XIII
February 16, 2022
Question

Unable to use 1Password SSH agent at work (RSA 2048, Azure DevOps)

  • February 16, 2022
  • 27 replies
  • 3239 views

Yesterday I tested the 1Password SSH agent with my personal stuff and everything seemed fine.

Today I wanted to use it at work as well, but everything fails...

  • Git on the command line:

```
➜ git pull
sign_and_send_pubkey: signing failed: agent refused operation
user@domain1.com@domain2.com: Permission denied (password,publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```

  • SourceTree:

```
git -c color.branch=false -c color.diff=false -c color.status=false -c diff.mnemonicprefix=false -c core.quotepath=false -c credential.helper=sourcetree fetch origin
sign_and_send_pubkey: signing failed: agent refused operation
user@domain1.com@domain2.com: Permission denied (password,publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
sign_and_send_pubkey: signing failed: agent refused operation
user@domain1.com@domain2.com: Permission denied (password,publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
```

  • Tower:

```
sign_and_send_pubkey: signing failed: agent refused operation
user@domain1.com@domain2.com: Permission denied (password,publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```

We're using Azure DevOps and it only supports RSA keys of 2048 bits.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

27 replies

K_J__1P
1Password Employee
February 16, 2022

Thanks! It appears like there is an attempt to use the key but 1Password is failing to sign with it. It might be that the server only supports SHA1. There is a known limitation that servers must support rsa-sha2-256 or rsa-sha2-512. These were added in OpenSSH 5.9.

Could that be the case with the server you are testing? ssh -vvv should list the supported algorithms.

XIII
Author
February 16, 2022

I'm not sure what to look for. This?

```
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
debug2: host key algorithms: ssh-rsa
```

(it's a self-hosted Azure DevOps server in a large organisation; I have no direct contact with the administrators)

K_J__1P
1Password Employee
February 16, 2022

It should be in the kex_input_ext_info.

```
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
```

Additionally, sign_and_send_pubkey will typically indicate one of these two formats if they are being used:

```
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 ...
```

Reading the logs you shared, it seems like the server does not support rsa-sha2.

Edit: Looking into this further, it's unclear if Azure DevOps supports rsa-sha2. rsa-sha1 is considered weak and not enabled by default in most clients. I'll continue to investigate.

XIII
Author
February 16, 2022

Thanks.

I would not be surprised though, since I cannot use Ed25519 keys there as well; they only allow 2048 bits RSA keys (not even 4096 bits).

I wish you guys could educate our IT department!

(for example they still require me to change my password every 90 days; see your recent blog post;)

PS: the ssh -vvv output contains
* no server-sig-algs
* only these sign_and_send_pubkey lines:

```
debug3: sign_and_send_pubkey: RSA SHA256:<fingerprint>
debug3: sign_and_send_pubkey: signing using ssh-rsa
```
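To turn the two diagnostic lines K_J__1P points at (`server-sig-algs` in `kex_input_ext_info` and the `signing using` line from `sign_and_send_pubkey`) into a repeatable check, here is an added example in Python that is not part of the thread or of 1Password's own code: it parses constructed `ssh -vvv` excerpts modelled on the traces quoted above and separates the SHA-1-only server case from an agent-side refusal. The fingerprints are placeholders.

```python
import re

# Constructed ssh -vvv stderr excerpts modelled on the traces in this thread.
# Fingerprints are placeholders, not real keys.
AZURE_DEVOPS_TRACE = """\
debug3: sign_and_send_pubkey: RSA SHA256:PLACEHOLDER_FINGERPRINT
debug3: sign_and_send_pubkey: signing using ssh-rsa
sign_and_send_pubkey: signing failed: agent refused operation
"""
GITHUB_TRACE = """\
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa>
debug3: sign_and_send_pubkey: signing using ssh-ed25519 SHA256:PLACEHOLDER_FINGERPRINT
sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation
"""
WORKING_TRACE = """\
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-512,rsa-sha2-256,ssh-rsa>
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:PLACEHOLDER_FINGERPRINT
debug1: Authentication succeeded (publickey).
"""

SHA1_SIGNATURE_ALGS = {"ssh-rsa", "ssh-dss"}  # legacy SHA-1 signature schemes


def parse_trace(text):
    """Extract the server's advertised signature algorithms (None if the
    server sent no ext-info), the scheme ssh actually signed with, and
    whether the agent refused to sign."""
    server_sig_algs, signing_alg, refused = None, None, False
    for line in text.splitlines():
        m = re.search(r"server-sig-algs=<([^>]*)>", line)
        if m:
            server_sig_algs = {a for a in m.group(1).split(",") if a}
        m = re.search(r"sign_and_send_pubkey: signing using (\S+)", line)
        if m:
            signing_alg = m.group(1)
        if "agent refused operation" in line:
            refused = True
    return server_sig_algs, signing_alg, refused


def diagnose(text):
    """Classify a captured ssh -vvv trace."""
    server_sig_algs, signing_alg, refused = parse_trace(text)
    if not refused:
        return "ok"
    # ssh fell back to a SHA-1 scheme, so the server never offered rsa-sha2-*:
    # the refusal is the agent declining a weak algorithm, not a client bug.
    if signing_alg in SHA1_SIGNATURE_ALGS:
        return "server-sha1-only"
    # A supported scheme was negotiated yet the agent still refused: look at
    # the agent side (lock state, system authorization prompt), not the server.
    return "agent-authorization"
```

Capture the trace with `ssh -vvvT git@host 2> trace.txt` and pass the file contents to `diagnose`.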

K_J__1P
1Password Employee
February 16, 2022

After doing some research, Azure DevOps only supports ssh-rsa, which is unfortunate. Currently, there is not a way to make 1Password SSH work with an Azure DevOps server, including the cloud ssh.dev.azure.com.

I've noted this use case internally, but it will require further discussion if it is acceptable to support a weak algorithm. At the very least, a better error message is needed!

Thanks so much for your testing and detailed feedback.

https://docs.microsoft.com/en-us/azure/devops/repos/git/use-ssh-keys-to-authenticate?view=azure-devops#q-what-do-i-do-if-im-still-prompted-for-my-password-and-git_ssh_commandssh--v-git-fetch-shows-no-mutual-signature-algorithm

XIII
Author
February 17, 2022

Since AgileBits is moving towards enterprises, you might consider supporting this?

The company using this technology has over 75,000 employees worldwide. Does that qualify as enterprise?

K_J__1P
1Password Employee
February 17, 2022

Thanks for sharing @XIII. I've noted a few different widely used services that all only support ssh-rsa and this is something that we are actively discussing internally.

February 21, 2022

Seeing the same issue after restarting my computer.

```
❯ ssh -vvvT git@github.com
OpenSSH_8.8p1, OpenSSL 1.1.1m 14 Dec 2021
...
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: ED25519 SHA256:2uM6MfX+6Vy3M2nmg0jMZH53KiHmh01+5/67BROjeUc agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: ED25519 SHA256:2uM6MfX+6Vy3M2nmg0jMZH53KiHmh01+5/67BROjeUc agent
debug3: sign_and_send_pubkey: ED25519 SHA256:2uM6MfX+6Vy3M2nmg0jMZH53KiHmh01+5/67BROjeUc
debug3: sign_and_send_pubkey: signing using ssh-ed25519 SHA256:2uM6MfX+6Vy3M2nmg0jMZH53KiHmh01+5/67BROjeUc
sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation
debug1: Offering public key: ED25519 SHA256:NzlMuRTTFQA++mNliWTcmbGWZGvloFijRU9UAGHCrH4 agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: ED25519 SHA256:NzlMuRTTFQA++mNliWTcmbGWZGvloFijRU9UAGHCrH4 agent
debug3: sign_and_send_pubkey: ED25519 SHA256:NzlMuRTTFQA++mNliWTcmbGWZGvloFijRU9UAGHCrH4
debug3: sign_and_send_pubkey: signing using ssh-ed25519 SHA256:NzlMuRTTFQA++mNliWTcmbGWZGvloFijRU9UAGHCrH4
sign_and_send_pubkey: signing failed for ED25519 "" from agent: agent refused operation
...
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
git@github.com: Permission denied (publickey).
```

```
❯ uname -a
Linux 5.16.10-arch1-1 #1 SMP PREEMPT Wed, 16 Feb 2022 19:35:18 +0000 x86_64 GNU/Linux
```

```
❯ cat 1Password_rCURRENT.log
...
INFO 2022-02-21T10:58:58.910 op_executor:invocation_loop(ThreadId(22)) [1P:op-app/src/app/backend/unlock.rs:89] Lock state changed: Unlocked
INFO 2022-02-21T11:06:12.378 tokio-runtime-worker(ThreadId(7)) [1P:ssh/op-ssh-agent/src/lib.rs:290] Session was not authorized
INFO 2022-02-21T11:06:12.502 tokio-runtime-worker(ThreadId(14)) [1P:op-automated-unlock/src/lib.rs:389] New unlock was suppressed because a previous unlock was rejected or the lock screen was displayed.
INFO 2022-02-21T11:06:12.502 tokio-runtime-worker(ThreadId(14)) [1P:ssh/op-ssh-agent/src/lib.rs:290] Session was not authorized
```

Tried restarting 1Password. Tried restarting PC. Nothing seems to work. 1Password refuses to sign. 1Password is open and unlocked.

Any progress made on this?

K_J__1P
1Password Employee
February 22, 2022

@ant59 This appears like a different issue than mentioned earlier in the thread. The previous issue was for ssh-rsa (RSA with SHA1), however, the log you shared looks like ssh-ed25519 was being used and that algorithm is supported.

Thanks for sharing the 1Password logs. It seems like the issue is that 1Password thinks that the user has been prompted and they dismissed the prompt. Do you have system authorization enabled in 1Password and is it working when unlocking 1Password? Thanks!

https://support.1password.com/system-authentication-linux/

February 22, 2022

Apologies for posting a different issue in the thread. I thought it looked similar.

I do not have system authorisation turned on. Is it a requirement for the SSH agent?