SSH
549 Topics

Support for SSH Certificates (2024)
This question came up a couple of times in 2022, but it didn't look like anything was resolved. Since it's been two years...

For those unfamiliar with the concept, SSH certificates are host and user public keys, signed by your own internal SSH CA, that ease key approval and distribution, especially in large-scale environments. Once a user has created a public-private key pair, the public key is signed by an (internal) SSH CA. The user then uses ssh-add to add the public key and, if present, the certificate file to the user's ssh agent. https://smallstep.com/blog/use-ssh-certificates/ of how SSH certificates work.

Using stock ssh-add and ssh-agent on Mac OS 14, we can see the public key and certificate both being added to the agent:

    $ /usr/bin/ssh-add .ssh/id_ed25519
    Enter passphrase for .ssh/id_ed25519:
    Identity added: .ssh/id_ed25519 (<REDACTED>)
    Certificate added: .ssh/id_ed25519-cert.pub (chris)

A remote host, when properly configured, will verify that my user certificate has not expired (expiration and inception times) and was issued by a trusted CA, whose key would have already been added to the server. This eliminates the need for me to maintain an authorized_keys file on the remote end.

I was hoping to be able to store these keys in 1Password. That certainly works; however, 1Password does not support certificates in either the user interface or the ssh agent. 1Password derives public keys from private keys but does not provide a way for the user to upload the certificate file, above and beyond attaching an arbitrary file. The ssh agent behind the scenes presumably also does not support certificates.

For the moment, I have configured my ssh client to use the stock ssh-agent for the host that uses certificates, while everything else can go through 1Password.

Are there any plans to add support to the 1Password user interface and to the underlying ssh agent for certificates? Thanks!
1Password Version: 8.10 | Extension Version: Not Provided | OS Version: macOS 14.2.1 | Browser: Not Provided
805 Views | 13 likes | 7 Comments

1Password fails to prompt for approval when using Hyprland
I am using Hyprland, a dynamic Wayland compositor. When I execute git commit -m "chore: initial commit :tada:" I do not see a prompt. The behavior repeats for regular ssh commands as well. I did some searching but could not find anything specific about this issue anywhere else, so I am posting here. I guess this has something to do with Hyprland being incorrectly identified as Sway somehow.

My debug logs show the following:

