Skip to main content
February 17, 2022
Question

SSH into Devices running old versions of Dropbear SSH (e.g. UniFi APs, and other routers)

  • February 17, 2022
  • 11 replies
  • 3267 views

After a lot of investigation in a thread on slack over the past 2 days, I discovered that 1Password's ssh-agent doesn't support logging into UniFi Access Points, which are running an old version of Dropbear SSH. This is an alternative SSH implementation that's commonly used on low power devices like routers and access points.

I'm just posting this here for anyone else who may encounter this issue trying to log into a similar device.

If you also have trouble logging into a device running Dropbear, check the version:

```

ssh -V

Dropbear v2017.75
```

That version of Dropbear only supports ssh-rsa signatures and not rsa-sha2-256 or rsa-sha2-512. Support for these signature algorithms were added in version 2020.79.

Routers with OpenWRT firmware installed on them also run Dropbear. If you have this, this may be a problem for you depending on when you most recently updated the firmware.

The ssh logs when this occurs will look something like this:

$ ssh -vvv 10.0.1.10
...
debug3: sign_and_send_pubkey: signing using ssh-rsa SHA256:<redacted fingerprint>
sign_and_send_pubkey: signing failed for RSA "" from agent: agent refused operation
...

1Password's logs show this error:


[1P:/Users/builder/builds/BhfSvM9x/0/dev/core/core/ssh/op-ssh-agent/src/lib.rs:306] Error handling sign request: Key(expected RSA signature algorithm, but found a Ed25519 one)

If you encounter this problem, upgrade your device firmware if possible, or complain to the vendor that their devices are running an out of date SSH server.

Thanks to @K_J__1P for helping to figure this out with me in slack.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

11 replies

May 21, 2026

This is actually a really useful find. A lot of people would probably assume the problem is with 1Password or their SSH config, when it’s really the old Dropbear implementation on the device side. Older Dropbear versions on things like UniFi APs, https://speedport-ips.de/, and OpenWRT devices can be surprisingly limiting with modern SSH tooling. The key detail here is that those older builds only support ssh-rsa, while newer agents/tools try to use newer RSA SHA2 algorithms or Ed25519 keys by default. The agent refused operation error is especially misleading because it sounds like the agent itself is broken. Upgrading firmware is probably the best fix if possible. Otherwise people end up wasting hours tweaking SSH configs when the real issue is just the device running a very old Dropbear release.

May 22, 2026

Upgrading firmware is probably the best fix if possible. Otherwise people end up wasting hours tweaking SSH configs when the real issue is just the device running a very old Dropbear release.