Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 12 additions & 1 deletion pkg/remote/sshclient.go
Original file line number Diff line number Diff line change
Expand Up @@ -310,6 +310,8 @@ func createPublicKeyCallback(connCtx context.Context, sshKeywords *wconfig.ConnK
if len(*authSockSignersPtr) != 0 {
authSockSigner := (*authSockSignersPtr)[0]
*authSockSignersPtr = (*authSockSignersPtr)[1:]
blocklogger.Infof(connCtx, "[conndebug] trying agent identity %s %s...\n",
authSockSigner.PublicKey().Type(), ssh.FingerprintSHA256(authSockSigner.PublicKey()))
return []ssh.Signer{authSockSigner}, nil
}

Expand Down Expand Up @@ -772,10 +774,19 @@ func createClientConfig(connCtx context.Context, sshKeywords *wconfig.ConnKeywor
if !utilfn.SafeDeref(sshKeywords.SshIdentitiesOnly) && agentPath != "" {
conn, err := dialIdentityAgent(agentPath)
if err != nil {
blocklogger.Infof(connCtx, "[conndebug] failed to open identity agent socket %q: %v\n", agentPath, err)
log.Printf("Failed to open Identity Agent Socket %q: %v", agentPath, err)
} else {
agentClient = agent.NewClient(conn)
authSockSigners, _ = agentClient.Signers()
agentSigners, err := agentClient.Signers()
if err != nil {
blocklogger.Infof(connCtx, "[conndebug] failed to list identity agent keys: %v\n", err)
log.Printf("Failed to list identity agent keys: %v", err)
}
blocklogger.Infof(connCtx, "[conndebug] identity agent provided %d identities\n", len(agentSigners))
for _, agentSigner := range agentSigners {
authSockSigners = append(authSockSigners, failoverSigner{signer: agentSigner, connCtx: connCtx})
}
}
}

Expand Down
75 changes: 75 additions & 0 deletions pkg/remote/sshsigners.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
// Copyright 2025, Command Line Inc.
// SPDX-License-Identifier: Apache-2.0

package remote

import (
"context"
"io"

"github.com/wavetermdev/waveterm/pkg/blocklogger"
"golang.org/x/crypto/ssh"
)

// failoverSigner wraps an ssh.Signer to implement SSH agent identity failover.
// When signing with one agent identity fails, instead of aborting the entire
// authentication attempt, it produces a synthesized invalid signature that
// causes the SSH client to try the next available identity, matching OpenSSH's
// default multi-identity authentication behavior. It implements both
// ssh.Signer and ssh.AlgorithmSigner.
type failoverSigner struct {
signer ssh.Signer
connCtx context.Context
}

// PublicKey returns the public key associated with the wrapped signer.
// It implements ssh.Signer.
func (f failoverSigner) PublicKey() ssh.PublicKey {
return f.signer.PublicKey()
}

// Sign signs the given data using the wrapped signer. If signing succeeds, the
// valid signature is returned. If signing fails (e.g. because the agent cannot
// authenticate with this particular identity), the error is logged via
// blocklogger and an invalid placeholder signature is returned instead of an
// error, allowing the SSH client to proceed to the next offered identity.
// It implements ssh.Signer.
func (f failoverSigner) Sign(rand io.Reader, data []byte) (*ssh.Signature, error) {
sig, err := f.signer.Sign(rand, data)
if err == nil {
return sig, nil
}
blocklogger.Infof(f.connCtx, "[conndebug] agent signing failed for key %s %s (%v); continuing with next identity\n",
f.signer.PublicKey().Type(), ssh.FingerprintSHA256(f.signer.PublicKey()), err)
return f.invalidSignature(f.signer.PublicKey().Type()), nil
}

// SignWithAlgorithm signs the given data using the wrapped signer with the
// requested signature algorithm. If the wrapped signer supports
// ssh.AlgorithmSigner, the algorithm is forwarded; if signing fails in that
// case an invalid signature with the requested algorithm format is returned.
// If the wrapped signer does not implement ssh.AlgorithmSigner, it falls back
// to Sign. It implements ssh.AlgorithmSigner.
func (f failoverSigner) SignWithAlgorithm(rand io.Reader, data []byte, algorithm string) (*ssh.Signature, error) {
if as, ok := f.signer.(ssh.AlgorithmSigner); ok {
sig, err := as.SignWithAlgorithm(rand, data, algorithm)
if err == nil {
return sig, nil
}
blocklogger.Infof(f.connCtx, "[conndebug] agent signing failed for key %s %s (%v); continuing with next identity\n",
f.signer.PublicKey().Type(), ssh.FingerprintSHA256(f.signer.PublicKey()), err)
return f.invalidSignature(algorithm), nil
}
return f.Sign(rand, data)
}

// invalidSignature constructs a placeholder ssh.Signature with the given
// format and an obviously-invalid blob. Returning this sentinel signature
// instead of propagating the signing error causes the SSH client to skip
// this identity and move on to the next one offered by the agent.
func (f failoverSigner) invalidSignature(format string) *ssh.Signature {
return &ssh.Signature{
Format: format,
Blob: []byte("invalid-signature-identity-skipped"),
Comment thread
coderabbitai[bot] marked this conversation as resolved.
}
}