ssh-agent: improve handling of SSH_AUTH_SOCK variable

Specifically, only preserve `$SSH_AUTH_SOCK` when it points to a forwarded agent.
2026-01-11 09:29:41 +08:00 · 2026-01-03 16:39:25 +01:00
parent 73f5a5ecc9
commit f894bc4ffd
1 changed files with 6 additions and 5 deletions
--- a/modules/services/ssh-agent.nix
+++ b/modules/services/ssh-agent.nix
@@ -57,18 +57,19 @@ in
              else
                "$XDG_RUNTIME_DIR/${cfg.socket}";

+            # Preserve $SSH_AUTH_SOCK only if it stems from a forwarded agent,
+            # which is the case if both $SSH_AUTH_SOCK and $SSH_CONNECTION are
+            # set.
            bashIntegration = ''
-              if [ -z "$SSH_AUTH_SOCK" ]; then
+              if [ -z "$SSH_AUTH_SOCK" -o -z "$SSH_CONNECTION" ]; then
                export SSH_AUTH_SOCK=${socketPath}
              fi
            '';
-
            fishIntegration = ''
-              if test -z "$SSH_AUTH_SOCK"
+              if test -z "$SSH_AUTH_SOCK"; or test -z "$SSH_CONNECTION"
                set -x SSH_AUTH_SOCK ${socketPath}
              end
            '';
-
            nushellIntegration =
              let
                unsetOrEmpty = var: ''("${var}" not-in $env) or ($env.${var} | is-empty)'';
@@ -79,7 +80,7 @@ in
                    ''$"($env.XDG_RUNTIME_DIR)/${cfg.socket}"'';
              in
              ''
-                if ${unsetOrEmpty "SSH_AUTH_SOCK"} {
+                if ${unsetOrEmpty "SSH_AUTH_SOCK"} or ${unsetOrEmpty "SSH_CONNECTION"} {
                  $env.SSH_AUTH_SOCK = ${socketPath}
                }
              '';