April 9, 2022
Question

Bug: SSH agent cannot be used when connected via Remote Desktop

  • 14 replies
  • 845 views

I'm using the 1Password 8 Windows beta with the SSH agent enabled and configured with a couple SSH keys. When functioning normally, 1Password asks for a Windows Hello PIN to unlock my SSH keys, and everything works fine.

However, when connected to my PC via Microsoft Remote Desktop (with the official client on macOS, if that makes a difference), I cannot unlock my SSH key. 1Password asks for my master password, which I provide, but the SSH agent refuses the operation.

With git, for example:

```
sign_and_send_pubkey: signing failed: agent refused operation
sign_and_send_pubkey: signing failed: agent refused operation
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```


1Password Version: 8.7.0
Extension Version: Not Provided
OS Version: Windows 11 build 21H2

floris_1P
1Password Employee
April 12, 2022

Do you see anything appear in the 1Password logs when you run the failing SSH command? On Windows: %LOCALAPPDATA%/1Password/logs.

And when using RDP, does the regular 1Password unlock work with Windows Hello? Or is it only SSH that's failing?

April 16, 2022

Hi,

I believe these log lines are relevant:


```
ERROR 2022-04-16T21:27:33.605 op_executor:invocation_loop(ThreadId(22)) [1P:C:\builds\dev\core\core\op-ui\src\item_action\mod.rs:106] ItemWithIdNotFound(ItemId(743))
INFO 2022-04-16T21:27:34.149 tokio-runtime-worker(ThreadId(12)) [1P:op-app\src\app\backend\unlock.rs:241] System unlock was attempted but we cannot use it.
WARN 2022-04-16T21:27:34.155 tokio-runtime-worker(ThreadId(10)) [1P:op-app\src\app\backend\lock_screen.rs:71] Biometry is unavailable: BiometryUnavailable
```

> And when using RDP, does the regular 1Password unlock work with Windows Hello? Or is it only SSH that's failing?

When using RDP, I cannot unlock 1Password with Windows Hello either, but it falls back to asking for my master password. When using SSH, there's no password fallback, just an error, which makes my keys unusable.
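
An added example, not part of the thread and not 1Password's code: a small triage script that parses log lines in the layout quoted in the post above and reports each `BiometryUnavailable` record together with whether a system-unlock attempt was logged just before it. The field layout is inferred from those three lines only, and the function names and the one-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Layout inferred from the three lines quoted in the post (an assumption, not a
# documented format): LEVEL timestamp thread [1P:source:line] message
LINE_RE = re.compile(
    r"^(?P<level>[A-Z]+)\s+"
    r"(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{1,6})\s+"
    r"(?P<thread>\S+)\s+"
    r"\[1P:(?P<src>[^\]]+):(?P<lineno>\d+)\]\s+"
    r"(?P<msg>.*)$"
)

# The log lines from the post, copied verbatim.
SAMPLE = r"""
ERROR 2022-04-16T21:27:33.605 op_executor:invocation_loop(ThreadId(22)) [1P:C:\builds\dev\core\core\op-ui\src\item_action\mod.rs:106] ItemWithIdNotFound(ItemId(743))
INFO 2022-04-16T21:27:34.149 tokio-runtime-worker(ThreadId(12)) [1P:op-app\src\app\backend\unlock.rs:241] System unlock was attempted but we cannot use it.
WARN 2022-04-16T21:27:34.155 tokio-runtime-worker(ThreadId(10)) [1P:op-app\src\app\backend\lock_screen.rs:71] Biometry is unavailable: BiometryUnavailable
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S.%f")
    rec["lineno"] = int(rec["lineno"])
    return rec


def biometry_fallback_events(lines, window=timedelta(seconds=1)):
    """List each BiometryUnavailable record and whether a system-unlock
    attempt was logged within `window` before it."""
    events, last_attempt = [], None
    for rec in filter(None, map(parse_line, lines)):
        if "System unlock was attempted" in rec["msg"]:
            last_attempt = rec["ts"]
        elif "BiometryUnavailable" in rec["msg"]:
            near = last_attempt is not None and rec["ts"] - last_attempt <= window
            events.append({"at": rec["ts"], "source": rec["src"],
                           "after_unlock_attempt": near})
    return events


if __name__ == "__main__":
    for event in biometry_fallback_events(SAMPLE.splitlines()):
        print(event)
```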

floris_1P
1Password Employee
April 19, 2022

Unfortunately there's nothing we can do about this at this very moment. However, we are working on an alternative prompt that doesn't require Windows Hello, which can also be used here.

April 19, 2022

Great, thank you!

I forgot to mention it but when using an SSH key on macOS, when Touch ID is unavailable (i.e. when the laptop lid is closed), 1Password properly prompts for the master password instead. These two flows seem like they should be identical.

floris_1P
1Password Employee
April 19, 2022

Correct, on macOS there is already a fallback in place (which will be improved as well with the work we're doing for Windows and Linux).

July 18, 2022

Is there an update on when the fallback will be implemented for Windows? Would that also remove the requirement for having Windows Hello enabled at all?

floris_1P
1Password Employee
July 18, 2022

@mxk I can't make any promises on timelines, but I can tell you that it's high on our list, with designs being finalized at the moment. And yes: that will fully remove the Hello requirement!

September 1, 2022

@floris_1P do we have a better timeline for this now? Just ran into this myself and will have to work around it by having private keys outside my vault for the time being.

floris_1P
1Password Employee
September 5, 2022

@enlightenedluke No updates on the timeline, but we have reached the implementation phase. We'll eventually do an early access with our Slack workspace, which you can join here if you're interested.

January 30, 2023

@enlightenedluke Is there any news regarding this issue?