Hi, I am just starting to use the agent, and while it’s been good so far, I can’t seem to use keys where I’ve configured user interaction requirements, specifically when the user interaction involves a hardware key.
In my case, I’m using OnlyKey to confirm user presence, which works as intended with my normal ssh agent: I specify the private key, stored locally on my machine, when connecting, and am then prompted to touch my OnlyKey to confirm my presence. When attempting to use the same private key with the Bitwarden SSH Agent, I receive this error:
sign_and_send_pubkey: signing failed for ED25519-SK "/home/*****/.ssh/id_mykey_sk" from agent: agent refused operation
The good news is that I am then denied access when attempting to authenticate from my Linux machine (running Ubuntu 24.02).
However, when attempting the same operation on a Windows machine in PowerShell, I receive the same error but still authenticate (this is likely a bug, not sure who the remediation rests with though), which is concerning. I can create a separate bug report for that issue, but I’m not very experienced with posting on forums, so I ask other members to guide me on how to report that if need be.
Regardless, the error is still an issue for me since it makes this particular key unusable in its intended function, or just completely unusable.
My preliminary research into similar functionality with KeePassXC seems to indicate that there is a package called ssh-askpass that can be used with that software to remediate the issue.
I tried installing the package on my Ubuntu machine and added an environment variable to my .bashrc (export SSH_ASKPASS=/usr/bin/ssh-askpass) but no luck - which leads me to believe this is not a feature that the Bitwarden SSH Agent currently accommodates.
All that to say that if someone has found a workaround for using the Bitwarden SSH Agent with private keys that require user interaction, such as confirming user presence via touching a hardware key, I’d really appreciate it if you could tell me how to make this work with the Bitwarden SSH Agent.
Otherwise, it would be great to see this functionality incorporated into the tool. For clarity, I am experiencing this issue with the Bitwarden desktop client and have tested with both self-hosted and normal cloud-hosted Bitwarden. Thank you.