123.123.123.123: Permission denied (publickey,keyboard-interactive).
    
  • Ah I see, you've set IdentitiesOnly yes for linode, try removing that line.

  • sososo
    Community Member

    Hi @floris_1P,
    I commented out IdentitiesOnly and ran the command again. Still no 1Password entries in 1Password.

    $ ssh linode -v
    OpenSSH_8.6p1, LibreSSL 3.3.6
    debug1: Reading configuration data /Users/jdoe/.ssh/config
    debug1: /Users/jdoe/.ssh/config line 1: Applying options for *
    debug1: /Users/jdoe/.ssh/config line 12: Applying options for linode
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
    debug1: /etc/ssh/ssh_config line 54: Applying options for *
    debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
    debug1: Connecting to 123.123.123.123 [123.123.123.123] port 22.
    debug1: Connection established.
    debug1: identity file /Users/jdoe/.ssh/id_rsa type -1
    debug1: identity file /Users/jdoe/.ssh/id_rsa-cert type -1
    debug1: identity file /Users/jdoe/.ssh/id_dsa type -1
    debug1: identity file /Users/jdoe/.ssh/id_dsa-cert type -1
    debug1: identity file /Users/jdoe/.ssh/id_ecdsa type -1
    debug1: identity file /Users/jdoe/.ssh/id_ecdsa-cert type -1
    debug1: identity file /Users/jdoe/.ssh/id_ecdsa_sk type -1
    debug1: identity file /Users/jdoe/.ssh/id_ecdsa_sk-cert type -1
    debug1: identity file /Users/jdoe/.ssh/id_ed25519 type -1
    debug1: identity file /Users/jdoe/.ssh/id_ed25519-cert type -1
    debug1: identity file /Users/jdoe/.ssh/id_ed25519_sk type -1
    debug1: identity file /Users/jdoe/.ssh/id_ed25519_sk-cert type -1
    debug1: identity file /Users/jdoe/.ssh/id_xmss type -1
    debug1: identity file /Users/jdoe/.ssh/id_xmss-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_8.6
    debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8
    debug1: compat_banner: match: OpenSSH_8.8 pat OpenSSH* compat 0x04000000
    debug1: Authenticating to 123.123.123.123:22 as 'jdoe'
    debug1: load_hostkeys: fopen /Users/jdoe/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: curve25519-sha256
    debug1: kex: host key algorithm: ssh-ed25519
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: SSH2_MSG_KEX_ECDH_REPLY received
    debug1: Server host key: ssh-ed25519 SHA256:0WN3ivkenyByHO3n9/LAMTDMBF7ShbxxBbtk3CJCrY0
    debug1: load_hostkeys: fopen /Users/jdoe/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug1: checking without port identifier
    debug1: load_hostkeys: fopen /Users/jdoe/.ssh/known_hosts2: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
    debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
    debug1: Host '123.123.123.123' is known and matches the ED25519 host key.
    debug1: Found key in /Users/jdoe/.ssh/known_hosts:445
    debug1: found matching key w/out port
    debug1: check_host_key: hostkey not known or explicitly trusted: disabling UpdateHostkeys
    debug1: rekey out after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: rekey in after 134217728 blocks
    debug1: Will attempt key: Linode ED25519 SHA256:hE2UmRsuU5E12345DFNenxC4zILNhRCiHblPEOXhL4c agent
    debug1: Will attempt key: /Users/jdoe/.ssh/id_rsa
    debug1: Will attempt key: /Users/jdoe/.ssh/id_dsa
    debug1: Will attempt key: /Users/jdoe/.ssh/id_ecdsa
    debug1: Will attempt key: /Users/jdoe/.ssh/id_ecdsa_sk
    debug1: Will attempt key: /Users/jdoe/.ssh/id_ed25519
    debug1: Will attempt key: /Users/jdoe/.ssh/id_ed25519_sk
    debug1: Will attempt key: /Users/jdoe/.ssh/id_xmss
    debug1: SSH2_MSG_EXT_INFO received
    debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Offering public key: Linode ED25519 SHA256:hE2UmRsuU5E12345DFNenxC4zILNhRCiHblPEOXhL4c agent
    debug1: Authentications that can continue: publickey,keyboard-interactive
    debug1: Trying private key: /Users/jdoe/.ssh/id_rsa
    debug1: Trying private key: /Users/jdoe/.ssh/id_dsa
    debug1: Trying private key: /Users/jdoe/.ssh/id_ecdsa
    debug1: Trying private key: /Users/jdoe/.ssh/id_ecdsa_sk
    debug1: Trying private key: /Users/jdoe/.ssh/id_ed25519
    debug1: Trying private key: /Users/jdoe/.ssh/id_ed25519_sk
    debug1: Trying private key: /Users/jdoe/.ssh/id_xmss
    debug1: Next authentication method: keyboard-interactive
    debug1: Authentications that can continue: publickey,keyboard-interactive
    debug1: No more authentication methods to try.
    jdoe@123.123.123.123: Permission denied (publickey,keyboard-interactive).
    

    This seems better. I checked the fingerprint in 1Password and it is the correct key but still no prompt.

    debug1: Will attempt key: Linode ED25519 SHA256:hE2UmRsuU5E12345DFNenxC4zILNhRCiHblPEOXhL4c agent
    

    On the subject of IdentitiesOnly, I had to add it because I have so many keys in .ssh. If I put all my keys (20 or so keys) in 1Password, will I not run into the same problem (Too many authentication failures), and if I can't use IdentitiesOnly, should I even try? Love what you are doing for SSH though.

    I worked a bit more on it and added my NAS and RPI. I got them both working! I thought it might have something to do with the port on which SSH is listening but 1P also works when connecting to SSH on a port which is not 22. This is all very odd. I will continue trying to figure it out but the verdict for now is that it works on some ssh connections and not others.

  • floris_1P
    edited July 2022

    Great to hear you got it working with your NAS and Pi! For the Linode server: looking at the logs, the public key now does get properly offered to the server, but it seems like the server doesn't accept it. DigitalOcean has some nice tips on troubleshooting SSH in their docs, which might help you out.

    About IdentitiesOnly and the Too many authentication failures error, we have an article in our docs portal about that.
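
The reading of the two `ssh -v` traces in this thread (agent key never listed in the first, key offered but not accepted in the second) can be automated. The script below is an added example, not part of the original discussion or 1Password's tooling; the function names and verdict strings are assumptions made for illustration, and the sample trace is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify where agent-based public-key
# authentication stalls, using the debug1 lines that `ssh -v` prints.
# Real use: ssh -v <host> 2>&1 | triage_ssh_debug

count() {  # count lines of $1 matching pattern $2; prints 0 when none match
    printf '%s\n' "$1" | grep -c -- "$2" || true
}

triage_ssh_debug() {
    log=$(cat)
    listed=$(count "$log" 'debug1: Will attempt key: .* agent[[:space:]]*$')
    offered=$(count "$log" 'debug1: Offering public key: .* agent[[:space:]]*$')
    accepted=$(count "$log" 'debug1: Server accepts key: ')

    if [ "$listed" -eq 0 ]; then
        # ssh never pulled a key from the agent: wrong IdentityAgent socket
        # path, or IdentitiesOnly limiting ssh to identity files.
        echo "agent-key-not-listed"
    elif [ "$offered" -eq 0 ]; then
        # Agent keys were listed but authentication ended before one was sent.
        echo "agent-key-not-offered"
    elif [ "$accepted" -eq 0 ]; then
        # Key reached the server and was refused: compare its fingerprint with
        # the entries in the account's authorized_keys on the server.
        echo "server-rejected-key"
    else
        # Server accepted the key; only now is the agent asked to sign.
        echo "server-accepted-key"
    fi
}

# Constructed sample (placeholder fingerprint), shaped like the second trace above.
sample_offered_but_rejected() {
    cat <<'EOF'
debug1: Will attempt key: Linode ED25519 SHA256:CONSTRUCTEDFINGERPRINT agent
debug1: Will attempt key: /Users/jdoe/.ssh/id_rsa
debug1: Offering public key: Linode ED25519 SHA256:CONSTRUCTEDFINGERPRINT agent
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
EOF
}

sample_offered_but_rejected | triage_ssh_debug   # prints: server-rejected-key
```

A `server-rejected-key` verdict points at the server side, since ssh requests a signature from the agent only after the server has accepted the offered public key.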

  • sososo
    Community Member

    Hi @floris_1P, sorry for the late reply and thanks for the documentation. I'll implement the recommendations and read up on the DO doc. I'll get there, it's just a matter of finding the time to troubleshoot.

    Thanks for your help!

  • sososo
    Community Member

    @floris_1P , I found the problem and it was embarrassingly stupid of me. I simply forgot to add the pub key to the server. I was sure I'd added it but it seems I only had the original one there.

    It all works great and I'm loving it. What a great feature!

    Thanks for all your help.

This discussion has been closed.