me like nix

preserve forwarded ssh agents in ssh sessions

author
Sean Aye
date (May 18, 2026, 10:17 AM -0400) commit dd8daddd parent 9ac6309d change-id vmzprxzo
+20 -12
+12 -8
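--- a/modules/sean.nix
+++ b/modules/sean.nix
@@ -63,14 +63,12 @@
 matchBlocks = {
 # For git/jj over SSH, try the local YubiKey-backed security key
 # first. If the key is not plugged in, OpenSSH will continue on to
-# identities exposed by the 1Password SSH agent.
+# whatever agent SSH_AUTH_SOCK points at (1Password locally, or a
+# forwarded agent inside `ssh -A` sessions).
 "git-forges" = {
 host = "github.com gist.github.com codeberg.org gitlab.com";
 identityFile = [
 "${config.home.homeDirectory}/.ssh/id_ed25519_sk_rk"
-];
-identityAgent = [
-"${config.home.homeDirectory}/.1password/agent.sock"
 ];
 };
 "*" = {
@@ -101,11 +99,17 @@
 AWS_SHARED_CREDENTIALS_FILE = config.age.secrets.aws-credentials.path;
 };
 
-# Only point at the local 1Password agent when not inside an SSH
-# session — otherwise we'd clobber the forwarded agent from `ssh -A`
-# and lose access to the laptop's YubiKey.
+# Prefer forwarded agents inside SSH sessions. Some login shells source
+# hm-session-vars after sshd has set SSH_AUTH_SOCK, so recover sshd's
+# original value from the parent process before falling back to the local
+# 1Password GUI agent on graphical/local sessions.
 home.sessionVariablesExtra = ''
-if [ -z "$SSH_CONNECTION" ]; then
+if [ -n "$SSH_CONNECTION" ] || [ -n "$SSH_CLIENT" ]; then
+forwarded_sock=$(tr '\0' '\n' < "/proc/$PPID/environ" 2>/dev/null | sed -n 's/^SSH_AUTH_SOCK=//p' | head -n1)
+if [ -n "$forwarded_sock" ] && [ -S "$forwarded_sock" ]; then
+export SSH_AUTH_SOCK="$forwarded_sock"
+fi
+elif [ -S "${config.home.homeDirectory}/.1password/agent.sock" ]; then
 export SSH_AUTH_SOCK="${config.home.homeDirectory}/.1password/agent.sock"
 fi
 '';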
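Review bot: In the `home.sessionVariablesExtra` block the path read from `/proc/$PPID/environ` is exported as `SSH_AUTH_SOCK` after only a `-S` test, which shows that it is a socket but not that it belongs to this user. Since the value comes from whichever process is the parent, the guard could also check ownership: `if [ -n "$forwarded_sock" ] && [ -S "$forwarded_sock" ] && [ -O "$forwarded_sock" ]; then` (`-O` is outside POSIX `test`, though bash, zsh and dash accept it). Separately, `2>/dev/null` comes after the `<` redirection, so a failure to open the environ file (no /proc, or a parent this user may not inspect) is probably still printed at login; writing `tr '\0' '\n' 2>/dev/null < "/proc/$PPID/environ"` should silence it. The fish block in modules/shell.nix reads the same file behind the same `-S` test and would take the same ownership check.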
+8 -4
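--- a/modules/shell.nix
+++ b/modules/shell.nix
@@ -89,10 +89,14 @@
 };
 interactiveShellInit = ''
 set fish_greeting
-# Set 1Password SSH agent socket, but only when not inside an
-# SSH session — otherwise preserve the forwarded agent from
-# `ssh -A` so YubiKey signing keeps working on remote hosts.
-if not set -q SSH_CONNECTION
+# Prefer forwarded agents inside SSH sessions. Otherwise use the
+# local 1Password GUI agent when available.
+if set -q SSH_CONNECTION; or set -q SSH_CLIENT
+set forwarded_sock (tr '\0' '\n' < /proc/$PPID/environ 2>/dev/null | sed -n 's/^SSH_AUTH_SOCK=//p' | head -n1)
+if test -n "$forwarded_sock"; and test -S "$forwarded_sock"
+set -gx SSH_AUTH_SOCK "$forwarded_sock"
+end
+else if test -S ${config.home.homeDirectory}/.1password/agent.sock
 set -gx SSH_AUTH_SOCK ${config.home.homeDirectory}/.1password/agent.sock
 end
 # Load 1Password CLI plugins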
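Review bot: `set forwarded_sock (…)` carries no scope flag, and since `interactiveShellInit` runs outside any function, fish will most likely create it as a global that stays defined for the rest of the session; `set -l forwarded_sock (tr …)` keeps it inside the `if` block. The new comment also drops the reason the old one gave and does not mention the `/proc/$PPID/environ` lookup, so I would add a line such as `# Recover the forwarded socket from the parent's environment in case an earlier init step replaced SSH_AUTH_SOCK.`, worded to match whatever actually overwrites it, which is not visible here. The `interactiveShellInit` string continues past the end of this hunk.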