Skip to main content
February 16, 2022
Question

Just tried to configure 1Password SSH and am having trouble (Windows 11)

  • February 16, 2022
  • 21 replies
  • 13628 views

Hi, I get an error when I try the test recommended in the set up document. When I run ssh -T git@github.com, I get

sign_and_send_pubkey: signing failed: agent refused operation
git@github.com: Permission denied (publickey).

I'm using an existing RSA pem key I've used for github for many years. I imported it into 1Password and the fingerprint in github and in 1password match exactly. I installed the beta 8 version, I disabled openSSH service on my windows 11 machine, and I enabled the 1password SSH service in settings. I also turned on Windows Hello and set a pin. After all this, I restarted 1password.

If I run ssh-add -l, I see the single fingerprint I have imported into 1password.

If I go into 1password and disable the ssh service, I get

Error connecting to agent: No such file or directory

when running ssh-add -l so 1password SSH service is certainly being used

I just tried this command and found more info. ssh -vT git@github.com

debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:xxx agent
debug1: Server accepts key: RSA SHA256:xxx agent
sign_and_send_pubkey: signing failed: agent refused operation


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Windows 11

21 replies

innocenzi
February 16, 2022

I'm having a similar issue on Windows, where the SSH key works, but I still get sign_and_send_pubkey: signing failed: agent refused operation.

```
➜ ssh -T mailto:git@github.com
sign_and_send_pubkey: signing failed: agent refused operation
Hi xxx! You've successfully authenticated, but GitHub does not provide shell access.

➜ ssh-add -l
256 SHA256:xxx (ED25519)
```

EDIT: well, in my case, restarting the gpg agent fixed it!

February 17, 2022

Sure, I get more or less the same thing as you can


debug1: Will attempt key: ED25519 SHA256:DGsj4tgVBWjC1KKhu7jhs5HA/1CiY+e8YoH+uWA3GRw agent
debug1: Will attempt key: ED25519 SHA256:X1vpNjmAwANO/gPVdvde1J/e+ZBmQELv+7raKMIgGdQ agent
debug1: Will attempt key: ED25519 SHA256:vwjBnRxnegnivkKfqRt0FxOGsyoSVJ0st2YNs4nyPkQ agent
debug1: Will attempt key: ED25519 SHA256:/3qGzZTtnZL7SiYcqlhaEupbDfXn4jEJrqJWNhLUs3o agent
[...]
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: ED25519 SHA256:DGsj4tgVBWjC1KKhu7jhs5HA/1CiY+e8YoH+uWA3GRw agent
debug1: Server accepts key: ED25519 SHA256:DGsj4tgVBWjC1KKhu7jhs5HA/1CiY+e8YoH+uWA3GRw agent
sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation
debug1: Offering public key: ED25519 SHA256:X1vpNjmAwANO/gPVdvde1J/e+ZBmQELv+7raKMIgGdQ agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: ED25519 SHA256:vwjBnRxnegnivkKfqRt0FxOGsyoSVJ0st2YNs4nyPkQ agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: ED25519 SHA256:/3qGzZTtnZL7SiYcqlhaEupbDfXn4jEJrqJWNhLUs3o agent
debug1: Server accepts key: ED25519 SHA256:/3qGzZTtnZL7SiYcqlhaEupbDfXn4jEJrqJWNhLUs3o agent
sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation
[...]
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).

I have 4 SSH keys on my 1Password vault at the moment, so it looks like it is able to retrieve these from the agent correctly.

February 19, 2022

In my ~/.config/1Password/logs/1Password_rCURRENT.log file, I now see a bunch of lines of


WARN 2022-02-19T12:31:26.930 tokio-runtime-worker(ThreadId(4)) [1P:ssh/op-ssh-agent/src/lib.rs:252] Unable to get client_info for pid: 123

Whenever I try to use the agent, i.e. with the Github test cmd (ssh -T git@github.com) and see the agent refused operationo error message.

Before these error messages, I do see some INFO type messages that the SSH agent was successfully started though!

February 22, 2022

Just a quick message to say that the issue was coming from tmux on my side. It is apparently a known issue that the 1Password team is working on.

When trying it under alacritty + zsh without tmux it is working fine. I'll wait for the fix to land to start using it!

February 26, 2022

@SV337 thanks for the update! I tried it without tmux, however with alacritty + bash, and still wasn't able to get it to work. Sounds like the team is on it though, I'll hang tight as well and keep an eye on this thread! :)

In case it helps, the 1Password_rCURRENT.log file now said Session was not authorized for each attempt from that alacritty / bash (w/o Tmux) window.

