Skip to main content
March 25, 2022
Question

Git and Azure DevOPS: agent refused operation

  • March 25, 2022
  • 12 replies
  • 1215 views

I struggle getting my GIT repositories in Azure working with 1Password keeping my SSH keys. Beside that Azure does not support Ed25519 keys (sigh), so I had to create a RSA key for it, authentication with it fails as soon as I activate the two lines for "Host *" and "IdentityAgent" pointing to the 1Password socket:
--- 8< ---
sign_and_send_pubkey: signing failed for RSA "/Users/myuser/.ssh/id_rsa_azure.pub" from agent: agent refused operation
--- 8< ---
(it also fails without setting IdentityFile and IdentitiesOnly btw.)

Exporting the key and using old fashioned file based key authentication works though.

Working with other GIT servers works, so I think this is a "Azure-Thing".


1Password Version: 8.7.0 (80700012)
Extension Version: Not Provided
OS Version: 12.2.1 (21D62)

12 replies

floris_1P
1Password Employee
March 30, 2022

Yes, this is because Azure DevOps only supports legacy ssh-rsa SHA-1 signatures. We're working on adding support for those as well.

May 13, 2022

Hi,

I think i've created a ssh-rsa key for azure devops now, however i'm getting the same error. Is this issue fixed yet?

May 14, 2022

AFAIK there is no support for Azure DevOPS (or the other way around: Azure DevOPS doesn't support the better algorithms) yet. My workaround: I added the following to my .ssh/config file:

Host ssh.dev.azure.com
IdentityFile ~/.ssh/id_rsa
IdentitiesOnly yes
IdentityAgent /private/tmp/com.apple.launchd.znyst9AFDG/Listeners

August 8, 2022

Anyone know what the workaround would be on Linux?
I have the identity file in ~/.ssh, but it seems no matter what I do, the 1password SSH agent is taking over.

SSH_AUTH_SOCK="" git fetch
sign_and_send_pubkey: signing failed for RSA "/home/user/.ssh/id_rsa" from agent: agent refused operation

August 8, 2022

I figured out I can just define this ssh config above the Host * IdentityAgent in ~/.ssh/config to workaround

August 9, 2022

Glad you found a solution, @zigford. And thanks for sharing it!

August 9, 2022

Update. Don't know why, but my workaround stopped working.
New workaround that is working currently:

Define the following above the IdentityAgent definition, so the ~/.ssh/config should look like this:

Host ssh.dev.azure.com
HostName ssh.dev.azure.com
User git
IdentityFile ~/.ssh/id_rsa
PubkeyAcceptedAlgorithms +ssh-rsa
HostkeyAlgorithms +ssh-rsa
IdentitiesOnly yes
IdentityAgent /dev/null
Host *
IdentityAgent ~/.1password/agent.sock
AddKeysToAgent yes

August 10, 2022

Hi @zigford!

As of the latest nightly release, 1Password supports ssh-rsa (SHA-1). So if you update to the latest nightly you can also store your Azure DevOPS SSH key in 1Password.

XIII
August 10, 2022

Excellent news. Thank you!

August 10, 2022

Thanks @MartonS1P, can you point me in the direction of the nightly releases? I've googled around and cannot find it. I'm on Linux.