fix(ssh): ensure environment variable algorithms are always honored

[billchurch]

Summary

Ensures user-provided SSH algorithm environment variables (e.g., WEBSSH2_SSH_ALGORITHMS_KEX) are always honored by WebSSH2.

Problem

Problem reported that SSH algorithm environment variables were ignored on first connections but worked on reconnects. Investigation revealed:

• The ssh2 library uses its own DEFAULT_KEX algorithms when none are explicitly passed to client.connect()
• ssh2's DEFAULT_KEX only includes modern algorithms (curve25519, ecdh-nistp*, etc.)
• ssh2's SUPPORTED_KEX includes legacy algorithms like diffie-hellman-group14-sha1
• When algorithms weren't explicitly passed, ssh2 fell back to its defaults, ignoring user configuration

This caused connections to legacy SSH servers (e.g., those only supporting diffie-hellman-group14-sha1) to fail even when users correctly configured the algorithm via environment variables.

Root Cause

In app/services/ssh/ssh-service.ts, the buildConnectConfig() method only passed algorithms to ssh2 when config.algorithms !== undefined. In edge cases where the connection config lacked algorithms, ssh2 would use its own defaults instead of the server's configured defaults (which honor env vars).

Solution

Always explicitly pass algorithms to ssh2, using server config defaults as fallback:

const serverAlgorithms = this.deps.config.ssh.algorithms
const algorithmsToUse = config.algorithms ?? {
  kex: serverAlgorithms.kex,
  cipher: serverAlgorithms.cipher,
  serverHostKey: serverAlgorithms.serverHostKey,
  hmac: serverAlgorithms.hmac,
  compress: serverAlgorithms.compress
}

if (config.algorithms === undefined) {
  logger('WARNING: No algorithms in connection config, using server defaults')
}

connectConfig.algorithms = algorithmsToUse

Changes

File	Change
app/services/ssh/ssh-service.ts	THE FIX: Always pass algorithms with fallback + warning log
app/config.ts	Debug logging for config loading timeline
app/socket/adapters/ssh-config.ts	Per-connection algorithm logging
index.ts	Startup verification logging
tests/test-utils.ts	Fix mock config to include ssh.algorithms
tests/unit/socket-v2-test-utils.ts	Fix mock config to include ssh.algorithms
tests/unit/socket-v2-exec-edge-cases.vitest.ts	Fix test expectation to match actual behavior

Verification

1. Test with Custom Algorithms

WEBSSH2_SSH_ALGORITHMS_KEX="ecdh-sha2-nistp256,diffie-hellman-group14-sha1" DEBUG=webssh2:* npm run start

Expected: Config loading should show env vars being read, startup log should show custom KEX algorithms.

2. Test with Legacy SSH Server

WEBSSH2_SSH_ALGORITHMS_KEX="diffie-hellman-group14-sha1" DEBUG=webssh2:* npm run start

Connect to a legacy SSH server - should succeed now.

3. Verify Fallback Warning

The warning WARNING: No algorithms in connection config, using server defaults should NOT appear in normal operation. If it does, it indicates a bug in the config passing flow.

Test plan

• Build passes
• Lint passes
• Type checking passes
• All 904 unit/integration tests pass
• Manual test with custom algorithm env vars
• Manual test with legacy SSH server (if available)

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud