March 16, 2022
Question

SSH - 'Agent Refused Operation'

  • 41 replies
  • 18543 views

I was able to enable the SSH agent in the 1Password app.

I now have a problem with accessing an EC2 instance using a private key stored in my private vault.

Steps:

  1. Update ~/.ssh/config with a host i.e.

Host random-host
    HostName random-host.com
    User ec2-user
    IdentityAgent "~/Library/Group Containers/2BUA8GG42C.com.1password/t/agent.sock"

  2. Try to ssh to random-host

1Password app prompts to 'Allow Access'

  3. This results in:

sign_and_send_pubkey: signing failed for RSA "random-host" from agent: agent refused operation
ec2-user@random-host.com: Permission denied (publickey)

  4. When I list all of the keys available to the agent:

ssh-add -l

The agent has no identities.

Can you help? Not sure which steps I have missed?

Also, I have tried to contact support via email and the response is poor at best. The one response I did get had a link to a support ticket. When I try to view it I'm prompted for my 1pwd credentials. Try to login and it fails. Not sure if I need another 1pwd account to access your support platform? Frustrating.

Thanks, Matt


1Password Version: 8.6.0 BETA
Extension Version: Not Provided
OS Version: macOS 12.0.1

floris_1P
1Password Employee
May 10, 2022

@regis13 I can't make any promises on timelines, but for this feature we're looking more at a range of weeks than of months.

May 10, 2022

@floris_1P, what are you suggesting to do for now? Disable SSH agent?

May 11, 2022

If useful, here's my .ssh/config
* disabling 1Password SSH agent just for specific hosts
* enabling only ed25519 SSH keys for 1Password-enabled hosts

# use 1password SSH agent
Host * !disabledhosts* !disabledhost2
IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
HostKeyAlgorithms ssh-ed25519

floris_1P
1Password Employee
May 11, 2022

@exsesx You can run this command to see which algorithms your server supports:


ssh -vv <your user>@<your host> ls |& grep 'peer server KEXINIT proposal' -A3 | grep 'host key algorithms'

For example, in the case of GitHub:


$ ssh -vv git@github.com ls |& grep 'peer server KEXINIT proposal' -A3 | grep 'host key algorithms'
debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa

If your server supports ssh-ed25519, you could consider switching to an Ed25519 key. If it supports rsa-sha2-512 or rsa-sha2-256, you could try adding this to your SSH config and keep on using your RSA key:


Host your-host
HostKeyAlgorithms -ssh-rsa

May 11, 2022

I checked my circle host and it supports a bunch (debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256,rsa-sha2-256,rsa-sha2-512,ssh-rsa) but setting the HostKeyAlgorithm still isn't working. I've tried both -ssh-rsa and actually setting one (rsa-sha2-512) and it still keeps trying to use ssh-rsa

floris_1P
1Password Employee
May 11, 2022

@tybritten What happens if you try PubkeyAcceptedKeyTypes as well?

Host your-host
HostKeyAlgorithms -ssh-rsa
PubkeyAcceptedKeyTypes -ssh-rsa
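
Added example, not part of the original thread and not 1Password's code: a shell helper that turns the `ssh -vv` check from the two replies above into a verdict for someone holding an RSA key. It goes beyond the thread by reading the `server-sig-algs` debug line first (the signature algorithms the server accepts for user keys, assuming your OpenSSH client prints it) and only falls back to the host key list; the function names and both sample logs are constructed.

```shell
# Added example. Feed it `ssh -vv` debug output on stdin, e.g.:
#   ssh -vv user@host true 2>&1 | rsa_key_verdict

# Host key algorithms from the *server's* KEXINIT proposal, one per line
# (the client's own proposal has the same label and must be skipped).
peer_hostkey_algs() {
  awk '/peer server KEXINIT proposal/ { peer = 1; next }
       peer && /host key algorithms:/ {
         sub(/.*host key algorithms: */, ""); print; exit }' | tr ',' '\n'
}

# Signature algorithms the server accepts for user keys (server-sig-algs
# extension); prints nothing when the server does not send it.
server_sig_algs() {
  sed -n 's/.*server-sig-algs=<\(.*\)>.*/\1/p' | head -n 1 | tr ',' '\n'
}

# One-word verdict for an RSA key holder.
rsa_key_verdict() {
  v_log=$(cat)
  v_algs=$(printf '%s\n' "$v_log" | server_sig_algs)
  # Fall back to the host key list, the proxy used in the thread.
  [ -n "$v_algs" ] || v_algs=$(printf '%s\n' "$v_log" | peer_hostkey_algs)
  if printf '%s\n' "$v_algs" | grep -Eqx 'rsa-sha2-(256|512)'; then
    echo rsa-sha2-ok          # keep the RSA key, sign with SHA-2
  elif printf '%s\n' "$v_algs" | grep -qx 'ssh-ed25519'; then
    echo switch-to-ed25519    # no SHA-2 RSA offered, Ed25519 is
  elif printf '%s\n' "$v_algs" | grep -qx 'ssh-rsa'; then
    echo sha1-only            # server only lists SHA-1 RSA
  else
    echo unknown              # nothing recognisable in the log
  fi
}

# Constructed samples (not captured from real hosts).
modern_log() { cat <<'EOF'
debug2: local client KEXINIT proposal
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512
debug2: peer server KEXINIT proposal
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,rsa-sha2-256,rsa-sha2-512>
EOF
}
legacy_log() { cat <<'EOF'
debug2: peer server KEXINIT proposal
debug2: host key algorithms: ssh-rsa
EOF
}
```

A `sha1-only` verdict corresponds to the case later posts in this thread report as still failing with "agent refused operation".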

May 11, 2022

weird, now I'm getting
debug1: send_pubkey_test: no mutual signature algorithm

gussic
May 21, 2022

@floris_1P are you supporting older ciphers, such as ssh-rsa now? just tried with a unifi device I have and still get the "agent refused operation" error...

May 23, 2022

@floris_1P same issue here, every system works fine except the UniFi Dream Machine Pro @gussic

Left a request to UniFi to get the Dropbear version updated from 2018.76 to something more current.

May 24, 2022

Subscribing

+1 for ssh-rsa support