authfd: fallback to default if $SSH_AUTH_SOCK is unset (!35) · Merge requests · Debian SSH Maintainers / openssh

Nick Rosbrook requested to merge enr0n/openssh:ssh-agent-socket-fallback into master Sep 26, 2025

Recent changes surrounding socket-activated ssh-agent have regressed users, because SSH_AUTH_SOCK is unset in environments where it was previously.

The new ssh-agent.socket uses systemctl --user set-environment, but in the general case, this does not propagate to user sessions as intended. For processes spawned by the systemd user manager, it does work. But, if the user session was spawned e.g. by login, this will not work.

As a quick fix, adapt ssh_get_authentication_socket() to fallback to the default, $XDG_RUNTIME_DIR/openssh_agent if $SSH_AUTH_SOCK is unset. This is imperfect, because if a user configures a different socket path, e.g. by overriding ListenStream= in ssh-agent.socket, then the fallback will fail.

Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2125549

authfd: fallback to default if $SSH_AUTH_SOCK is unset

Merge request reports