Skip to main content
XIII
February 16, 2022
Question

Unable to use 1Password SSH agent at work (RSA 2048, Azure DevOps)

  • February 16, 2022
  • 27 replies
  • 3239 views

Yesterday I tested the 1Password SSH agent with my personal stuff and everything seemed fine.

Today I wanted to use it at work as well, but everything fails...

  • Git on the command line: ``` ➜ git pull sign_and_send_pubkey: signing failed: agent refused operation user@domain1.com@domain2.com: Permission denied (password,publickey). fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```

  • SourceTree: ``` git -c color.branch=false -c color.diff=false -c color.status=false -c diff.mnemonicprefix=false -c core.quotepath=false -c credential.helper=sourcetree fetch origin sign_and_send_pubkey: signing failed: agent refused operation user@domain1.com@domain2.com: Permission denied (password,publickey). fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
sign_and_send_pubkey: signing failed: agent refused operation
user@domain1.com@domain2.com: Permission denied (password,publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
```

  • Tower: ``` sign_and_send_pubkey: signing failed: agent refused operation user@domain1.com@domain2.com: Permission denied (password,publickey). fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```

We're using Azure DevOps and it only supports RSA keys of 2048 bits.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

27 replies

XIII
XIIIAuthor
February 16, 2022

PS: even after not using the 1Password SSH agent for our Azure DevOps server I still get an error which I did not have before yesterday:


➜ git pull
sign_and_send_pubkey: signing failed: agent refused operation
Already up to date.

February 16, 2022

We use RSA-2048 keys in PEM Format with AWS and they don't seem to work with the 1Password Agent. It gets imported into the app but the agent does not seem to offer them. I checked the public exponent and it seems to be fine too. I https://1password-devs.slack.com/archives/C032QPCFK0B/p1644968700252969?thread_ts=1644958080.557249&cid=C032QPCFK0B this on the Slack channel and they asked me to open a support issue with diagnostics - While I create a support ticket, I figured I would add to more context here since this seems to be a similar issue.

Some details that might be useful:

Public Exponent:

❯ openssl rsa -text -in ~/.ssh/key.pem | grep publicExponent
writing RSA key
publicExponent: 65537 (0x10001)


❯ head -n1 ~/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----

These are the entries on the 1Password App. You can see six keys in total, three are Ed25519 and the others are RSA 2048bit

This is the output when I try to list the keys available in the 1Password agent. The Ed25519 keys are offered but the RSA 2048 ones are not.

XIII
XIIIAuthor
February 16, 2022

The Public Exponent is the same for my key.

However, my RSA 2048 key does show up in the output of ssh-add -l.

Still I cannot use the 1Password SSH agent with this key.

K_J__1P
1Password Employee
February 16, 2022

Thanks for testing! I appreciate your feedback. RSA keys are expected to work and this is a surprising issue. I appreciate your detailed response.

Are you able to share your OpenSSH version?


$ ssh -V
OpenSSH_8.8p1, OpenSSL 1.1.1m 14 Dec 2021

February 16, 2022

I'm using the default SSH client on macOS Monterrey/Big Sur. I'm able to reproduce this on both systems.

  • Monterrey machine: OpenSSH_8.6p1, LibreSSL 2.8.3
  • Big Sur machine: OpenSSH_8.1p1, LibreSSL 2.7.3

I also gave it a shot using the openssh https://formulae.brew.sh/formula/openssh#default from homebrew and noticing the same behaviour :
```
❯ which ssh
/opt/homebrew/bin/ssh

❯ ssh -V
OpenSSH_8.8p1, OpenSSL 1.1.1m 14 Dec 2021

❯ SSH_AUTH_SOCK="$HOME/.1password/agent.sock" ssh-add -l
256 SHA256: (ED25519)
256 SHA256: (ED25519)
256 SHA256: (ED25519)
```

XIII
XIIIAuthor
February 16, 2022

I'm using the default ssh from macOS Big Sur 11.6.4:


➜ which ssh
/usr/bin/ssh
➜ ssh -V
OpenSSH_8.1p1, LibreSSL 2.7.3

XIII
XIIIAuthor
February 16, 2022

PS: looking at the Homebrew path @smanojkarthick is probably using an M1 Mac. I'm still on Intel.

(not sure whether that matters)

K_J__1P
1Password Employee
February 16, 2022

Thanks for the additional info. Just to double check, all of the keys are in your Private vault? Currently, the agent only offers keys from Private vaults.

February 16, 2022

That’s right @XIII ! Just tried it, I can also reproduce this issue on my Intel MacBook. So I’m guessing that probably doesn’t matter.

XIII
XIIIAuthor
February 16, 2022

@K_J__1P Maybe we're mixing up terminology, but my keys are in my Personal vault (I believe Personal is used with 1password.com subscriptions, while Private was used for stand-alone vaults?).

Do these logs help?

Successful login using a private key stored as a file on my filesystem:

debug3: sign_and_send_pubkey: RSA SHA256:<fingerprint>
debug3: sign_and_send_pubkey: signing using ssh-rsa
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).

Failed login using 1Password SSH Agent:

debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/me/.ssh/key-1password.pub RSA SHA256:<fingerprint> explicit agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /Users/me/.ssh/key-1password.pub RSA SHA256:<fingerprint4> explicit agent
debug3: sign_and_send_pubkey: RSA SHA256:<fingerprint>
debug3: sign_and_send_pubkey: signing using ssh-rsa
sign_and_send_pubkey: signing failed: agent refused operation

The redacted <fingerprint> is identical in all places.

(I'm using your Match key with host approach)