    DEBUG 2025-01-23T15:43:15.270+00:00 runtime-worker(ThreadId(16)) [1P:ssh/op-ssh-agent/src/lib.rs:261] connection received
    DEBUG 2025-01-23T15:43:15.271+00:00 ThreadId(22) [1P:data/op-db/src/core_db/transaction.rs:66] COMMIT(tx#266(get_all_ssh_pubkeys))
    DEBUG 2025-01-23T15:43:15.271+00:00 ThreadId(22) [1P:data/op-db/src/core_db/transaction.rs:66] COMMIT(tx#267(get_ssh_pubkey))
    DEBUG 2025-01-23T15:43:15.271+00:00 ThreadId(22) [1P:data/op-db/src/core_db/transaction.rs:66] COMMIT(tx#268(save_ssh_pubkey))
    DEBUG 2025-01-23T15:43:15.285+00:00 ThreadId(22) [1P:data/op-db/src/core_db/transaction.rs:66] COMMIT(tx#269(get_ssh_pubkey))
    DEBUG 2025-01-23T15:43:15.285+00:00 ThreadId(22) [1P:data/op-db/src/core_db/transaction.rs:66] COMMIT(tx#270(save_ssh_pubkey))
    DEBUG 2025-01-23T15:43:15.290+00:00 runtime-worker(ThreadId(3)) [1P:ssh/op-ssh-agent/src/lib.rs:541] Handling SSH agent message: RequestIdentities
    DEBUG 2025-01-23T15:43:15.291+00:00 ThreadId(22) [1P:data/op-db/src/core_db/transaction.rs:66] COMMIT(tx#271(get_all_ssh_pubkeys))
    DEBUG 2025-01-23T15:43:15.291+00:00 ThreadId(22) [1P:data/op-db/src/core_db/transaction.rs:66] COMMIT(tx#272(get_all_ssh_pubkeys))
    DEBUG 2025-01-23T15:43:15.291+00:00 ThreadId(22) [1P:data/op-db/src/core_db/transaction.rs:66] COMMIT(tx#273(get_ssh_pubkey))
    DEBUG 2025-01-23T15:43:15.291+00:00 ThreadId(22) [1P:data/op-db/src/core_db/transaction.rs:66] COMMIT(tx#274(save_ssh_pubkey))
    DEBUG 2025-01-23T15:43:15.296+00:00 ThreadId(22) [1P:data/op-db/src/core_db/transaction.rs:66] COMMIT(tx#275(get_ssh_pubkey))
    DEBUG 2025-01-23T15:43:15.296+00:00 ThreadId(22) [1P:data/op-db/src/core_db/transaction.rs:66] COMMIT(tx#276(save_ssh_pubkey))
    DEBUG 2025-01-23T15:43:15.301+00:00 runtime-worker(ThreadId(16)) [1P:ssh/op-ssh-agent/src/lib.rs:541] Handling SSH agent message: SignRequest
    DEBUG 2025-01-23T15:43:15.302+00:00 runtime-worker(ThreadId(16)) [1P:foundation/op-linux-window/src/linux.rs:40] failed to connect to swaywm
    DEBUG 2025-01-23T15:43:15.303+00:00 runtime-worker(ThreadId(16)) [1P:ssh/op-ssh-agent/src/lib.rs:570] process info for client: SessionProcess { pid: 26152, tty_pid: Some(26153), executable_path: /usr/bin/foot, command_line: <Vec < String >>, application_name: <Option < String >>, application_icon: <Option < PathBuf >>, bundle_id: <Option < String >>, freedesktop_file: None }
    DEBUG 2025-01-23T15:43:15.303+00:00 ThreadId(22) [1P:data/op-db/src/core_db/transaction.rs:66] COMMIT(tx#277(get_all_ssh_pubkeys))
    DEBUG 2025-01-23T15:43:15.426+00:00 runtime-worker(ThreadId(16)) [1P:app/op-app/src/app/backend.rs:360] Invoked: Config
    DEBUG 2025-01-23T15:43:15.431+00:00 ThreadId(22) [1P:data/op-db/src/resources_db/transaction.rs:32] COMMIT(tx#114(resource))
    INFO 2025-01-23T15:44:15.272+00:00 runtime-worker(ThreadId(10)) [1P:ssh/op-ssh-agent/src/lib.rs:380] ssh authorization prompt timed out
    DEBUG 2025-01-23T15:44:15.272+00:00 runtime-worker(ThreadId(10)) [1P:ssh/op-ssh-agent/src/lib.rs:895] Cannot broadcast authorization prompt result; channel closed

1Password gets the request but fails to open the approval window due to the fact that it is trying to connect to swaywm.

FYI: I can connect to the 1Password SSH agent from the terminal, already verified that by looking at a few other community threads.

Is there anything I can do to help further debug or fix this issue? Not sure if this code is open so I can do a PR, but I would be more than happy to do so. Any help appreciated! Thank you.
1Password Version: 8.10.54 | Extension Version: 8.10.56.28 | OS Version: Arch Linux 6.12.10-arch1-1 | Browser: Not Provided
Solved | 933 Views | 3 likes | 10 Comments

op-ssh-sign is very slow
First of all, the SSH Agent is very nice! Thanks for this awesome feature. Just wondering, the op-ssh-sign feels very slow and sluggish to me, especially when I'm using it for commit signing operations. I don't know if op-ssh-sign is the issue or if it's the ssh-agent. Signing a commit may take several seconds.

1Password Version: 8.10.16 | Extension Version: Not Provided | OS Version: Arch Linux | Browser: Not Provided
365 Views | 3 likes | 4 Comments

Feature idea: when creating ssh keys, consider option to auto add comment to end of public key
When copying and pasting public keys to remote servers, it is helpful if they include a comment to easily identify keys when reviewing authorized_keys.

Under Developer options, consider having a flag to auto-add a comment to the key, so if generating a key for "web apps server bronze 2022" it might add a comment at the end:

    == 1password-web-apps-server-bronze-2022

Alternatively, you could have an ssh comment field in 1Password, and whatever the user defines is automatically added to the end of the public key.

1Password Version: 8 | Extension Version: Not Provided | OS Version: Not Provided
Solved | 721 Views | 3 likes | 4 Comments

ssh agent errors on older Cisco devices
It looks like there is an issue with the SSH agent when connecting to equipment using ssh-rsa for the host keys. Using ssh-rsa auth keys works fine, I am able to use the same key to connect to Ubuntu machines and other newer equipment.

