
Add the ability to set IdentityAgent in SSH configs

Open ksurent opened this issue 9 months ago • 0 comments

Is your feature request related to a problem?

Yes. Consider a setup where a dev laptop has two ssh-agents running — one stock and one custom (e.g. comes pre-installed on a corporate laptop). Consider the following ~/.ssh/config:

# DevPod Start example.devpod
Host example.devpod
  ForwardAgent yes
  LogLevel error
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  HostKeyAlgorithms rsa-sha2-256,rsa-sha2-512,ssh-rsa
  ProxyCommand "/usr/local/bin/devpod" ssh --stdio --context default --user example example --workdir "/home/example"
  User example
# DevPod End example.devpod
Host *
  IdentityAgent /corporate-agent.sock

/corporate-agent.sock is maintained by a separate agent; new identities cannot be added to it.

At the same time there's a stock agent running as well:

❯ ssh-add -l
256 SHA256:... [email protected] (ED25519)

Right now there's no way to forward the stock agent to the devcontainer without rewriting my SSH config because IdentityAgent from the catch-all rule will always apply for example.devpod.

Now I need to either get rid of the catch-all rule or fix up the generated config every time a workspace is created/rebuilt.

Which solution do you suggest?

Add --set-ssh-identity-agent <value> to devpod up. When set, the following will be added to the generated config:

IdentityAgent <value>

From man ssh_config:

This option overrides the SSH_AUTH_SOCK environment variable and can be used to select a specific agent. Setting the socket name to none disables the use of an authentication agent. If the string "SSH_AUTH_SOCK" is specified, the location of the socket will be read from the SSH_AUTH_SOCK environment variable. Otherwise if the specified value begins with a ‘$’ character, then it will be treated as an environment variable containing the location of the socket.

Because the generated config is always prepended to the start of the file and ssh uses the first found value, subsequent rules will not change which agent socket gets forwarded.

Which alternative solutions exist?

Users can rewrite their SSH configs without IdentityAgent in the catch-all rule.

Additional context

This is a pretty specific ask but I believe it can improve the experience for devs with complicated (e.g. corporate) setups.

I'd be willing to contribute the feature if it's considered useful.

ksurent avatar Mar 05 '25 18:03 ksurent
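The whole request rests on one ssh_config rule: for each option, ssh keeps the first value it finds in a matching Host block and ignores later ones, so a block prepended for example.devpod can pin IdentityAgent while a trailing `Host *` block still governs every other host. The following Python script is an added illustration, not code from the issue author or from the DevPod project. It models that first-match resolution with a deliberately small parser (only `Host` blocks and `Key value` lines; no `Match`, `Include` or quoting rules), and `devpod_block` is a hypothetical imitation of the generated block with the proposed `--set-ssh-identity-agent` value spliced in, not DevPod's real generator.

```python
"""Model of ssh_config's first-match-wins resolution for IdentityAgent.

Constructed example (not DevPod or ssh code): it mimics how ssh selects the
first value found for an option across matching Host blocks, which is why a
block prepended at the top of ~/.ssh/config can pin IdentityAgent for one
workspace host while a trailing 'Host *' block still applies to everything else.
"""
import fnmatch
import re


def parse_ssh_config(text):
    """Return (patterns, {option: value}) blocks in file order.

    Simplified grammar: a 'Host' line opens a block, any other 'Key value' or
    'Key=value' line belongs to the current block. Options written before the
    first Host line land in an implicit 'Host *' block, as ssh treats them.
    """
    blocks = [(["*"], {})]
    current = blocks[0]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            current = (value.split(), {})
            blocks.append(current)
        else:
            # Within one block the first occurrence of an option also wins.
            current[1].setdefault(key, value)
    return blocks


def host_matches(patterns, host):
    """Glob matching for a Host line; a '!' pattern that matches excludes the block.

    Real ssh matching has more rules; this covers '*', '?' and negation only.
    """
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(host, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pattern):
            matched = True
    return matched


def resolve(text, host, option):
    """Return the effective value of `option` for `host`: first matching block wins."""
    option = option.lower()
    for patterns, options in parse_ssh_config(text):
        if host_matches(patterns, host) and option in options:
            return options[option]
    return None


# Constructed user config: the catch-all rule from the issue.
USER_CONFIG = """\
Host *
  IdentityAgent /corporate-agent.sock
"""


def devpod_block(workspace, identity_agent=None):
    """Hypothetical imitation of the block DevPod prepends for a workspace.

    `identity_agent` models the proposed --set-ssh-identity-agent <value>;
    the real generator emits more options and may differ in layout.
    """
    lines = [f"# DevPod Start {workspace}", f"Host {workspace}", "  ForwardAgent yes"]
    if identity_agent:
        lines.append(f"  IdentityAgent {identity_agent}")
    lines.append(f"# DevPod End {workspace}")
    return "\n".join(lines) + "\n"


def effective_agent(identity_agent=None, host="example.devpod"):
    """Which agent socket ssh would use for `host` with the generated block prepended."""
    config = devpod_block("example.devpod", identity_agent) + USER_CONFIG
    return resolve(config, host, "IdentityAgent")


if __name__ == "__main__":
    print("without flag:", effective_agent())
    print("with flag:   ", effective_agent("SSH_AUTH_SOCK"))
    print("other host:  ", effective_agent("SSH_AUTH_SOCK", host="other.example"))
```

Without the flag the corporate socket wins for example.devpod, which is the problem the issue describes; with the flag the prepended block resolves to `SSH_AUTH_SOCK` for that host only, and `other.example` still gets the corporate socket. Against a real config the same check is `ssh -G example.devpod | grep -i identityagent`, which prints the value ssh actually resolved after applying all blocks.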