ws: conditional start of ssh-agent

In unprivileged mode the label-run script should respect an already existing set SSH_AUTH_SOCK env.
cockpit-project · Oct 31, 2024 · 1e1ec40 · 1e1ec40
1 parent b66d6c8
commit 1e1ec40
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/containers/ws/README.md b/containers/ws/README.md
@@ -119,6 +119,10 @@ You can also mount encrypted private keys inside the container. You can set an e
 
 Private keys can be encrypted; then cockpit uses the provided password to decrypt the key.
 
+### SSH_AUTH_SOCK
+
+By default the container starts its own ssh-agent. Alternatively `SSH_AUTH_SOCK` environment variable can be set to surpress starting ssh-agent.
+
 ## More Info
 
  * [Cockpit Project](https://cockpit-project.org)

diff --git a/containers/ws/label-run b/containers/ws/label-run
@@ -42,6 +42,8 @@ else
 
     /usr/libexec/cockpit-certificate-ensure
 
-    eval $(ssh-agent)
+    if [ -z "$SSH_AUTH_SOCK" ]; then
+        eval "$(ssh-agent)"
+    fi
     exec /usr/libexec/cockpit-ws --local-ssh "$@"
 fi