This is the error I get when connecting to a Cisco switch running IOS 15.2(7)E5:

    debug1: Offering public key: /Users/user/.ssh/id_rsa RSA SHA256:hash agent
    debug3: send packet: type 50
    debug2: we sent a publickey packet, wait for reply
    debug3: receive packet: type 60
    debug1: Server accepts key: /Users/user/.ssh/id_rsa RSA SHA256:hash agent
    debug3: sign_and_send_pubkey: using publickey with RSA SHA256:hash
    debug3: sign_and_send_pubkey: signing using ssh-rsa SHA256:hash
    sign_and_send_pubkey: signing failed for RSA "/Users/user/.ssh/id_rsa" from agent: agent refused operation

This is what the 1Password log shows:

    WARN 2024-12-03T21:51:12.504+00:00 runtime-worker(ThreadId(8)) [1P:ssh/op-ssh-keys/src/private_key.rs:196] signing with ssh-rsa; SHA-1 may be insecure
    ERROR 2024-12-03T21:51:12.504+00:00 runtime-worker(ThreadId(8)) [1P:/Users/build/4kwQZK_M/0/dev/core/core/ssh/op-ssh-agent/src/lib.rs:665] Error handling sign request: UnsupportedOperation
    ERROR 2024-12-03T21:58:15.937+00:00 runtime-worker(ThreadId(2)) [1P:/Users/build/4kwQZK_M/0/dev/core/core/ssh/op-ssh-agent/src/lib.rs:665] Error handling sign request: UnsupportedOperation

These are required configs to connect to these switches in the ssh config file:

    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa

Is there a way to connect to these older devices with the 1Password agent? For now I am using the -i flag and supplying my original key file as a workaround. I'm really trying to get rid of these key files on my machine now.

1Password Version: 8.10.54 | Extension Version: Not Provided | OS Version: macOS 15.1.1 | Browser: Not Provided
144 Views | 2 likes | 2 Comments

Can't export SSH private key with empty passphrase in Android
I'm using the 1Password Android app version 8.10.54. When exporting an SSH private key, a dialog appears asking me to enter a passphrase to encrypt the exported key. In the dialog, it states that if you leave the passphrase empty, the exported key will be in plain text. However, when I click the "Copy Private Key Without Encryption" button below, the input box turns red and nothing else happens. It seems like the input box is incorrectly set to require an entry. In the Mac version of 1Password, the "Copy Private Key Unencrypted" button works perfectly, so I believe it's a bug in the Android version.

1Password Version: 8.10.54 | Extension Version: Not Provided | OS Version: Android 14 One UI 6.1.1 | Browser: Not Provided
59 Views | 2 likes | 0 Comments

SSH Agent not working after 8.10.54 update
After updating from 8.10.52 to 8.10.54, SSH Agent is no longer working as expected, and the issue persists in the 8.10.56 beta update.

When attempting to SSH into a server, the prompt appears and the request is approved, but the SSH client gets an error from the agent:

    sign_and_send_pubkey: signing failed for RSA "SSH Key" from agent: agent refused operation

Have also attempted enabling/disabling ssh agent, reinstalling 1Password etc. Issue also occurs for other users in my business account.

1Password Version: 8.5.52 | Extension Version: Not Provided | OS Version: Mac 15.1 | Browser: Not Provided
193 Views | 2 likes | 5 Comments

[wayland] signing failed: communication with agent failed
Similar to what has been reported in https://1password.community/discussion/comment/630417

    ssh -T git@github.zattoo.com
    sign_and_send_pubkey: signing failed for ED25519 "id_ed25519" from agent: communication with agent failed
    git@github.zattoo.com: Permission denied (publickey).

This is what I see in $HOME/.config/1Password/logs/1Password_rCURRENT.log

    INFO 2024-09-10T08:34:31.842+00:00 tokio-runtime-worker(ThreadId(121)) [1P:foundation/op-system-auth/src/lib.rs:327] Biometry is available for 1 or more accounts
    INFO 2024-09-10T08:35:31.795+00:00 tokio-runtime-worker(ThreadId(7)) [1P:ssh/op-ssh-agent/src/lib.rs:366] ssh authorization prompt timed out

openssh version: 9.8p1-1

1Password Version: 8.10.44-34 | Extension Version: 8.10.44.34 | OS Version: archlinux | Browser: Brave
123 Views | 2 likes | 0 Comments