I tried restarting the agent by unchecking and rechecking the option in the desktop 1P 8 client and saw SSH Agent is stopping and then SSH agent is starting in the logs. However, it immediately went back to Session was not authorized after attempting to login via SSH with the Agent set in ~/.ssh/config.

I also intermittently had messages saying New unlock was suppressed because a previous unlock was rejected or the lock screen was displayed, between these "Session not authorized" logs.

floris_1P
1Password Employee
March 16, 2022

Hey all, we've implemented some fixes that could solve some of the issues mentioned above, which are available on the latest stable and beta release.

Let us know if that fixes your issues.

@TMoneyAllDey For the Windows issue with RSA, do you see anything appear in the logs (%LOCALAPPDATA%/1Password/logs) when you run your SSH command? And you're saying it does work when you generate a new Ed25519 key using 1Password, but what happens if you generate a new RSA key using 1Password?

March 18, 2022

I am experiencing similar problems.
* 1Password for Mac 8.6.0 80600081, on BETA channel
* 1Password for Mac 8.7.0 80700002, on BETA channel

Created Ed25519 key for GitHub in 1Password and set IdentityAgent in ~/.ssh/config.
(There are no other settings in ~/.ssh/config).
And ssh -T git@github.com succeeded.

Next, a key was created with RSA (4096 bits) to connect to another host.
ssh user@my-host and was prompted to unlock by Touch ID, but could not connect.
When the -vT option was enabled, the following log was displayed.


...
debug1: Will attempt key: GitHub SSH chatii ED25519 SHA256:{} agent
debug1: Will attempt key: insprout ProxyServer chatii SSH Key RSA SHA256:{} agent
...
debug1: Authentications that can continue: publickey
debug1: Offering public key: my host RSA SHA256:{} agent
debug1: Server accepts key: my host RSA SHA256:{} agent
sign_and_send_pubkey: signing failed for RSA "my host SSH Key" from agent: agent refused operation
...
debug1: No more authentication methods to try.
user@myhost: Permission denied (publickey).

To find out where the problem lies, copy the private key generated by 1Password to ~/.ssh/my-host and try ssh -i ~/.ssh/my-host user@myhost - this method works.

I have also tried disabling and enabling the SSH agent in 1Password and upgrading (8.6.0 => 8.7.0), but this does not fix the problem.

K_J__1P
1Password Employee
March 18, 2022

@chatii A possible cause is the client/server is attempting key exchange with ssh-rsa (RSA with SHA1) which is not supported. 1Password currently only supports rsa-sha2-512 and rsa-sha2-256 for RSA keys. A quick way to test is with the following command:

```

Github supports rsa-sha2 and it takes precedence over ssh-rsa

ssh -vvT git@github.com ls |& grep 'peer server KEXINIT proposal' -A3 | grep 'host key algorithms'
debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa

Azure DevOps only supports ssh-rsa

ssh -vvT git@ssh.dev.azure.com ls |& grep 'peer server KEXINIT proposal' -A3 | grep 'host key algorithms'
debug2: host key algorithms: ssh-rsa
```

If rsa-sha2 is supported, but has lower preference than ssh-rsa, PubkeyAcceptedKeyTypes in ~/.ssh/config can be used to remove it from the proposed lois

March 20, 2022

@K_J__1P oh I see, I understand..!

I really like 1Password's policy of not supporting unsecured key formats.
I was able to learn more about SSH because of the specific suggestions made. Thank you!

I tried

```
❯ cat ~/.ssh/config

Host target-onpremise-host
HostName AAA.BBB.CCC.DDD
Port 8022
User chatii
IdentityFile "~/.ssh/target-onpremise-host"

❯ ssh -vvT target-onpremise-host ls |& grep 'peer server KEXINIT proposal' -A3 | grep 'host key algorithms'
debug2: host key algorithms: ssh-rsa,ssh-dss
```

March 21, 2022

@K_J__1P oh I see, I understand..!

I really like 1Password's policy of not supporting unsecured key formats.
I was able to learn more about SSH because of the specific suggestions made. Thank you!

I tried

```
❯ cat ~/.ssh/config

Host target-onpremise-host
HostName AAA.BBB.CCC.DDD
Port 8022
User chatii
IdentityFile "~/.ssh/target-onpremise-host"

❯ ssh -vvT target-onpremise-host ls |& grep 'peer server KEXINIT proposal' -A3 | grep 'host key algorithms'
debug2: host key algorithms: ssh-rsa,ssh-dss
```