Fix SSH remote agent host passphrase auth #318244

Merged: roblourens merged 3 commits into main from agents/vsckb-implement-please-investigate-and-fix-https-6a10c92d on May 26, 2026

@roblourens
Member

Fixes #317549

This updates the Agents window SSH remote agent host auth path to honor resolved SSH config agent settings and encrypted private keys.

  • Preserve IdentityAgent from ssh -G and pass it into ssh2 agent auth, including IdentityAgent none and IdentityAgent SSH_AUTH_SOCK.
  • Detect encrypted private keys and prompt for their passphrase via the existing quick-input keyboard-interactive bridge before handing the key to ssh2.
  • Pass resolved identity agent info through configured-host connect and reconnect paths.
  • Add focused SSH config parsing and auth handler coverage.

Validation:

  • npm run compile-check-ts-native
  • npm run valid-layers-check
  • ./scripts/test.sh --run src/vs/platform/agentHost/test/common/sshConfigParsing.test.ts --run src/vs/platform/agentHost/test/node/sshRemoteAgentHostService.test.ts --timeout 10000
  • npm run precommit

Support IdentityAgent from resolved SSH config and prompt for encrypted private key passphrases when connecting SSH remote agent hosts.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
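
The IdentityAgent handling described above, as an added example that is not code from this PR or from VS Code: it reads `identityagent` from `ssh -G` output and applies the rules ssh_config(5) documents for `none`, `SSH_AUTH_SOCK` and `$NAME` values. The helper names, the sample output and the `WORK_AGENT_SOCK` variable are assumptions made for illustration.

```javascript
// Constructed sample of `ssh -G <host>` output (not taken from the PR).
const SAMPLE_SSH_G = [
  'hostname build01.example.test',
  'user deploy',
  'identityfile ~/.ssh/id_ed25519',
  'identityagent $WORK_AGENT_SOCK',
].join('\n');

// Hypothetical helper: return the raw `identityagent` value, or undefined
// when the directive is absent from the resolved config.
function parseIdentityAgent(sshGOutput) {
  for (const line of sshGOutput.split(/\r?\n/)) {
    const m = /^identityagent\s+(.+?)\s*$/i.exec(line);
    if (m) return m[1];
  }
  return undefined;
}

// Hypothetical helper: map the raw value to an agent decision using the
// rules ssh_config(5) documents for IdentityAgent.
function resolveIdentityAgent(raw, env, homeDir) {
  if (raw === undefined) {
    // Directive absent: default agent from the environment, if any.
    return { useAgent: Boolean(env.SSH_AUTH_SOCK), socket: env.SSH_AUTH_SOCK };
  }
  if (raw === 'none') {
    // Explicit opt-out: never fall back to SSH_AUTH_SOCK here.
    return { useAgent: false, socket: undefined };
  }
  let socket = raw;
  if (raw === 'SSH_AUTH_SOCK') {
    socket = env.SSH_AUTH_SOCK;
  } else if (raw.startsWith('$')) {
    // "$NAME" names an environment variable holding the socket path.
    socket = env[raw.slice(1)];
  } else if (raw.startsWith('~/')) {
    // Defensive: expand a leading ~ if the value arrives unexpanded.
    socket = homeDir + raw.slice(1);
  }
  // Assumption of this example: an unset variable means "no agent", not a
  // silent fallback to some other agent.
  return { useAgent: Boolean(socket), socket };
}
```

Treating `none` as a hard opt-out matters for hosts where the user has deliberately kept agent-held keys out of reach.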
Copilot AI review requested due to automatic review settings May 25, 2026 19:33
Contributor

Copilot AI left a comment

Pull request overview

This PR fixes SSH-based Remote Agent Host connections in the Agents window by honoring ssh -G resolved IdentityAgent settings and supporting encrypted private keys via a passphrase prompt, improving parity with OpenSSH behavior and unblocking common SSH setups (e.g. Pageant / custom agents and encrypted keys).

Changes:

  • Propagate IdentityAgent from ssh -G through configured-host connect and reconnect flows, and resolve it to the correct agent endpoint (including none / SSH_AUTH_SOCK / env refs).
  • Detect encrypted private keys (PEM + OpenSSH format) and prompt for a passphrase via the existing keyboard-interactive quick-input bridge before handing credentials to ssh2.
  • Extend SSH config parsing and add focused unit coverage for IdentityAgent parsing, agent selection precedence, and passphrase handling.
| File | Description |
| --- | --- |
| src/vs/sessions/contrib/providers/remoteAgentHost/REMOTE_AGENT_HOST_SESSIONS_PROVIDER.md | Updates provider behavior notes to include IdentityAgent + encrypted key passphrase flow. |
| src/vs/sessions/contrib/providers/remoteAgentHost/browser/remoteAgentHostActions.ts | Passes resolved identityAgent through SSH config connect and manual fallback flows. |
| src/vs/platform/agentHost/common/sshRemoteAgentHost.ts | Extends SSH config and resolved config shapes to include identityAgent. |
| src/vs/platform/agentHost/common/sshConfigParsing.ts | Parses identityagent from ssh -G output. |
| src/vs/platform/agentHost/node/sshRemoteAgentHostService.ts | Implements IdentityAgent resolution, encrypted key detection, and passphrase prompting via auth handler. |
| src/vs/platform/agentHost/test/common/sshConfigParsing.test.ts | Adds coverage for identityagent parsing and updates expected resolved-config shape. |
| src/vs/platform/agentHost/test/node/sshRemoteAgentHostService.test.ts | Adds coverage for IdentityAgent precedence and encrypted key passphrase plumbing. |
| src/vs/platform/agentHost/test/electron-browser/sshRemoteAgentHostService.test.ts | Updates mock resolved-config shape to include identityAgent. |

Copilot's findings

  • Files reviewed: 8/8 changed files
  • Comments generated: 1

Comment on lines +38 to +39
/** SSH agent endpoint resolved from IdentityAgent, or undefined to use the default agent. */
readonly identityAgent?: string;
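Review bot: The doc comment on `identityAgent` describes only two states, a resolved endpoint or `undefined` for the default agent, but the PR description also lists `IdentityAgent none` as supported, and the comment does not say how that "agent disabled" case is represented in this field. Please document whether `none` is carried here as a literal value or mapped elsewhere, so a caller cannot mistake it for a socket path or for "use the default agent".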
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
When the configured agent has the identity loaded, auth should succeed before we ever read an encrypted IdentityFile from disk - otherwise the user gets a passphrase prompt for a key the agent already holds unlocked.

Also fix _isDefaultKeyPath to normalize `~` paths so the absolute IdentityFile that `ssh -G` returns is correctly recognized as a default and not promoted to an explicit (encrypted) attempt that fires the passphrase prompt before the agent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
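
The encrypted-key detection that the PR description and review overview mention (PEM and OpenSSH formats), as an added example that is not code from this PR or from VS Code: it decides from the file headers alone whether a passphrase prompt is needed. The helper names and the sample keys are assumptions; the samples are constructed header-only blobs with no key material.

```javascript
const OPENSSH_MAGIC = Buffer.from('openssh-key-v1\0', 'latin1');
const OPENSSH_ARMOR =
  /-----BEGIN OPENSSH PRIVATE KEY-----([\s\S]*?)-----END OPENSSH PRIVATE KEY-----/;

// Hypothetical helper: true when the key file needs a passphrase.
// Only headers are inspected; no key material is decoded or logged.
function isEncryptedPrivateKey(keyText) {
  // PKCS#8 encrypted container.
  if (keyText.includes('-----BEGIN ENCRYPTED PRIVATE KEY-----')) return true;
  // Legacy PEM (RSA/DSA/EC) announces encryption in a Proc-Type header.
  if (/^Proc-Type:\s*4,ENCRYPTED\s*$/m.test(keyText)) return true;
  const armored = OPENSSH_ARMOR.exec(keyText);
  if (!armored) return false;
  // openssh-key-v1: magic, then a length-prefixed cipher name.
  const blob = Buffer.from(armored[1].replace(/\s+/g, ''), 'base64');
  const start = OPENSSH_MAGIC.length + 4;
  if (blob.length < start || !blob.subarray(0, OPENSSH_MAGIC.length).equals(OPENSSH_MAGIC)) {
    throw new Error('not an openssh-key-v1 blob');
  }
  const len = blob.readUInt32BE(OPENSSH_MAGIC.length);
  if (len > 64 || start + len > blob.length) {
    throw new Error('malformed cipher name');
  }
  return blob.toString('latin1', start, start + len) !== 'none';
}

// Constructed samples: header-only blobs, not usable keys.
function sshString(s) {
  const b = Buffer.alloc(4 + s.length);
  b.writeUInt32BE(s.length, 0);
  b.write(s, 4, 'latin1');
  return b;
}
function constructedOpenSshKey(cipher, kdf) {
  const blob = Buffer.concat([OPENSSH_MAGIC, sshString(cipher), sshString(kdf), sshString('')]);
  return '-----BEGIN OPENSSH PRIVATE KEY-----\n' + blob.toString('base64') +
    '\n-----END OPENSSH PRIVATE KEY-----\n';
}
const CONSTRUCTED_LEGACY_PEM = [
  '-----BEGIN RSA PRIVATE KEY-----',
  'Proc-Type: 4,ENCRYPTED',
  'DEK-Info: AES-128-CBC,00000000000000000000000000000000',
  '',
  '(constructed placeholder, no key material)',
  '-----END RSA PRIVATE KEY-----',
].join('\n');
```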
@roblourens roblourens marked this pull request as ready for review May 25, 2026 21:28
@roblourens roblourens enabled auto-merge (squash) May 25, 2026 21:28
@roblourens roblourens merged commit ac58dbf into main May 26, 2026
25 checks passed
@roblourens roblourens deleted the agents/vsckb-implement-please-investigate-and-fix-https-6a10c92d branch May 26, 2026 00:50
@vs-code-engineering vs-code-engineering Bot added this to the 1.122.0 milestone May 26, 2026
anthonykim1 added a commit that referenced this pull request May 26, 2026
Squashed cherry-pick of 10 commits from main that are included in the
Insiders build (183159e) people are verifying:

- agentHost: show fetched URL for web_fetch (#318240)
- Fix SSH remote agent host passphrase auth (#318244)
- agentHost: add setting to disable worktreeCreated task auto-dispatch (#318243)
- Agent host: clearer worktree git timeout errors and 60s budget (#318242)
- Normalize LF to CRLF in agent host terminal tool output (#318257)
- sessions: restore X-button removal of SSH remote agent host entries (#318262)
- chat: fix duplicate command registration for agent-host-copilotcli (#318273)
- launch: build copilot in compile; wait for CDP in launch.sh (#318272)
- Preserve unread state across remote host disconnect (#318267)
- Add more codenotify for terminal (#318285)
dileepyavan pushed a commit that referenced this pull request May 27, 2026
Squashed cherry-pick of 10 commits from main that are included in the
Insiders build (183159e) people are verifying:

- agentHost: show fetched URL for web_fetch (#318240)
- Fix SSH remote agent host passphrase auth (#318244)
- agentHost: add setting to disable worktreeCreated task auto-dispatch (#318243)
- Agent host: clearer worktree git timeout errors and 60s budget (#318242)
- Normalize LF to CRLF in agent host terminal tool output (#318257)
- sessions: restore X-button removal of SSH remote agent host entries (#318262)
- chat: fix duplicate command registration for agent-host-copilotcli (#318273)
- launch: build copilot in compile; wait for CDP in launch.sh (#318272)
- Preserve unread state across remote host disconnect (#318267)
- Add more codenotify for terminal (#318285)
Development

Successfully merging this pull request may close these issues.

Remote SSH in Agent Window missing key passphrase and IdentityAgent
