Skip to main content
March 16, 2022
Question

SSH - 'Agent Refused Operation'

  • March 16, 2022
  • 41 replies
  • 18543 views

I was able to enable the ssh agent in the 1 password app.

I now have a problem with accessing an EC2 instance using a private key stored in my private vault.

Steps:

  1. Update ~/.ssh/config with a host i.e.

Host random-host
HostName random-host.com
User ec2-user
IdentityAgent "~/Library/Group Containers/2BUA8GG42C.com.1password/t/agent.sock"

  1. Try to ssh to random-host

1password app prompts to 'Allow Access'

  1. This results in:

sign_and_send_pubkey: signing failed for RSA "random-host" from agent: agent refused operation
ec2-user@random-host.com: Permission denied (publickey)

  1. When I list all of the keys available to the agent:

ssh-add -l

The agent has no identities.

Can you help? Not sure which steps I have missed?

Also, I have tried to contact support via email and the response is poor at best. The one response I did get had a link to a support ticket. When I try to view it I'm prompted for my 1pwd credentials. Try to login and it fails. Not sure if I need another 1pwd account to access your support platform? Frustrating.

Thanks, Matt


1Password Version: 8.6.0 BETA
Extension Version: Not Provided
OS Version: macOS 12.0.1

41 replies

May 31, 2022

Any hint on how to avoid having to fingerprint for each SSH access? If I log-in 3 times to host X, I need to fingerprint 3 times.. I know, first-world problem, but need to ask since went full-in with 1password ssh agent!

floris_1P
1Password Employee
June 3, 2022

@ark0n3 What platform are you on and what client are you using? The expected behavior would be 1 prompt per app or terminal window, per key.

June 6, 2022

I'm on OSX (latest version), using iTerm2. If I SSH to a given host in iTerm2 tab A, I'm asked for fingerprint again when SSH in iTerm tab B.

gussic
June 6, 2022

@floris_1P Hi there, any update re my post from May 22?

June 10, 2022

@ark0n3 That is the expected behavior. However, we are considering making this behavior configurable in the future.

June 10, 2022

@gussic Older key types and host key algorithms are not supported yet, but we might add support for them in the future.

June 10, 2022

thanks @"Marton.Soos_1P" , since it's really an hassle as of right now..

June 11, 2022

@"Marton.Soos_1P" Thank you for the various explanations above. Much appreciated. I understand that ssh-rsa keys are currently not supported by the 1password agent. Yet, when interacting with github, my ssh-rsa key appears to be supported. Is this the current state?

June 14, 2022

@biniblublu ssh-rsa keys are supported by the 1Password agent if they are used for ssh-rsa2 signing, they do not work for ssh-rsa signing. Depending on the Host Key Algorithm used by the service you're connecting to, using your ssh-rsa key may or may not work.

Have you run into any services for which your ssh-rsa keys don't work when using the 1Password SSH Agent? If so please let us know which services so that we can investigate the issue.

XIII
June 14, 2022

Azure DevOps (previously called Teams Foundation Server) is definitely one (which only supports ssh-rsa signing).