Skip to main content
February 16, 2022
Question

Just tried to configure 1Password SSH and am having trouble (Windows 11)

  • February 16, 2022
  • 21 replies
  • 13628 views

Hi, I get an error when I try the test recommended in the set up document. When I run ssh -T git@github.com, I get

sign_and_send_pubkey: signing failed: agent refused operation
git@github.com: Permission denied (publickey).

I'm using an existing RSA pem key I've used for github for many years. I imported it into 1Password and the fingerprint in github and in 1password match exactly. I installed the beta 8 version, I disabled openSSH service on my windows 11 machine, and I enabled the 1password SSH service in settings. I also turned on Windows Hello and set a pin. After all this, I restarted 1password.

If I run ssh-add -l, I see the single fingerprint I have imported into 1password.

If I go into 1password and disable the ssh service, I get

Error connecting to agent: No such file or directory

when running ssh-add -l so 1password SSH service is certainly being used

I just tried this command and found more info. ssh -vT git@github.com

debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:xxx agent
debug1: Server accepts key: RSA SHA256:xxx agent
sign_and_send_pubkey: signing failed: agent refused operation


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Windows 11

21 replies

February 16, 2022

Hi, I'm experiencing the same exact issue, I'm on Arch Linux on the latest desktop beta version.
However, ssh-add -l gives me


Error connecting to agent: No such file or directory

Of course, I enabled the SSH service in the settings as well.

February 16, 2022

@SV337, did you enable the service in the 1Password desktop app?

February 16, 2022

Further edits, if I generate a new SSH key and set up github, it works. My old password-protected PEM key is the one that fails. Very strange.

February 16, 2022

@TMoneyAllDey yes I enabled everything. That's weird because I also tried to generate a new SSH key and link it to Github but it didn't work. Did you use an RSA or Ed25519 key type ?

February 16, 2022

@SV337 , I used the new Ed25519 since my old keys are all RSA.

February 16, 2022

Your error reads like the 1password ssh service is failing to load. Can you try this command ssh -vT git@github.com?

February 16, 2022

Sure, I get more or less the same thing as you did:


debug1: Will attempt key: ED25519 SHA256:DGsj4tgVBWjC1KKhu7jhs5HA/1CiY+e8YoH+uWA3GRw agent
debug1: Will attempt key: ED25519 SHA256:X1vpNjmAwANO/gPVdvde1J/e+ZBmQELv+7raKMIgGdQ agent
debug1: Will attempt key: ED25519 SHA256:vwjBnRxnegnivkKfqRt0FxOGsyoSVJ0st2YNs4nyPkQ agent
debug1: Will attempt key: ED25519 SHA256:/3qGzZTtnZL7SiYcqlhaEupbDfXn4jEJrqJWNhLUs3o agent
[...]
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: ED25519 SHA256:DGsj4tgVBWjC1KKhu7jhs5HA/1CiY+e8YoH+uWA3GRw agent
debug1: Server accepts key: ED25519 SHA256:DGsj4tgVBWjC1KKhu7jhs5HA/1CiY+e8YoH+uWA3GRw agent
sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation
debug1: Offering public key: ED25519 SHA256:X1vpNjmAwANO/gPVdvde1J/e+ZBmQELv+7raKMIgGdQ agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: ED25519 SHA256:vwjBnRxnegnivkKfqRt0FxOGsyoSVJ0st2YNs4nyPkQ agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: ED25519 SHA256:/3qGzZTtnZL7SiYcqlhaEupbDfXn4jEJrqJWNhLUs3o agent
debug1: Server accepts key: ED25519 SHA256:/3qGzZTtnZL7SiYcqlhaEupbDfXn4jEJrqJWNhLUs3o agent
sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation
[...]
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).

I have 4 keys setup on 1password at the moment, so I'm guessing it's able to retrieve these from the agent correctly.

February 16, 2022

@TMoneyAllDey Sure, I get more or less the same thing as you did:


debug1: Will attempt key: ED25519 SHA256:<sha256sum> agent
debug1: Will attempt key: ED25519 SHA256:<sha256sum> agent
debug1: Will attempt key: ED25519 SHA256:<sha256sum> agent
debug1: Will attempt key: ED25519 SHA256:<sha256sum> agent
[...]
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: ED25519 SHA256:<sha256sum> agent
debug1: Server accepts key: ED25519 SHA256:<sha256sum> agent
sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation
debug1: Offering public key: ED25519 SHA256:<sha256sum> agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: ED25519 SHA256:<sha256sum> agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: ED25519 SHA256: agent
debug1: Server accepts key: ED25519 SHA256:<sha256sum> agent
sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation
[...]
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).

I have 4 SSH keys on my 1Password vault at the moment, so it looks like it is able to retrieve these from the agent correctly.

February 16, 2022

Yeah, it looks like it is picking them up. We might have to wait until a 1password tech gets here.

February 16, 2022

Interesting, I'm pretty much at the same place.

I've added a few of my keys to my vault, and ssh-add -l lists them all. When testing it with git@github.com, my systems behavior is pretty much the same as OP.


❯ ssh -vT git@github.com
OpenSSH_8.8p1, OpenSSL 1.1.1m 14 Dec 2021
debug1: Reading configuration data /home/ndo/.ssh/config
debug1: /home/ndo/.ssh/config line 11: Applying options for github.com
debug1: /home/ndo/.ssh/config line 541: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to github.com [140.82.121.4] port 22.
debug1: Connection established.
debug1: identity file /home/ndo/.ssh/id_ndo4.pub type 0
debug1: identity file /home/ndo/.ssh/id_ndo4.pub-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version babeld-e1420b26
debug1: compat_banner: no match: babeld-e1420b26
debug1: Authenticating to github.com:22 as 'git'
debug1: load_hostkeys: fopen /home/ndo/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-rsa SHA256:abc123
debug1: load_hostkeys: fopen /home/ndo/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'github.com' is known and matches the RSA host key.
debug1: Found key in /home/ndo/.ssh/known_hosts:41
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/ndo/.ssh/id_ndo4.pub RSA SHA256:abc123 explicit agent
debug1: Will attempt key: RSA SHA256:abc123 agent
debug1: Will attempt key: ED25519 SHA256:abc123 agent
debug1: Will attempt key: RSA SHA256:abc123 agent
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/ndo/.ssh/id_ndo4.pub RSA SHA256:abc123 explicit agent <-- this is the correct public key that should work imo
debug1: Server accepts key: /home/ndo/.ssh/id_ndo4.pub RSA SHA256:abc123 explicit agent
sign_and_send_pubkey: signing failed for RSA "/home/ndo/.ssh/id_ndo4.pub" from agent: agent refused operation
debug1: Offering public key: RSA SHA256:abc123 agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: ED25519 SHA256:abc123 agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: RSA SHA256:abc123 agent
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).
~
❯ ssh-add -l
2048 SHA256:abc123 (RSA)
4096 SHA256:abc123 (RSA)
256 SHA256:abc123 (ED25519)
2048 SHA256:abc123 (RSA)

I see the agent.sock file in ~/.1password/ and lsof says an active 1Password process has it open.

I wanted to add, my .ssh/config entry for github.com looks like this:


host github.com
user git
IdentityAgent "~/.1password/agent.sock"
IdentityFile ~/.ssh/id_ndo4.pub

System:
Arch Linux 5.17
OP Cli 2.0.0-beta.12
OP App 8.6.0