I’m very perplexed by this. I’ve been switching over to using 1Password’s SSH agent on my Mac. Most things work fine, but deploying my Trellis projects now fails at the “TASK [deploy : Clone project files]” step with a message “signing failed for ED25519 \"GitHub/GitLab SSH Auth Key\" from agent: communication with agent failed”. This is happening on multiple servers, including ones that used to work fine before I tried to put my GitHub key in 1P.
What I’ve tested and know so far:
- I can SSH into the servers manually with the 1Password agent, no problem.
- While in the server, I can ssh -T git@github.com and 1Password prompts me to authorize the proper key, and it connects just fine — so agent forwarding works.
- I can also (in the server) run a git clone or pull from my repo manually, and the SSH key from 1Password is used.
- trellis provision <environment> works perfectly.
- Debugging with trellis deploy --verbose shows that Ansible is somehow seeing the proper key from 1Password, but it can’t communicate with the agent.
Here’s the relevant portion of my ~/.ssh/config:

Host 161.35.188.103
  IdentityAgent ~/.1password/agent.sock
  ForwardAgent yes

# USED BY GIT
Host github.com gitlab.com
  IdentityAgent ~/.1password/agent.sock

And full debug output from the failing task:
TASK [deploy : Clone project files] ********************************************
task path: /Users/andron/Code/andronocean/trellis-wp-sites/trellis/roles/deploy/tasks/update.yml:26
Using module file /Users/andron/Code/andronocean/trellis-wp-sites/trellis/.trellis/virtualenv/lib/python3.10/site-packages/ansible/modules/git.py
Pipelining is enabled.
<161.35.188.103> ESTABLISH SSH CONNECTION FOR USER: web
<161.35.188.103> SSH: EXEC ssh -vvv -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o HostKeyAlgorithms=ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="web"' -o ConnectTimeout=10 -o 'ControlPath="/Users/andron/.ansible/cp/5778993b96"' 161.35.188.103 '/bin/sh -c '"'"'/usr/bin/python3 && sleep 0'"'"''
<161.35.188.103> (1, b'\n{"cmd": "/usr/bin/git ls-remote git@github.com:andronocean/wordpress-sandbox-bedrock.git -h refs/heads/master", "rc": 128, "stdout": "", "stderr": "sign_and_send_pubkey: signing failed for ED25519 \\"GitHub/GitLab SSH Auth Key\\" from agent: communication with agent failed\\r\\ngit@github.com: Permission denied (publickey).\\r\\nfatal: Could not read from remote repository.\\n\\nPlease make sure you have the correct access rights\\nand the repository exists.\\n", "failed": true, "msg": "sign_and_send_pubkey:********@github.com: Permission denied (publickey).\\r\\nfatal: Could not read from remote repository.\\n\\nPlease make sure you have the correct access rights\\nand the repository exists.", "invocation": {"module_args": {"repo": "git@github.com:andronocean/wordpress-sandbox-bedrock.git", "dest": "/srv/www/sandbox.andronocean.com/shared/source", "version": "master", "accept_hostkey": true, "force": true, "remote": "origin", "clone": true, "update": true, "verify_commit": false, "gpg_whitelist": [], "accept_newhostkey": false, "bare": false, "recursive": true, "single_branch": false, "track_submodules": false, "refspec": null, "reference": null, "depth": null, "key_file": null, "ssh_opts": null, "executable": null, "umask": null, "archive": null, "archive_prefix": null, "separate_git_dir": null}}}\n', b"OpenSSH_9.3p1, OpenSSL 1.1.1t 7 Feb 2023\r\ndebug1: Reading configuration data /Users/andron/.ssh/config\r\ndebug1: /Users/andron/.ssh/config line 30: Applying options for 161.35.188.103\r\ndebug1: Reading configuration data /usr/local/etc/ssh/ssh_config\r\ndebug2: resolve_canonicalize: hostname 161.35.188.103 is address\r\ndebug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/andron/.ssh/known_hosts'\r\ndebug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/andron/.ssh/known_hosts2'\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master 
version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 8962\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 1\r\n")
<161.35.188.103> Failed to connect to the host via ssh: OpenSSH_9.3p1, OpenSSL 1.1.1t 7 Feb 2023
debug1: Reading configuration data /Users/andron/.ssh/config
debug1: /Users/andron/.ssh/config line 30: Applying options for 161.35.188.103
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname 161.35.188.103 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/andron/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/andron/.ssh/known_hosts2'
debug1: auto-mux: Trying existing master
debug2: fd 3 setting O_NONBLOCK
debug2: mux_client_hello_exchange: master version 4
debug3: mux_client_forwards: request forwardings: 0 local, 0 remote
debug3: mux_client_request_session: entering
debug3: mux_client_request_alive: entering
debug3: mux_client_request_alive: done pid = 8962
debug3: mux_client_request_session: session request sent
debug1: mux_client_request_session: master session id: 2
debug3: mux_client_read_packet: read header failed: Broken pipe
debug2: Received exit status from master 1
fatal: [161.35.188.103]: FAILED! => {
"changed": false,
"cmd": "/usr/bin/git ls-remote git@github.com:andronocean/wordpress-sandbox-bedrock.git -h refs/heads/master",
"invocation": {
"module_args": {
"accept_hostkey": true,
"accept_newhostkey": false,
"archive": null,
"archive_prefix": null,
"bare": false,
"clone": true,
"depth": null,
"dest": "/srv/www/sandbox.andronocean.com/shared/source",
"executable": null,
"force": true,
"gpg_whitelist": [],
"key_file": null,
"recursive": true,
"reference": null,
"refspec": null,
"remote": "origin",
"repo": "git@github.com:andronocean/wordpress-sandbox-bedrock.git",
"separate_git_dir": null,
"single_branch": false,
"ssh_opts": null,
"track_submodules": false,
"umask": null,
"update": true,
"verify_commit": false,
"version": "master"
}
},
"msg": "sign_and_send_pubkey:********@github.com: Permission denied (publickey).\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.",
"rc": 128,
"stderr": "sign_and_send_pubkey: signing failed for ED25519 \"GitHub/GitLab SSH Auth Key\" from agent: communication with agent failed\r\ngit@github.com: Permission denied (publickey).\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n",
"stderr_lines": [
"sign_and_send_pubkey: signing failed for ED25519 \"GitHub/GitLab SSH Auth Key\" from agent: communication with agent failed",
"git@github.com: Permission denied (publickey).",
"fatal: Could not read from remote repository.",
"",
"Please make sure you have the correct access rights",
"and the repository exists."
],
"stdout": "",
"stdout_lines": []
}
...ignoring
TASK [deploy : Failed connection to remote repo] *******************************
task path: /Users/andron/Code/andronocean/trellis-wp-sites/trellis/roles/deploy/tasks/update.yml:37
fatal: [161.35.188.103]: FAILED! => {
"changed": false,
"msg": "Git repo git@github.com:andronocean/wordpress-sandbox-bedrock.git on branch master cannot be accessed. Please verify the repository/branch are correct and you have SSH forwarding set up correctly.\nMore info:\n> https://roots.io/trellis/docs/deploys/#ssh-keys\n> https://roots.io/trellis/docs/ssh-keys/#cloning-remote-repo-using-ssh-agent-forwarding\n\nError:\nsign_and_send_pubkey:********@github.com: Permission denied (publickey).\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n"
}
I’ve tried on projects with Trellis v1.21.0 and v1.20.1. trellis-cli is version 1.11.0.
Has anyone else tried the 1Password SSH agent and gotten it to work? Right now I’m thinking this is an incompatibility between it and something in Ansible’s git system…
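
An added example (not part of the original post, and not Trellis or Ansible code): a small parser that pulls the connection-multiplexing and agent-signing facts out of `ssh -vvv` / Ansible output like the log above, so the two signals can be read side by side. The names `summarize` and `describe` and the sample text are constructed for illustration.

```python
import re

# Constructed sample: lines condensed from the debug output quoted in the post.
SAMPLE = """\
debug1: auto-mux: Trying existing master
debug3: mux_client_request_alive: done pid = 8962
debug1: mux_client_request_session: master session id: 2
debug3: mux_client_read_packet: read header failed: Broken pipe
debug2: Received exit status from master 1
sign_and_send_pubkey: signing failed for ED25519 "GitHub/GitLab SSH Auth Key" from agent: communication with agent failed
git@github.com: Permission denied (publickey).
"""

PATTERNS = {
    "master_pid": re.compile(r"mux_client_request_alive: done pid = (\d+)"),
    "session_id": re.compile(r"mux_client_request_session: master session id: (\d+)"),
    "exit_status": re.compile(r"Received exit status from master (\d+)"),
}
# Tolerates the backslash-escaped quotes and \r\n of the JSON-wrapped copy.
SIGN_FAIL = re.compile(
    r'signing failed for (\S+) \\*"(.+?)\\*" from agent: (.+?)(?:\\+[rn]|$)')

def summarize(output):
    """Collect the multiplexing and agent facts present in ssh/Ansible output."""
    facts = {"reused_master": False, "master_pid": None, "session_id": None,
             "exit_status": None, "key_type": None, "key_comment": None,
             "agent_error": None}
    for line in output.splitlines():
        if "auto-mux: Trying existing master" in line:
            facts["reused_master"] = True
        for name, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                facts[name] = int(m.group(1))
        m = SIGN_FAIL.search(line)
        if m:
            facts["key_type"], facts["key_comment"], facts["agent_error"] = m.groups()
    return facts

def describe(facts):
    """One-line summary suitable for a ticket or a deploy log annotation."""
    parts = []
    if facts["reused_master"] and facts["master_pid"] is not None:
        parts.append(f"session multiplexed over existing master pid {facts['master_pid']}")
    if facts["agent_error"]:
        parts.append(f"remote agent signing with {facts['key_type']} key "
                     f"'{facts['key_comment']}' failed: {facts['agent_error']}")
    return "; ".join(parts) or "no mux or agent findings"

if __name__ == "__main__":
    print(describe(summarize(SAMPLE)))
```

The output shows that the task ran through an already-running ControlMaster process and that the remote `git` could see the key but not get a signature; it does not show how that master's agent forwarding was set up.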