March 16, 2022
Question

SSH - 'Agent Refused Operation'

  • March 16, 2022
  • 41 replies
  • 18543 views

I was able to enable the SSH agent in the 1Password app.

I now have a problem with accessing an EC2 instance using a private key stored in my private vault.

Steps:

  1. Update ~/.ssh/config with a host, i.e.

     Host random-host
       HostName random-host.com
       User ec2-user
       IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

  2. Try to ssh to random-host

     1Password app prompts to 'Allow Access'

  3. This results in:

     sign_and_send_pubkey: signing failed for RSA "random-host" from agent: agent refused operation
     ec2-user@random-host.com: Permission denied (publickey)

  4. When I list all of the keys available to the agent:

     ssh-add -l

     The agent has no identities.

Can you help? Not sure which steps I have missed?

Also, I have tried to contact support via email and the response is poor at best. The one response I did get had a link to a support ticket. When I try to view it I'm prompted for my 1pwd credentials. Try to login and it fails. Not sure if I need another 1pwd account to access your support platform? Frustrating.

Thanks, Matt


1Password Version: 8.6.0 BETA
Extension Version: Not Provided
OS Version: macOS 12.0.1

41 replies

March 16, 2022

I'm seeing this too when attempting to access Azure DevOps (ssh.dev.azure.com).

With a very stripped back SSH config for debugging, I cannot seem to trace the cause. Even with a brand new key, same error.

debug1: Host 'ssh.dev.azure.com' is known and matches the RSA host key.
debug1: Found key in /Users/jamie/.ssh/known_hosts:4
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /Users/jamie/.ssh/azure_devops.pub RSA SHA256: explicit agent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/jamie/.ssh/azure_devops.pub RSA SHA256: explicit agent
debug1: Server accepts key: /Users/jamie/.ssh/azure_devops.pub RSA SHA256: explicit agent
sign_and_send_pubkey: signing failed for RSA "/Users/jamie/.ssh/azure_devops.pub" from agent: agent refused operation

Also noticed that keys not secured in the "Private" vault are not provided by the agent, is that a bug or by design?

floris_1P
1Password Employee
March 17, 2022

Do you see anything appear in the logs when you invoke the SSH command? On macOS: ~/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data/logs/1Password_rCURRENT.log

It could be that the EC2 instance only supports SHA1 signatures for RSA keys. This is something that the SSH agent doesn't support at the moment. If that's the case, you can consider switching to Ed25519 keys, or upgrading OpenSSH on your server so that it supports more modern algorithms.

For Azure DevOps, that's not an option unfortunately. So be on the lookout for updates! (Either from our side or from Azure's side)

@jamie_shaw About the Private vault requirement, see this thread.
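A triage sketch for the failure mode described in the reply above, added here as an example and not part of the thread or 1Password's code. It reads `ssh -v` client output and flags servers where an RSA key can only be used with a SHA-1 (`ssh-rsa`) signature; it assumes the OpenSSH client debug line formats and that `rsa-sha2-*` and the `server-sig-algs` extension first appeared in OpenSSH 7.2. The sample logs and result labels are constructed.

```python
import re

# Constructed `ssh -v` excerpts for illustration; not taken from the thread.
LEGACY = (
    "debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1\n"
    "debug1: Server accepts key: /home/u/.ssh/id_rsa.pub RSA SHA256:EXAMPLE explicit agent\n"
    'sign_and_send_pubkey: signing failed for RSA "/home/u/.ssh/id_rsa.pub" '
    "from agent: agent refused operation\n"
)
MODERN = (
    "debug1: Remote protocol version 2.0, remote software version OpenSSH_8.7\n"
    "debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,rsa-sha2-256,rsa-sha2-512>\n"
    "debug1: Server accepts key: /home/u/.ssh/id_rsa.pub RSA SHA256:EXAMPLE explicit agent\n"
)

def server_sig_algs(log):
    """Signature algorithms the server advertised (RFC 8308), or None if absent."""
    m = re.search(r"server-sig-algs=<([^>]*)>", log)
    return m.group(1).split(",") if m else None

def openssh_version(log):
    """(major, minor) of the remote OpenSSH, or None for other or unknown software."""
    m = re.search(r"remote software version OpenSSH_(\d+)\.(\d+)", log)
    return (int(m.group(1)), int(m.group(2))) if m else None

def refused_key_type(log):
    """Key type named in a 'signing failed ... agent refused operation' line, or None."""
    m = re.search(r"signing failed for (\S+) .*agent refused operation", log)
    return m.group(1) if m else None

def diagnose(log):
    algs, ver = server_sig_algs(log), openssh_version(log)
    if algs and any(a in ("rsa-sha2-256", "rsa-sha2-512") for a in algs):
        return "rsa-sha2-available"      # RSA keys can be signed with SHA-2
    # No SHA-2 RSA algorithm advertised: the client falls back to ssh-rsa (SHA-1).
    legacy = ver is None or ver < (7, 2)
    if refused_key_type(log) == "RSA" and legacy:
        return "sha1-only-suspected"     # agent was asked for an ssh-rsa signature
    return "inconclusive"

if __name__ == "__main__":
    for name, log in (("legacy", LEGACY), ("modern", MODERN)):
        print(name, diagnose(log))
```

Feeding it the saved output of `ssh -v` for each legacy host gives a quick inventory of which servers need an Ed25519 key or an OpenSSH upgrade before the agent can be used with them.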

March 21, 2022

I see the following error:

ERROR 2022-03-21T16:51:32.966 tokio-runtime-worker(ThreadId(3)) [1P:/Users/builder/builds/BhfSvM9x/0/dev/core/core/ssh/op-ssh-agent/src/lib.rs:377] Error handling sign request: Key(signing with ssh-rsa is unsupported; SHA-1 may be insecure)

To be fair I tested with a legacy EC2 instance so I'll try out a few more recent EC2's.

March 21, 2022

OK I tested out with some relatively new Amazon Linux EC2's and it works well.

@floris_1P are you likely to include supporting old ciphers in the 1Password SSH agent? To update SSH on all of our older/legacy instances would be a considerable amount of work. Long term we will of course be sunsetting/upgrading/replacing instances for security purposes, but short term we can't commit to using the 1Password agent without 'old' cipher support.

floris_1P
1Password Employee
March 22, 2022

Yes, for that exact reason we have plans to also support ssh-rsa in the near future.

XIII
March 22, 2022

we have plans to also support ssh-rsa in the near future

Nice! Then I can start using the 1Password SSH agent for all my keys (currently can't for 1 Azure DevOps key at work).

April 3, 2022

Can a disclaimer/troubleshooting info or section be added to the SSH Agent page? https://developer.1password.com/docs/ssh/agent/

I spent a few hours trying to figure out why I wasn't able to auth to a host using an RSA key. It's not explicitly stated that the agent won't work with RSA keys, and on the key management page, RSA is shown as a supported key type for import/storage, which sort of implies that you can use RSA keys with the agent, since they can be stored by 1Pass properly.

April 4, 2022

I agree with dacodev. Please add a disclaimer. I was scratching my hair off this morning until I found this post.

May 5, 2022

Waiting for ssh-rsa support to go full-in with 1password SSH keys!

May 7, 2022

@floris_1P Could you please advise if there is at least an approximate ETA set for ssh-rsa keysig algorithm support?
As I have to manage a bunch of legacy servers, the lack of this algo is really a showstopper for using this great 1Password feature.