ssh
549 Topics

Support for SSH Certificates (2024)
This question came up a couple of times in 2022, but it didn't look like anything was resolved. Since it's been two years...

For those unfamiliar with the concept, SSH certificates are host and user public keys, signed by your own internal SSH CA, that ease key approval and distribution, especially in large-scale environments. Once a user has created a public-private key-pair, the public key is signed by an (internal) SSH CA. The user then uses ssh-add to add the public key and, if present, the certificate file to the user's ssh agent. Here is a reasonably good writeup of how SSH certificates work.

Using stock ssh-add and ssh-agent on Mac OS 14, we can see the public key and certificate both being added to the agent:

    $ /usr/bin/ssh-add .ssh/id_ed25519
    Enter passphrase for .ssh/id_ed25519:
    Identity added: .ssh/id_ed25519 (<REDACTED>)
    Certificate added: .ssh/id_ed25519-cert.pub (chris)

A remote host, when properly configured, will verify that my user certificate has not expired (expiration and inception times) and was issued by a trusted CA, whose key would have already been added to the server. This eliminates the need for me to maintain an authorized_keys file on the remote end.

I was hoping to be able to store these keys in 1Password. That certainly works; however, 1Password does not support certificates in either the user interface or the ssh agent. 1Password derives public keys from private keys but does not provide a way for the user to upload the certificate file, above and beyond attaching an arbitrary file. The ssh agent behind the scenes presumably also does not support certificates.

For the moment, I have configured my ssh client to use the stock ssh-agent for the host that uses certificates, while everything else can go through 1Password.

Are there any plans to add support to the 1Password user interface and to the underlying ssh agent for certificates? Thanks!
1Password Version: 8.10
Extension Version: Not Provided
OS Version: macOS 14.2.1
Browser: Not Provided
412 Views, 7 likes, 3 Comments

op-ssh-sign is very slow
First of all, the SSH Agent is very nice! Thanks for this awesome feature.

Just wondering, the op-ssh-sign feels very slow and sluggish to me, especially when I'm using it for commit signing operations. I don't know if op-ssh-sign is the issue or if it's the ssh-agent. Signing a commit may take several seconds.

1Password Version: 8.10.16
Extension Version: Not Provided
OS Version: Arch Linux
Browser: Not Provided
286 Views, 3 likes, 4 Comments

1Password fails to prompt for approval when using Hyprland
I am using Hyprland, a dynamic Wayland compositor. When I execute git commit -m "chore: initial commit :tada:" I do not see a prompt. The behavior repeats for regular ssh commands as well. I did some searching but could not find anything specific about this issue anywhere else, so I am posting here.

I guess this has something to do with Hyprland being incorrectly identified as Sway somehow. My debug logs show the following:

