SSH agent host: add agent forwarding setting & fix encrypted key failures #312013
Merged
joshspicer merged 2 commits into main on Apr 23, 2026
Pull request overview
This PR updates the SSH remote agent host implementation to avoid ssh2 failures when passphrase-encrypted keyfiles are present but an SSH agent is available, and adds an opt-in setting to enable OpenSSH agent forwarding for remote agent host connections.
Changes:
- Avoid reading/parsing fallback key files when an SSH agent socket is present to prevent `ssh2` encrypted-key parsing failures.
- Add `chat.agentHost.forwardSSHAgent` (default `false`, `experimental`) and propagate `agentForward` through connect/reconnect flows.
- Update logging and add test coverage for the new auth/forwarding behaviors.
Show a summary per file
| File | Description |
|---|---|
| src/vs/sessions/contrib/remoteAgentHost/browser/remoteAgentHostActions.ts | Adjusts SSH connect UI defaults to avoid auto-selecting KeyFile; records IdentityFile for optional user selection. |
| src/vs/sessions/contrib/remoteAgentHost/browser/remoteAgentHost.contribution.ts | Registers the new chat.agentHost.forwardSSHAgent setting. |
| src/vs/platform/agentHost/test/node/sshRemoteAgentHostService.test.ts | Adds/updates tests for agent auth fallback behavior and agentForward flag propagation. |
| src/vs/platform/agentHost/node/sshRemoteAgentHostService.ts | Implements the new reconnect signature, skips fallback privateKey when agent is present, and applies agentForward to ssh2 connect config. |
| src/vs/platform/agentHost/electron-browser/sshRemoteAgentHostServiceImpl.ts | Reads the new setting, disconnects on setting change, and forwards agentForward on connect/reconnect. |
| src/vs/platform/agentHost/common/sshRemoteAgentHost.ts | Extends ISSHAgentHostConfig with agentForward and updates the main-service reconnect API. |
Copilot's findings
- Files reviewed: 6/6 changed files
- Comments generated: 3
roblourens requested changes on Apr 23, 2026
When using Agent auth, _connectSSH was loading the first default key file (~/.ssh/id_ed25519, etc.) as a fallback privateKey alongside the agent socket. ssh2 parses privateKey eagerly before attempting agent auth, so if the key is passphrase-encrypted the connection fails immediately with "Cannot parse privateKey: Encrypted private OpenSSH key detected, but no passphrase given" even though the key is already loaded in the agent and would work fine.

Keep the fallback key logic for cases where no SSH agent is available (SSH_AUTH_SOCK unset), so publickey auth can still be attempted via the raw key file. But skip it when an agent socket is present: in that case the agent should have the keys loaded, and passing an encrypted key file alongside the agent can only cause problems.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add a new boolean setting that enables OpenSSH agent forwarding (auth-agent@openssh.com) on SSH agent host connections. When enabled and the connection uses Agent auth, sets agentForward=true in the ssh2 connect config so the remote machine can use the local SSH agent.

- Add agentForward field to ISSHAgentHostConfig
- Register chat.agentHost.forwardSSHAgent setting (default: false)
- Read the setting in the renderer-side _augmentConfig
- Apply agentForward in _connectSSH when agent socket is present

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Address code review comments

- Add security warning to chat.agentHost.forwardSSHAgent setting description
- Pass error object to warn() instead of stringifying it
- Prompt for auth method when non-default IdentityFile is configured (so users without an SSH agent can still choose KeyFile)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Refactor _augmentConfig to use if statements instead of spread tricks

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Revert unnecessary changes to remoteAgentHostActions.ts

The encrypted key fix is handled server-side in _connectSSH and reconnect. No need to change the UI connect flow.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
roblourens approved these changes on Apr 23, 2026
Two changes to the SSH remote agent host:

1. Skip fallback privateKey when SSH agent socket is present

`ssh2` eagerly parses `privateKey` at connect time — before attempting any auth. If the key is passphrase-encrypted this immediately throws "Cannot parse privateKey: Encrypted private OpenSSH key detected, but no passphrase given", even when the key is already loaded in the SSH agent.

2. Add `chat.agentHost.forwardSSHAgent` setting

Adds an opt-in setting that enables OpenSSH agent forwarding on SSH connections, allowing tools running under the remote agent host to authenticate using the local user's SSH keys.
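
The auth selection described in this PR, as an added example that is not the PR's code or VS Code's implementation: `isEncryptedOpenSSHKey`, `buildAuthConfig` and `fakeKey` are hypothetical names, and only `agent`, `privateKey` and `agentForward` are ssh2 connect-config fields. It goes one step beyond the PR by reading the cipher name from the OpenSSH key container, so an encrypted fallback key is skipped with a reason when no agent is available.

```javascript
// Added example; helper names are hypothetical, not VS Code's implementation.
const MAGIC = Buffer.from('openssh-key-v1\0', 'latin1');
const PEM_RE = /-----BEGIN OPENSSH PRIVATE KEY-----([\s\S]*?)-----END OPENSSH PRIVATE KEY-----/;

// True when an OpenSSH-container key names a cipher other than "none".
// Layout after the magic: uint32 length + ciphername, then kdfname, ...
function isEncryptedOpenSSHKey(pem) {
  const m = PEM_RE.exec(pem);
  if (!m) return false; // other containers (legacy PEM) are not inspected here
  const raw = Buffer.from(m[1].replace(/\s+/g, ''), 'base64');
  const start = MAGIC.length + 4;
  if (raw.length < start || !raw.subarray(0, MAGIC.length).equals(MAGIC)) return false;
  const end = start + raw.readUInt32BE(MAGIC.length);
  return end <= raw.length && raw.toString('latin1', start, end) !== 'none';
}

// Build the auth part of an ssh2 connect config.
// env: environment map; forwardSSHAgent: the opt-in setting;
// readFallbackKey: returns the default key file's text, or undefined.
function buildAuthConfig({ env, forwardSSHAgent, readFallbackKey }) {
  const sock = env.SSH_AUTH_SOCK;
  if (sock) {
    // Agent present: never hand ssh2 a key file, it is parsed eagerly.
    const config = { agent: sock };
    if (forwardSSHAgent) config.agentForward = true; // only with agent auth
    return { config, note: 'agent' };
  }
  const pem = readFallbackKey();
  if (!pem) return { config: {}, note: 'no-credentials' };
  if (isEncryptedOpenSSHKey(pem)) {
    // Without a passphrase ssh2 would reject this key at parse time.
    return { config: {}, note: 'fallback-key-encrypted' };
  }
  return { config: { privateKey: pem }, note: 'fallback-key' };
}

// Constructed container header for the demo: not a usable key.
function fakeKey(cipher) {
  const str = (t) => {
    const len = Buffer.alloc(4);
    len.writeUInt32BE(t.length);
    return Buffer.concat([len, Buffer.from(t, 'latin1')]);
  };
  const kdf = cipher === 'none' ? 'none' : 'bcrypt';
  const b64 = Buffer.concat([MAGIC, str(cipher), str(kdf)]).toString('base64');
  return `-----BEGIN OPENSSH PRIVATE KEY-----\n${b64}\n-----END OPENSSH PRIVATE KEY-----\n`;
}
```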