XIII (Super Contributor), 4 years ago
Unable to use 1Password SSH agent at work (RSA 2048, Azure DevOps)
Yesterday I tested the 1Password SSH agent with my personal stuff and everything seemed fine.
Today I wanted to use it at work as well, but everything fails...
- Git on the command line:
```
➜ git pull
sign_and_send_pubkey: signing failed: agent refused operation
user@domain1.com@domain2.com: Permission denied (password,publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```
- SourceTree:
```
git -c color.branch=false -c color.diff=false -c color.status=false -c diff.mnemonicprefix=false -c core.quotepath=false -c credential.helper=sourcetree fetch origin
sign_and_send_pubkey: signing failed: agent refused operation
user@domain1.com@domain2.com: Permission denied (password,publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
sign_and_send_pubkey: signing failed: agent refused operation
user@domain1.com@domain2.com: Permission denied (password,publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
```
- Tower:
```
sign_and_send_pubkey: signing failed: agent refused operation
user@domain1.com@domain2.com: Permission denied (password,publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```
We're using Azure DevOps and it only supports RSA keys of 2048 bits.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
27 Replies
- XIII (Super Contributor)
Since AgileBits is moving towards enterprises, you might consider supporting this?
The company using this technology has over 75,000 employees worldwide. Does that qualify as enterprise?
- K_J__1P (1Password Team)
After doing some research, Azure DevOps only supports `ssh-rsa`, which is unfortunate. Currently, there is not a way to make 1Password SSH work with an Azure DevOps server, including the cloud ssh.dev.azure.com. I've noted this use case internally, but it will require further discussion whether it is acceptable to support a weak algorithm. At the very least, a better error message is needed!
Thanks so much for your testing and detailed feedback.
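To make concrete what "only supports `ssh-rsa`" means for an agent, here is an added example (not 1Password's code and not anything from Azure DevOps) that builds and checks SSH RSA signature blobs with Go's standard library. `ssh-rsa` and `rsa-sha2-256`/`rsa-sha2-512` use the same RSA key and the same PKCS#1 v1.5 padding; they differ only in the digest (SHA-1 versus SHA-256/512) and in the algorithm name carried in the blob (RFC 4253 section 6.6 and RFC 8332). A server whose allow-list is just `ssh-rsa` therefore needs a SHA-1 signature, which an agent restricted to rsa-sha2 cannot produce, and the server reports a refusal rather than a bad signature. `Sign`, `Verify`, `Accepts`, the allow-lists and the signed data are hypothetical stand-ins for the agent, the sshd configuration and the userauth message; they are not OpenSSH or 1Password APIs.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha1"   // links SHA-1 (ssh-rsa)
	_ "crypto/sha256" // links SHA-256 (rsa-sha2-256)
	_ "crypto/sha512" // links SHA-512 (rsa-sha2-512)
	"encoding/binary"
	"fmt"
)

// sshHash maps an SSH RSA signature algorithm name to its digest. All three use
// RSASSA-PKCS1-v1_5 with the same key; only the hash and the name differ
// (ssh-rsa: RFC 4253 section 6.6, SHA-1; rsa-sha2-*: RFC 8332, SHA-2).
var sshHash = map[string]crypto.Hash{
	"ssh-rsa":      crypto.SHA1,
	"rsa-sha2-256": crypto.SHA256,
	"rsa-sha2-512": crypto.SHA512,
}

// sshString encodes an SSH "string" (RFC 4251 section 5): 4-byte big-endian length, then bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	return append(out, b...)
}

// readSSHString decodes one SSH string; ok is false if the buffer is malformed.
func readSSHString(buf []byte) (val, rest []byte, ok bool) {
	if len(buf) < 4 || uint64(len(buf)-4) < uint64(binary.BigEndian.Uint32(buf)) {
		return nil, nil, false
	}
	n := binary.BigEndian.Uint32(buf)
	return buf[4 : 4+n], buf[4+n:], true
}

// Sign is the agent side (hypothetical): the reply to a sign request is the blob
// string(alg) || string(signature). For userauth, data would be the session ID
// followed by the SSH_MSG_USERAUTH_REQUEST; here it is whatever the caller passes.
func Sign(key *rsa.PrivateKey, alg string, data []byte) ([]byte, error) {
	h, ok := sshHash[alg]
	if !ok {
		return nil, fmt.Errorf("agent does not implement %q", alg)
	}
	d := h.New()
	d.Write(data)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, h, d.Sum(nil))
	if err != nil {
		return nil, err
	}
	return append(sshString([]byte(alg)), sshString(sig)...), nil
}

// Verify is the server side (hypothetical): parse the blob, refuse any algorithm name
// outside the allow-list (stand-in for what the sshd configuration permits), then check
// the PKCS#1 v1.5 signature with the hash that the name implies.
func Verify(pub *rsa.PublicKey, allowed []string, data, blob []byte) error {
	algBytes, rest, ok := readSSHString(blob)
	sig, _, ok2 := readSSHString(rest)
	if !ok || !ok2 {
		return fmt.Errorf("malformed signature blob")
	}
	alg, permitted := string(algBytes), false
	for _, a := range allowed {
		permitted = permitted || a == alg
	}
	h, known := sshHash[alg]
	if !permitted || !known {
		return fmt.Errorf("server allows %v, refuses %q", allowed, alg)
	}
	d := h.New()
	d.Write(data)
	return rsa.VerifyPKCS1v15(pub, h, d.Sum(nil), sig)
}

// Accepts signs data as an agent restricted to alg would and hands the blob to a
// server with the given allow-list; nil means the publickey login would succeed.
func Accepts(key *rsa.PrivateKey, alg string, serverAlgs []string, data []byte) error {
	blob, err := Sign(key, alg, data)
	if err != nil {
		return err
	}
	return Verify(&key.PublicKey, serverAlgs, data, blob)
}

func NewTestKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // 2048 bits: the size the thread says Azure DevOps requires
	if err != nil {
		panic(err)
	}
	return key
}

func main() {
	key := NewTestKey()
	data := []byte("constructed stand-in for session-id || SSH_MSG_USERAUTH_REQUEST")
	legacy := []string{"ssh-rsa"} // the thread's server: SHA-1 signatures only
	for _, alg := range []string{"rsa-sha2-256", "rsa-sha2-512", "ssh-rsa"} {
		fmt.Printf("%-12s -> %v\n", alg, Accepts(key, alg, legacy, data))
	}
}
```

Running it prints a refusal for both rsa-sha2 names and `<nil>` for `ssh-rsa`; swap `legacy` for `[]string{"rsa-sha2-256", "rsa-sha2-512"}` and the outcome inverts, which is the situation a SHA-1-only server and a SHA-2-only agent are stuck in.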
- XIII (Super Contributor)
Thanks.
I would not be surprised though, since I cannot use Ed25519 keys there either; they only allow 2048-bit RSA keys (not even 4096 bits).
I wish you guys could educate our IT department!
(for example they still require me to change my password every 90 days; see your recent blog post;)
PS: the `ssh -vvv` output contains
* no server-sig-algs
* only these sign_and_send_pubkey lines:
```
debug3: sign_and_send_pubkey: RSA SHA256:<fingerprint>
debug3: sign_and_send_pubkey: signing using ssh-rsa
```
- K_J__1P (1Password Team)
It should be in the `kex_input_ext_info`:
```
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
```
Additionally, `sign_and_send_pubkey` will typically indicate one of these two formats if they are being used:
```
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 ...
```
Reading the logs you shared, it seems like the server does not support rsa-sha2.
Edit: Looking into this further, it's unclear if Azure DevOps supports rsa-sha2. rsa-sha1 is considered weak and not enabled by default in most clients. I'll continue to investigate.
- XIII (Super Contributor)
I'm not sure what to look for. This?
```
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
debug2: host key algorithms: ssh-rsa
```
(it's a self-hosted Azure DevOps server in a large organisation; I have no direct contact with the administrators)
- K_J__1P (1Password Team)
Thanks! It appears like there is an attempt to use the key but 1Password is failing to sign with it. It might be that the server only supports SHA1. There is a known limitation that servers must support rsa-sha2-256 or rsa-sha2-512. These were added in OpenSSH 5.9.
Could that be the case with the server you are testing?
`ssh -vvv` should list the supported algorithms.
- XIII (Super Contributor)
K_J__1P Maybe we're mixing up terminology, but my keys are in my Personal vault (I believe Personal is used with 1password.com subscriptions, while Private was used for stand-alone vaults?).
Do these logs help?
Successful login using a private key stored as a file on my filesystem:
```
debug3: sign_and_send_pubkey: RSA SHA256:<fingerprint>
debug3: sign_and_send_pubkey: signing using ssh-rsa
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
```
Failed login using 1Password SSH Agent:
```
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/me/.ssh/key-1password.pub RSA SHA256:<fingerprint> explicit agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /Users/me/.ssh/key-1password.pub RSA SHA256:<fingerprint4> explicit agent
debug3: sign_and_send_pubkey: RSA SHA256:<fingerprint>
debug3: sign_and_send_pubkey: signing using ssh-rsa
sign_and_send_pubkey: signing failed: agent refused operation
```
The redacted `<fingerprint>` is identical in all places. (I'm using your "Match key with host" approach.)
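The two `ssh -vvv` excerpts above, read by an added triage routine that is not from the original thread and not part of 1Password's or OpenSSH's tooling: it scans the debug output for the three facts that decide this case, whether the server advertised `server-sig-algs` in `kex_input_ext_info`, which algorithm `sign_and_send_pubkey` used, and whether the agent refused, and turns them into a verdict. The sample logs are constructed: the first two reuse the lines quoted in the thread, the third is a made-up modern server (it advertises rsa-sha2 and the agent still refuses) to show the case where the algorithm is not the problem. The verdict names are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// Triage is what matters from ssh -vvv for the failure in this thread.
type Triage struct {
	ServerSigAlgs []string // kex_input_ext_info: server-sig-algs=<...>; nil if the server sent no EXT_INFO
	SigningAlg    string   // sign_and_send_pubkey: signing using <alg>
	AgentRefused  bool     // "signing failed: agent refused operation" seen
	Succeeded     bool     // "Authentication succeeded (publickey)" seen
}

// Parse scans ssh -vvv output line by line for the markers above.
func Parse(log string) Triage {
	var t Triage
	for _, line := range strings.Split(log, "\n") {
		switch {
		case strings.Contains(line, "server-sig-algs="):
			list := strings.Trim(after(line, "server-sig-algs="), "<>")
			t.ServerSigAlgs = strings.Split(list, ",")
		case strings.Contains(line, "signing using "):
			// Newer clients append the key fingerprint after the algorithm; keep the first field.
			if f := strings.Fields(after(line, "signing using ")); len(f) > 0 {
				t.SigningAlg = f[0]
			}
		case strings.Contains(line, "signing failed: agent refused operation"):
			t.AgentRefused = true
		case strings.Contains(line, "Authentication succeeded (publickey)"):
			t.Succeeded = true
		}
	}
	return t
}

func after(s, marker string) string {
	if i := strings.Index(s, marker); i >= 0 {
		return s[i+len(marker):]
	}
	return ""
}

// Verdict codes (naming is this example's own, not 1Password's or OpenSSH's).
const (
	AuthOK         = "AUTH_OK"
	ServerSHA1Only = "SERVER_SHA1_ONLY"         // no server-sig-algs, client fell back to ssh-rsa
	ServerHasSHA2  = "SERVER_SUPPORTS_RSA_SHA2" // algorithm is fine; look at the key/agent instead
	Inconclusive   = "INCONCLUSIVE"
)

// Diagnose turns the parsed facts into a verdict and a one-line explanation.
func Diagnose(t Triage) (code, why string) {
	sha2 := false
	for _, a := range t.ServerSigAlgs {
		sha2 = sha2 || a == "rsa-sha2-256" || a == "rsa-sha2-512"
	}
	switch {
	case t.Succeeded:
		return AuthOK, "authentication succeeded, signed with " + t.SigningAlg
	case sha2:
		return ServerHasSHA2, "server advertises rsa-sha2 in server-sig-algs; an agent refusal here is not about SHA-1 (check the key is loaded in the agent and matched to this host)"
	case t.AgentRefused && t.SigningAlg == "ssh-rsa" && t.ServerSigAlgs == nil:
		return ServerSHA1Only, "server sent no server-sig-algs, so the client signed with ssh-rsa (SHA-1); an agent that only produces rsa-sha2-256/512 refuses. rsa-sha2-* needs OpenSSH 7.2 or later (RFC 8332) on the server; until then only a SHA-1-capable key file or agent will authenticate"
	}
	return Inconclusive, "no decisive pattern; capture the complete ssh -vvv output"
}

// Constructed sample logs: the first two reuse the lines quoted in the thread,
// the third is a made-up modern server where the agent still refuses.
const (
	FailedLog = `debug2: peer server KEXINIT proposal
debug2: host key algorithms: ssh-rsa
debug1: Offering public key: /Users/me/.ssh/key-1password.pub RSA SHA256:<fingerprint> explicit agent
debug1: Server accepts key: /Users/me/.ssh/key-1password.pub RSA SHA256:<fingerprint> explicit agent
debug3: sign_and_send_pubkey: RSA SHA256:<fingerprint>
debug3: sign_and_send_pubkey: signing using ssh-rsa
sign_and_send_pubkey: signing failed: agent refused operation`
	SuccessLog = `debug3: sign_and_send_pubkey: RSA SHA256:<fingerprint>
debug3: sign_and_send_pubkey: signing using ssh-rsa
debug1: Authentication succeeded (publickey).`
	ModernRefusedLog = `debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:<fingerprint>
sign_and_send_pubkey: signing failed: agent refused operation`
)

func main() {
	for name, log := range map[string]string{"failed": FailedLog, "success": SuccessLog, "modern": ModernRefusedLog} {
		code, why := Diagnose(Parse(log))
		fmt.Printf("%-8s %-25s %s\n", name, code, why)
	}
}
```

To use it on a real session, feed `ssh -vvv git@host 2>&1` into `Parse`; the decisive line is the presence or absence of `server-sig-algs`, which the client only logs if the server sent an EXT_INFO message.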
- Former Member
That's right, XIII! Just tried it, I can also reproduce this issue on my Intel MacBook. So I'm guessing that probably doesn't matter.
- K_J__1P (1Password Team)
Thanks for the additional info. Just to double check, all of the keys are in your Private vault? Currently, the agent only offers keys from Private vaults.