SSH agent host: add agent forwarding setting & fix encrypted key failures (#312013)

* Skip fallback privateKey when SSH agent socket is present

When using Agent auth, _connectSSH was loading the first default key file (~/.ssh/id_ed25519, etc.) as a fallback privateKey alongside the agent socket. ssh2 parses privateKey eagerly before attempting agent auth, so if the key is passphrase-encrypted the connection fails immediately with "Cannot parse privateKey: Encrypted private OpenSSH key detected, but no passphrase given", even though the key is already loaded in the agent and would work fine.

Keep the fallback key logic for cases where no SSH agent is available (SSH_AUTH_SOCK unset), so publickey auth can still be attempted via the raw key file. But skip it when an agent socket is present; in that case the agent should have the keys loaded, and passing an encrypted key file alongside the agent can only cause problems.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Add chat.agentHost.forwardSSHAgent setting for SSH agent forwarding

Add a new boolean setting that enables OpenSSH agent forwarding (auth-agent@openssh.com) on SSH agent host connections. When enabled and the connection uses Agent auth, sets agentForward=true in the ssh2 connect config so the remote machine can use the local SSH agent.

- Add agentForward field to ISSHAgentHostConfig
- Register chat.agentHost.forwardSSHAgent setting (default: false)
- Read the setting in the renderer-side _augmentConfig
- Apply agentForward in _connectSSH when agent socket is present

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Address code review comments

- Add security warning to chat.agentHost.forwardSSHAgent setting description
- Pass error object to warn() instead of stringifying it
- Prompt for auth method when non-default IdentityFile is configured (so users without an SSH agent can still choose KeyFile)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Refactor _augmentConfig to use if statements instead of spread tricks

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Revert unnecessary changes to remoteAgentHostActions.ts

The encrypted key fix is handled server-side in _connectSSH and reconnect. No need to change the UI connect flow.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Josh Spicer committed
515c4fb946d9f61845d6a17270882885452f0ec3
Parent: f9eafcd
Committed by GitHub <noreply@github.com>
on 4/23/2026, 3:47:28 AM
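
The connection logic described in the commit message, as an added sketch that is not code from this commit or its repository. `buildConnectConfig`, `isEncryptedOpenSSHKey`, `sampleKey` and the `needsPassphrase` flag are hypothetical names; the option keys (`agent`, `agentForward`, `privateKey`) are ssh2's. The encrypted-key check in the no-agent branch is an assumption that goes beyond what the commit describes.

```javascript
// Added illustration; all function names here are hypothetical.
const MAGIC = Buffer.from('openssh-key-v1\0', 'latin1');

// Reads the cipher name from an OpenSSH-format private key without decrypting it.
// Returns true when the cipher is anything other than "none" (passphrase needed).
function isEncryptedOpenSSHKey(pem) {
  const m = /-----BEGIN OPENSSH PRIVATE KEY-----([\s\S]*?)-----END OPENSSH PRIVATE KEY-----/.exec(pem);
  if (!m) return false; // not OpenSSH format; this check does not apply
  const raw = Buffer.from(m[1].replace(/\s+/g, ''), 'base64');
  const start = MAGIC.length + 4;
  if (raw.length < start || !raw.subarray(0, MAGIC.length).equals(MAGIC)) return false;
  const len = raw.readUInt32BE(MAGIC.length);
  if (start + len > raw.length) return false; // truncated header
  return raw.toString('latin1', start, start + len) !== 'none';
}

// Builds the options object passed to ssh2's Client.connect().
function buildConnectConfig({ host, username, forwardSSHAgent }, env, fallbackKeyPem) {
  const config = { host, username };
  const sock = env.SSH_AUTH_SOCK;
  if (sock) {
    // Agent auth: never pass privateKey next to the agent socket, because an
    // encrypted key makes ssh2 fail at parse time before the agent is tried.
    config.agent = sock;
    // Forwarding is opt-in and only meaningful with an agent socket.
    if (forwardSSHAgent === true) config.agentForward = true;
    return { config, needsPassphrase: false };
  }
  // No agent: fall back to the raw key file, flagging encrypted keys so the
  // caller can prompt instead of hitting the parse error.
  const encrypted = Boolean(fallbackKeyPem) && isEncryptedOpenSSHKey(fallbackKeyPem);
  if (fallbackKeyPem && !encrypted) config.privateKey = fallbackKeyPem;
  return { config, needsPassphrase: encrypted };
}

// Constructed sample: only the header of a key file, enough for the cipher check.
function sampleKey(cipher) {
  const name = Buffer.from(cipher, 'latin1');
  const len = Buffer.alloc(4);
  len.writeUInt32BE(name.length);
  const b64 = Buffer.concat([MAGIC, len, name]).toString('base64');
  return `-----BEGIN OPENSSH PRIVATE KEY-----\n${b64}\n-----END OPENSSH PRIVATE KEY-----\n`;
}
```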