mirror of
https://github.com/Matir/skel.git
synced 2026-05-26 05:29:09 -07:00
* Fix SSH agent forwarding clobbered by local agent in shenv

  ssh/rc saves the raw forwarded socket in SSH_REMOTE_AUTH_SOCK before rewriting SSH_AUTH_SOCK to the stable symlink. shenv was ignoring that variable, so it saw SSH_AUTH_SOCK as "our link" and fell through to the systemd lookup, which could overwrite the symlink with a local agent socket and silently drop the forwarded one.

  Now shenv checks SSH_REMOTE_AUTH_SOCK first, giving forwarded sockets priority over any local agent.

  https://claude.ai/code/session_01RhXaFzxJA5D2BcGcz18ipA

* Fix shenv clobbering forwarded SSH socket with local agent in tmux

  ssh/rc env changes (including SSH_REMOTE_AUTH_SOCK) are lost because ssh/rc runs as a sshd child process, not the user's shell. The shell always receives SSH_AUTH_SOCK set to the raw forwarded socket path.

  Fresh SSH login worked fine (step 1 catches the raw socket). The bug was in tmux new windows: SSH_AUTH_SOCK there is our stable symlink, so step 1 fails, then steps 2/3 look up the system agent and overwrite the symlink that ssh/rc just set to the forwarded socket.

  Fix: only run the system agent lookup when the stable symlink is already broken. A valid symlink means ssh/rc (or a previous shenv run) already set it correctly; don't clobber it.

  https://claude.ai/code/session_01RhXaFzxJA5D2BcGcz18ipA

* Remove pointless exports from ssh/rc, add process-model comment

  ssh/rc runs as a sshd child process so exports never reach the user's shell. SSH_REMOTE_AUTH_SOCK was set and exported but never used (a leftover from a prior failed fix attempt). SSH_AUTH_SOCK was reassigned to the symlink path and exported, also to no effect. Remove both.

  https://claude.ai/code/session_01RhXaFzxJA5D2BcGcz18ipA

---------

Co-authored-by: Claude <noreply@anthropic.com>
33 lines
1.0 KiB
Bash
Executable File
#!/bin/sh

# Roughly based on this article:
# https://werat.github.io/2017/02/04/tmux-ssh-agent-forwarding.html
#
# NOTE: this file is executed by sshd as a child process, NOT sourced by the
# user's shell. Any variable assignments or exports here have no effect on the
# shell environment the user will land in.

REMOTE_LINK="${HOME}/.ssh/ssh_auth_sock"

if [ -S "${SSH_AUTH_SOCK}" ] ; then
  # Always update the symlink to the latest session's socket.
  # This ensures that tmux (which uses the static path) always points to a
  # current agent.
  mkdir -p "$(dirname "${REMOTE_LINK}")"
  ln -sf "${SSH_AUTH_SOCK}" "${REMOTE_LINK}"
fi

# if stdin is a tty, don't do the cookie step
if [ ! -t 0 ] ; then
  # Handle X forwarding, per sshd(8)
  if read -r proto cookie && [ -n "$DISPLAY" ]; then
    if [ "$(echo "$DISPLAY" | cut -c1-10)" = 'localhost:' ]; then
      # X11UseLocalhost=yes
      echo add "unix:$(echo "$DISPLAY" | cut -c11-)" "$proto" "$cookie"
    else
      # X11UseLocalhost=no
      echo add "$DISPLAY $proto $cookie"
    fi | xauth -q -
  fi
fi
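The commit message describes the shell-side counterpart to this file: prefer a raw forwarded socket, keep a stable symlink that still resolves, and consult a local agent only when the link is broken. The sketch below is an added example of that ordering, not code from this repository (shenv is not shown on this page). The names `choose_auth_sock` and `is_live_sock` and the fallback-path argument are assumptions.

```shell
#!/bin/sh
# Added example (not the repository's shenv): socket selection order as
# described in the commit message. All names here are hypothetical.

# Liveness check, kept in one place so it can be swapped out in tests.
# -S follows symlinks, so a dangling link fails the check.
is_live_sock() { [ -S "$1" ]; }

# choose_auth_sock LINK CURRENT FALLBACK
#   LINK     stable symlink path (e.g. ~/.ssh/ssh_auth_sock)
#   CURRENT  value of SSH_AUTH_SOCK the shell was started with
#   FALLBACK local agent socket path (assumed to be looked up by the caller)
# Prints the action taken: forwarded | keep | fallback | none
choose_auth_sock() {
  link=$1 current=$2 fallback=$3

  # Step 1: fresh SSH login. The shell received the raw forwarded socket,
  # which is not our link, so it wins over everything else.
  if [ -n "$current" ] && [ "$current" != "$link" ] && is_live_sock "$current"; then
    ln -sf "$current" "$link"
    echo forwarded
    return 0
  fi

  # Step 2: new tmux window. SSH_AUTH_SOCK is already the link; if it still
  # resolves, ssh/rc or an earlier run set it correctly. Do not clobber it.
  if is_live_sock "$link"; then
    echo keep
    return 0
  fi

  # Step 3: the link is missing or dangling. Only now use the local agent.
  if [ -n "$fallback" ] && is_live_sock "$fallback"; then
    ln -sf "$fallback" "$link"
    echo fallback
    return 0
  fi

  echo none
  return 1
}
```

A caller would export `SSH_AUTH_SOCK` as the link path whenever the result is anything other than `none`.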