    DEBUG 2025-01-23T15:43:15.270+00:00 runtime-worker(ThreadId(16)) [1P:ssh/op-ssh-agent/src/lib.rs:261] connection received
    DEBUG 2025-01-23T15:43:15.271+00:00 ThreadId(22) [1P:data/op-db/src/core_db/transaction.rs:66] COMMIT(tx#266(get_all_ssh_pubkeys))
    DEBUG 2025-01-23T15:43:15.271+00:00 ThreadId(22) [1P:data/op-db/src/core_db/transaction.rs:66] COMMIT(tx#267(get_ssh_pubkey))
    DEBUG 2025-01-23T15:43:15.271+00:00 ThreadId(22) [1P:data/op-db/src/core_db/transaction.rs:66] COMMIT(tx#268(save_ssh_pubkey))
    DEBUG 2025-01-23T15:43:15.285+00:00 ThreadId(22) [1P:data/op-db/src/core_db/transaction.rs:66] COMMIT(tx#269(get_ssh_pubkey))
    DEBUG 2025-01-23T15:43:15.285+00:00 ThreadId(22) [1P:data/op-db/src/core_db/transaction.rs:66] COMMIT(tx#270(save_ssh_pubkey))
    DEBUG 2025-01-23T15:43:15.290+00:00 runtime-worker(ThreadId(3)) [1P:ssh/op-ssh-agent/src/lib.rs:541] Handling SSH agent message: RequestIdentities
    DEBUG 2025-01-23T15:43:15.291+00:00 ThreadId(22) [1P:data/op-db/src/core_db/transaction.rs:66] COMMIT(tx#271(get_all_ssh_pubkeys))
    DEBUG 2025-01-23T15:43:15.291+00:00 ThreadId(22) [1P:data/op-db/src/core_db/transaction.rs:66] COMMIT(tx#272(get_all_ssh_pubkeys))
    DEBUG 2025-01-23T15:43:15.291+00:00 ThreadId(22) [1P:data/op-db/src/core_db/transaction.rs:66] COMMIT(tx#273(get_ssh_pubkey))
    DEBUG 2025-01-23T15:43:15.291+00:00 ThreadId(22) [1P:data/op-db/src/core_db/transaction.rs:66] COMMIT(tx#274(save_ssh_pubkey))
    DEBUG 2025-01-23T15:43:15.296+00:00 ThreadId(22) [1P:data/op-db/src/core_db/transaction.rs:66] COMMIT(tx#275(get_ssh_pubkey))
    DEBUG 2025-01-23T15:43:15.296+00:00 ThreadId(22) [1P:data/op-db/src/core_db/transaction.rs:66] COMMIT(tx#276(save_ssh_pubkey))
    DEBUG 2025-01-23T15:43:15.301+00:00 runtime-worker(ThreadId(16)) [1P:ssh/op-ssh-agent/src/lib.rs:541] Handling SSH agent message: SignRequest
    DEBUG 2025-01-23T15:43:15.302+00:00 runtime-worker(ThreadId(16)) [1P:foundation/op-linux-window/src/linux.rs:40] failed to connect to swaywm
    DEBUG 2025-01-23T15:43:15.303+00:00 runtime-worker(ThreadId(16)) [1P:ssh/op-ssh-agent/src/lib.rs:570] process info for client: SessionProcess { pid: 26152, tty_pid: Some(26153), executable_path: /usr/bin/foot, command_line: <Vec < String >>, application_name: <Option < String >>, application_icon: <Option < PathBuf >>, bundle_id: <Option < String >>, freedesktop_file: None }
    DEBUG 2025-01-23T15:43:15.303+00:00 ThreadId(22) [1P:data/op-db/src/core_db/transaction.rs:66] COMMIT(tx#277(get_all_ssh_pubkeys))
    DEBUG 2025-01-23T15:43:15.426+00:00 runtime-worker(ThreadId(16)) [1P:app/op-app/src/app/backend.rs:360] Invoked: Config
    DEBUG 2025-01-23T15:43:15.431+00:00 ThreadId(22) [1P:data/op-db/src/resources_db/transaction.rs:32] COMMIT(tx#114(resource))
    INFO 2025-01-23T15:44:15.272+00:00 runtime-worker(ThreadId(10)) [1P:ssh/op-ssh-agent/src/lib.rs:380] ssh authorization prompt timed out
    DEBUG 2025-01-23T15:44:15.272+00:00 runtime-worker(ThreadId(10)) [1P:ssh/op-ssh-agent/src/lib.rs:895] Cannot broadcast authorization prompt result; channel closed

1Password gets the request but fails to open the approval window due to the fact that it is trying to connect to swaywm.

FYI: I can connect to the 1Password SSH agent from the terminal, already verified that by looking at a few other community threads.

Is there anything I can do to help further debug or fix this issue? Not sure if this code is open so I can do a PR, but I would be more than happy to do so. Any help appreciated! Thank you.
1Password Version: 8.10.54
Extension Version: 8.10.56.28
OS Version: Arch Linux 6.12.10-arch1-1
Browser: Not Provided
168 Views, 2 likes, 5 Comments

ssh agent errors on older Cisco devices
It looks like there is an issue with the SSH agent when connecting to equipment using ssh-rsa for the host keys. Using ssh-rsa auth keys works fine; I am able to use the same key to connect to Ubuntu machines and other newer equipment.

