feat: Add SSH agent forwarding support to coder agent #1548
Conversation
|
Wanted this to be DRAFT PR, can't seem to convert it after the fact. |
|
I'm surprised it doesn't just work with |
Oh you're absolutely right, silly me, I did not look closely at what the actual error output was. So yeah, with |
|
Ahh, nice! Forwarding with https://pkg.go.dev/golang.org/x/crypto/ssh/agent#ForwardToRemote |
c0a7d75 to
3df1a08
Compare
|
I believe this is now ready for review. SSH agent forwarding has now been implemented for both For coder ssh --forward-agent <workspace>For SSH: coder config-ssh -o ForwardAgent=yes
# or
ssh -o ForwardAgent=yes coder.<workspace>Thanks @kylecarbs for the pointers, this was surprisingly easy to setup. |
|
@mafredri that'd be a good example for the usage of |
cli/ssh.go
Outdated
| _ = cmd.Flags().MarkHidden("shuffle") | ||
| cliflag.BoolVarP(cmd.Flags(), &forwardAgent, "forward-agent", "", "CODER_SSH_FORWARD_AGENT", false, "Specifies whether to forward the SSH agent specified in $SSH_AUTH_SOCK") |
There was a problem hiding this comment.
The shorthand flag for this should be -A to match openssh
There was a problem hiding this comment.
A most excellent suggestion, thanks!
cli/ssh_test.go
Outdated
| for { | ||
| fd, err := l.Accept() | ||
| if err != nil { | ||
| t.Logf("accept error: %v", err) |
|
@kylecarbs great suggestion! Added. |
| t.Cleanup(func() { | ||
| <-doneC | ||
| }) |
There was a problem hiding this comment.
note: I wasn't sure of this so I had to remind myself -- reading from a closed channel will immediately return the zero value of the channel type, and not block.
https://go.dev/play/p/PIS5JU1Lbgz
So this is fine, this won't cause t.Cleanup to hang or anything.
| // And we're done. | ||
| pty.WriteLine("exit") | ||
| <-cmdDone | ||
| }) |
There was a problem hiding this comment.
praise: This is such a cool test.
| //nolint:paralleltest // Disabled due to use of t.Setenv. | ||
| t.Run("ForwardAgent", func(t *testing.T) { | ||
| if runtime.GOOS == "windows" { | ||
| t.Skip("Test not supported on windows") |
There was a problem hiding this comment.
remark, non-blocking: recent versions of Windows do include SSH (source) but it's probably a ghastly can of worms to open! So agreed, let's leave this non-Windows for now. 😅
Co-authored-by: Cian Johnston <cian@coder.com>
* feat: Add SSH agent forwarding support to coder agent * feat: Add forward agent flag to `coder ssh` * refactor: Share setup between SSH tests, sync goroutines * feat: Add test for `coder ssh --forward-agent` * fix: Fix test flakes and implement Deans suggestion for helpers * fix: Add example to config-ssh * fix: Allow forwarding agent via -A Co-authored-by: Cian Johnston <cian@coder.com>
This PR adds support for SSH agent forwarding.
This simple change can support SSH agent forwarding but requires extra steps:As Kyle pointed out, this works fine with the
coder gitsshcommand so the extra steps are not necessary, we only need to make sure thesshForwardAgentsetting is enabled:coder config-ssh ssh -o ForwardAgent=yes coder.mydev # Inside workspace: git clone git@github.com:private/repo.gitChecklist
Add support for using the forwarded agent toGIT_SSH_COMMAND(i.e.coder gitssh)?coder sshtooFixes #1549.