I was able to enable the ssh agent in the 1 password app. I now have a problem with accessing an EC2 instance using a private key stored in my private vault. Steps: Update ~/.ssh/config with a host i.e. Host random-host HostName random-host.com User ec2-user IdentityAgent "~/Library/Group Containers/2BUA8GG42C.com.1password/t/agent.sock" Try to ssh to random-host 1password app prompts to 'Allow Access' This results in: sign_and_send_pubkey: signing failed for RSA "random-host" from agent: agent refused operation ec2-user@random-host.com: Permission denied (publickey) When I list all of the keys available to the agent: ssh-add -l The agent has no identities. Can you help? Not sure which steps I have missed? Also, I have tried to contact support via email and the response is poor at best. The one response I did get had a link to a support ticket. When I try to view it I'm prompted for my 1pwd credentials. Try to login and it fails. Not sure if I need another 1pwd account to access your support platform? Frustrating. Thanks, Matt 1Password Version: 8.6.0 BETA Extension Version: Not Provided OS Version: macOS 12.0.1

I'm seeing this too when attempting to access Azure DevOps (ssh.dev.azure.com). With a very stripped back SSH config for debugging, I cannot seem to trace the cause. Even with a brand new key, same error. debug1: Host 'ssh.dev.azure.com' is known and matches the RSA host key. debug1: Found key in /Users/jamie/.ssh/known_hosts:4 debug1: rekey out after 4294967296 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: rekey in after 4294967296 blocks debug1: Will attempt key: /Users/jamie/.ssh/azure_devops.pub RSA SHA256: explicit agent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: password,publickey debug1: Next authentication method: publickey debug1: Offering public key: /Users/jamie/.ssh/azure_devops.pub RSA SHA256: explicit agent debug1: Server accepts key: /Users/jamie/.ssh/azure_devops.pub RSA SHA256: explicit agent sign_and_send_pubkey: signing failed for RSA "/Users/jamie/.ssh/azure_devops.pub" from agent: agent refused operation Also noticed that keys not secured in the "Private" vault are not provided by the agent, is that a bug or by design?

Do you see anything appear in the logs when you invoke the SSH command? On macOS: ~/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data/logs/1Password_rCURRENT.log It could be that the EC2 instance only supports SHA1 signatures for RSA keys. This is something that the SSH agent doesn't support at the moment. If that's the case, you can consider switching to Ed25519 keys, or upgrading OpenSSH on your server so that it supports more modern algorithms. For Azure DevOps, that's not an option unfortunately. So be on the lookout for updates! (Either from our side or from Azure's side) @jamie_shaw About the Private vault requirement, see this thread.

I see the following error: ERROR 2022-03-21T16:51:32.966 tokio-runtime-worker(ThreadId(3)) [1P:/Users/builder/builds/BhfSvM9x/0/dev/core/core/ssh/op-ssh-agent/src/lib.rs:377] Error handling sign request: Key(signing with ssh-rsa is unsupported; SHA-1 may be insecure) To be fair I tested with a legacy EC2 instance so I'll try out a few more recent EC2's.

OK I tested out with some relatively new Amazon Linux EC2's and it works well. floris_1P are you likely to include supporting old ciphers in the 1password SSH agent? To update SSH on all of our older/legacy instances would be a considerable amount of work. Long term we will be of course sunsetting/upgrading/replacing instances for security purposes but short term we can't commit to using the 1password agent without 'old' cipher support.

Yes, for that exact reason we have plans to also support ssh-rsa in the near future.

SSH - 'Agent Refused Operation' | 1Password Community

41 Replies

Former Member
4 years ago
Any hint on how to avoid having to fingerprint for each SSH access? If I log-in 3 times to host X, I need to fingerprint 3 times.. I know, first-world problem, but need to ask since went full-in with 1password ssh agent!
Former Member
4 years ago
Subscribing

+1 for ssh-rsa support
Former Member
4 years ago
floris_1P same issue here, every system works fine except the UniFi Dream Machine Pro gussic

Left a request to UniFi to get the dropper version updated from 2018.76 to something more current.
gussic
Super Contributor
4 years ago
floris_1P are you supporting older ciphers, such as ssh-rsa now? just tried with a unifi device I have and still get the "agent refused operation" error...
Former Member
4 years ago
weird, now I'm getting
debug1: send_pubkey_test: no mutual signature algorithm
floris_1P
1Password Team
4 years ago
@tybritten What happens if you try PubkeyAcceptedKeyTypes as well?
Host your-host HostKeyAlgorithms -ssh-rsa PubkeyAcceptedKeyTypes -ssh-rsa
Former Member
4 years ago
I checked my circle host and it supports a bunch (debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256,rsa-sha2-256,rsa-sha2-512,ssh-rsa) but setting the HostKeyAlgorithm still isn't working. I've tried both -ssh-rsa and actually setting one (rsa-sha2-512) and it still keeps trying to user ssh-rasa
floris_1P
1Password Team
4 years ago
@exsesx You can run this command to see which algorithms your server supports:

ssh -vv <your user>@<your host> ls |& grep 'peer server KEXINIT proposal' -A3 | grep 'host key algorithms'

For example, in the case of GitHub:

$ ssh -vv git@github.com ls |& grep 'peer server KEXINIT proposal' -A3 | grep 'host key algorithms' debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa

If your server supports ssh-ed25519, you could consider switching to an Ed25519 key. If it supports rsa-sha2-512 or rsa-sha2-256, you could try adding this to your SSH config and keep on using your RSA key:

Host your-host HostKeyAlgorithms -ssh-rsa
Former Member
4 years ago
If useful, here's my .ssh/config
* disabling 1Password SSH agent just for specific hosts
* enabling only ed25519 SSH keys for 1Password-enabled hosts

# use 1password SSH agent
Host * !disabledhosts* !disabledhost2
IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
HostKeyAlgorithms ssh-ed25519
Former Member
4 years ago
floris_1P, what are you suggesting to do for now? Disable SSH agent?

Forum Discussion

SSH - 'Agent Refused Operation'

41 Replies

Recent discussions

Apple Watch CLI Authentication

macOS 26 beta browser extension very slow to open

Use op on headless system with glab?

Console flooded with errors when clicking links during 1Password passkey selection dialog

How to create an Address field type using the CLI?