Skip to content

Remote access doesn't work with ssh-agent

Describe the bug

If the private key needed to access a remote system is only available the ssh-agent daemon (i.e. not .ssh/*), HPCViewer will fail to use the key to access the remote system. In this case the Viewer will fall back to password authentication or just outright fail.

Background on ssh-agent

I'm aware not everyone is familiar with ssh-agent, so I thought I would provide a couple paragraphs of commentary to give some background.

ssh uses asymmetric key cryptography to prove identity: you create a pair of public/private keys, copy the public key to the remote system, and by having the private key you "prove" your identity and can log into the system. Private keys are highly sensitive, anyone with access to the private key can impersonate you if they so desire. To prevent a rogue AI agent from stealing your digital identity, it's common practice to encrypt the private key "material" and save only the encrypted form on disk (this encrypted file is typically called the "key").

On-disk encryption does not solve all issues, specifically (a) you have to type your passphrase each time and (b) every SSH client you use has to handle (and protect!) the sensitive key material. This is where ssh-agent comes in, it's a background service for holding and protecting sensitive key material. Keys are decrypted and loaded into the agent with ssh-add, and the agent securely performs the necessary cryptographic operations on behalf of any connected SSH clients. This gives (actually more) convenience than unencrypted keys while maintaining high security, to my knowledge the highest security possible without specialized hardware (e.g. security keys/tokens).

To Reproduce

First, set up a scenario where the only key that can log into the remote system is in the agent:

$ ssh-keygen -f testkey
$ ssh some.remote.system
# mv .ssh/authorized_keys{,~}
# cat testkey.pub > .ssh/authorized_keys
# exit
$ ssh -o PasswordAuthentication=no some.remote.system hostname
user@some.remote.system: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
$ ssh-add testkey
$ ssh -o PasswordAuthentication=no some.remote.system hostname
some.remote.system

Then select the remote system and "Use Identity":

Screenshot_From_2025-10-24_01-36-17-obfuscated

Pressing OK does not use the available key, instead the connection errors out (possibly after attempting password authentication):

Screenshot_From_2025-10-24_01-44-42-obfuscated

image

Expected behavior

The remote connection should work with no password prompt, using the key already loaded into the agent.

Platform (please complete the following information):

  • OS: Linux (Fedora 42 / Project Bluefin 42.20251021.1)
  • Architecture: x86-64
  • Version: 4dd65eeb