fix: SSH Agent auth falls back to key file when agent has no loaded identities (#729) (#741)

datlechin · web-flow · commit 157a640d81a2 · 2026-04-14T11:51:08.000+07:00
* fix: SSH Agent auth falls back to key file when agent has no loaded identities (#729) * fix: use URL APIs for default SSH key path construction
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 
 - Fix AI chat hanging the app during streaming, schema fetch, and conversation loading (#735)
+- SSH Agent auth: fall back to key file from `~/.ssh/config` or default paths when agent has no loaded identities (#729)
 - SSH-tunneled connections failing to reconnect after idle/sleep — health monitor now rebuilds the tunnel, OS-level TCP keepalive detects dead NAT mappings, and wake-from-sleep triggers immediate validation (#736)
 
 ## [0.31.4] - 2026-04-14
diff --git a/TablePro/Core/SSH/LibSSH2TunnelFactory.swift b/TablePro/Core/SSH/LibSSH2TunnelFactory.swift
@@ -493,15 +493,26 @@ internal enum LibSSH2TunnelFactory {
 
         case .sshAgent:
             let socketPath = config.agentSocketPath.isEmpty ? nil : config.agentSocketPath
-            let primary = AgentAuthenticator(socketPath: socketPath)
+            var authenticators: [any SSHAuthenticator] = [AgentAuthenticator(socketPath: socketPath)]
+
+            // Fallback: try key file if agent has no loaded identities
+            if let keyPath = resolveIdentityFile(config: config) {
+                authenticators.append(PublicKeyAuthenticator(
+                    privateKeyPath: keyPath,
+                    passphrase: credentials.keyPassphrase
+                ))
+            }
+
             if config.totpMode != .none {
-                let totpAuth = KeyboardInteractiveAuthenticator(
+                authenticators.append(KeyboardInteractiveAuthenticator(
                     password: nil,
                     totpProvider: buildTOTPProvider(config: config, credentials: credentials)
-                )
-                return CompositeAuthenticator(authenticators: [primary, totpAuth])
+                ))
             }
-            return primary
+
+            return authenticators.count == 1
+                ? authenticators[0]
+                : CompositeAuthenticator(authenticators: authenticators)
 
         case .keyboardInteractive:
             let totpProvider = buildTOTPProvider(config: config, credentials: credentials)
@@ -520,10 +531,47 @@ internal enum LibSSH2TunnelFactory {
                 passphrase: nil
             )
         case .sshAgent:
-            return AgentAuthenticator(socketPath: nil)
+            let agent = AgentAuthenticator(socketPath: nil)
+            if !jumpHost.privateKeyPath.isEmpty {
+                let keyAuth = PublicKeyAuthenticator(
+                    privateKeyPath: jumpHost.privateKeyPath,
+                    passphrase: nil
+                )
+                return CompositeAuthenticator(authenticators: [agent, keyAuth])
+            }
+            return agent
         }
     }
 
+    /// Resolve an identity file path for agent auth fallback.
+    /// Priority: user-configured path > ~/.ssh/config IdentityFile > default key paths.
+    private static func resolveIdentityFile(config: SSHConfiguration) -> String? {
+        if !config.privateKeyPath.isEmpty {
+            return config.privateKeyPath
+        }
+
+        if let entry = SSHConfigParser.findEntry(for: config.host),
+           let identityFile = entry.identityFile,
+           !identityFile.isEmpty {
+            return identityFile
+        }
+
+        let sshDir = FileManager.default.homeDirectoryForCurrentUser
+            .appendingPathComponent(".ssh", isDirectory: true)
+        let defaultPaths = [
+            sshDir.appendingPathComponent("id_ed25519").path,
+            sshDir.appendingPathComponent("id_rsa").path,
+            sshDir.appendingPathComponent("id_ecdsa").path
+        ]
+        for path in defaultPaths {
+            if FileManager.default.isReadableFile(atPath: path) {
+                return path
+            }
+        }
+
+        return nil
+    }
+
     private static func buildTOTPProvider(
         config: SSHConfiguration,
         credentials: SSHTunnelCredentials