This is the error I get when connecting to a Cisco switch running IOS 15.2(7)E5:

    debug1: Offering public key: /Users/user/.ssh/id_rsa RSA SHA256:hash agent
    debug3: send packet: type 50
    debug2: we sent a publickey packet, wait for reply
    debug3: receive packet: type 60
    debug1: Server accepts key: /Users/user/.ssh/id_rsa RSA SHA256:hash agent
    debug3: sign_and_send_pubkey: using publickey with RSA SHA256:hash
    debug3: sign_and_send_pubkey: signing using ssh-rsa SHA256:hash
    sign_and_send_pubkey: signing failed for RSA "/Users/user/.ssh/id_rsa" from agent: agent refused operation

This is what the 1Password log shows:

    WARN 2024-12-03T21:51:12.504+00:00 runtime-worker(ThreadId(8)) [1P:ssh/op-ssh-keys/src/private_key.rs:196] signing with ssh-rsa; SHA-1 may be insecure
    ERROR 2024-12-03T21:51:12.504+00:00 runtime-worker(ThreadId(8)) [1P:/Users/build/4kwQZK_M/0/dev/core/core/ssh/op-ssh-agent/src/lib.rs:665] Error handling sign request: UnsupportedOperation
    ERROR 2024-12-03T21:58:15.937+00:00 runtime-worker(ThreadId(2)) [1P:/Users/build/4kwQZK_M/0/dev/core/core/ssh/op-ssh-agent/src/lib.rs:665] Error handling sign request: UnsupportedOperation

These are required configs to connect to these switches in the ssh config file:

    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa

Is there a way to connect to these older devices with the 1Password agent? For now I am using the -i flag and supplying my original key file as a workaround. I'm really trying to get rid of these key files on my machine now.

1Password Version: 8.10.54
Extension Version: Not Provided
OS Version: macOS 15.1.1
Browser: Not Provided
85 Views, 2 likes, 2 Comments

Can't export SSH private key with empty passphrase in Android
I'm using the 1Password Android app version 8.10.54.

When exporting an SSH private key, a dialog appears asking me to enter a passphrase to encrypt the exported key. In the dialog, it states that if you leave the passphrase empty, the exported key will be in plain text. However, when I click the "Copy Private Key Without Encryption" button below, the input box turns red and nothing else happens. It seems like the input box is incorrectly set to require an entry.

In the Mac version of 1Password, the "Copy Private Key Unencrypted" button works perfectly, so I believe it's a bug in the Android version.

1Password Version: 8.10.54
Extension Version: Not Provided
OS Version: Android 14 One UI 6.1.1
Browser: Not Provided
44 Views, 2 likes, 0 Comments

SSH Agent not working after 8.10.54 update
After updating from 8.10.52 to 8.10.54, SSH Agent is no longer working as expected, and the issue persists in the 8.10.56 beta update.

When attempting to SSH into a server, the prompt appears and the request is approved, but the SSH client gets an error from the agent:

    sign_and_send_pubkey: signing failed for RSA "SSH Key" from agent: agent refused operation

Have also attempted enabling/disabling ssh agent, reinstalling 1Password, etc.

Issue also occurs for other users in my business account.

1Password Version: 8.5.52
Extension Version: Not Provided
OS Version: Mac 15.1
Browser: Not Provided
176 Views, 2 likes, 5 Comments

[wayland] signing failed: communication with agent failed
Similar to what has been reported in https://1password.community/discussion/comment/630417

    ssh -T git@github.zattoo.com
    sign_and_send_pubkey: signing failed for ED25519 "id_ed25519" from agent: communication with agent failed
    git@github.zattoo.com: Permission denied (publickey).

This is what I see in $HOME/.config/1Password/logs/1Password_rCURRENT.log:

    INFO 2024-09-10T08:34:31.842+00:00 tokio-runtime-worker(ThreadId(121)) [1P:foundation/op-system-auth/src/lib.rs:327] Biometry is available for 1 or more accounts
    INFO 2024-09-10T08:35:31.795+00:00 tokio-runtime-worker(ThreadId(7)) [1P:ssh/op-ssh-agent/src/lib.rs:366] ssh authorization prompt timed out

openssh version: 9.8p1-1

1Password Version: 8.10.44-34
Extension Version: 8.10.44.34
OS Version: archlinux
Browser: Brave
75 Views, 2 likes, 0 Comments

Prompt for authorization each time when ssh agent ask for key even unlocked
Currently, if we unlock the 1password for one time, then the ssh-agent will automatically allow all subsequent private access. If we have the choice to prompt for authorization each time (not limited to the choices in the figure), then we can safely forward our agent to the remote server as when others try to ask for the private key, we need to authorize manually.

1Password Version: 8.10.36 (81036049)
Extension Version: Not Provided
OS Version: macOS 14.6
Browser: Not Provided
32 Views, 2 likes, 1 Comment