Chaining Remote-SSH + Dev Container breaks git credentials forwarding #10862

jellllly420 opened this issue Apr 8, 2025 · 4 comments
Closed
@jellllly420

Description

I have a MacBook and an Ubuntu laptop. I tried to use the Remote-SSH extension from the Mac to connect to the Ubuntu laptop and then use the Docker extension to attach to a container hosted on the Ubuntu laptop. I expected the git credentials to be correctly forwarded from my Mac to the remote container. However, none of them succeeded.

~# ssh -T [email protected]
[email protected]: Permission denied (publickey).
~# echo "test" | gpg --clear-sign -vvv
gpg: using character set 'iso-8859-1'
gpg: connection to agent is in restricted mode
gpg: using pgp trust model
gpg: key E1C718EF067E5BFD: accepted as trusted key
gpg: writing to stdout
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

test
gpg: signing failed: No such file or directory
gpg: [stdin]: clear-sign failed: No such file or directory

In the window attached to the remote container, gpg -k gives me exactly the same list of keys as on the Ubuntu laptop, not the Mac, and the ~/.ssh/ directory contains nothing but a known_hosts file whose contents also come from the Ubuntu host. Another weird thing here is that the gpg keys on the Mac are a strict subset of those on the Ubuntu, so GPG should succeed even though it's getting keys from the wrong host; I suspect it's related to pinentry stuff but I'm not sure.

I also tried the following combinations ("->" means "connect to"):

  • Mac -> Mac-local Docker container,
  • Ubuntu -> Ubuntu-local Docker container,

and they all worked well, SSH OK, GPG OK.

Environment

Steps to Reproduce

  1. Mac "Remote-SSH" to an Ubuntu host
  2. Mac "Dev Containers" to a Docker container hosted on the ssh-ed Ubuntu
  3. Try SSH or GPG

Does this issue occur when you try this locally?: No
Does this issue occur when you try this locally and all extensions are disabled?: Yes

@vs-code-engineering vs-code-engineering bot added the containers Issue in vscode-remote containers label Apr 8, 2025
@chrmarti
Contributor

chrmarti commented Apr 9, 2025

When gpg / ssh are available on the intermediate host (Ubuntu in this case), these will be used. Since it works when connecting locally on the Ubuntu machine, I would also expect it to work when using Remote-SSH from the Mac.

Please append the Dev Containers log from when this happens. (F1 > Dev Containers: Show Container Log)

@chrmarti chrmarti added the info-needed Issue requires more information from poster label Apr 9, 2025
@jellllly420
Author

> When gpg / ssh are available on the intermediate host (Ubuntu in this case), these will be used. Since it works when connecting locally on the Ubuntu machine, I would also expect it to work when using Remote-SSH from the Mac.

So getting credentials from the intermediate host is a desired behavior? That's surprising since I would expect the extension to always get credentials from the machine where I actually open a VSCode window and operate on (here the Mac). Anyway, it doesn't work now even if it's the desired behavior.

Logs: https://gist.github.com/jellllly420/8f85e0189ee9ce60366c46c037e6e115

The log was already provided here. Please let me know if you need other information.

@chrmarti
Contributor

Seeing:

[1951 ms] ssh-agent: SSH_AUTH_SOCK in container (/tmp/vscode-ssh-auth-c4277106-c631-4fef-a26d-d9bd77e19180.sock) forwarded to local host (/private/tmp/com.apple.launchd.5VwMUmB84b/Listeners).

[2310 ms] gpg-agent: Socket in container (/root/.gnupg/S.gpg-agent) forwarded to remote host (/run/user/1000/gnupg/S.gpg-agent.extra).

I would expect gpg --list-secret-keys in the dev container to show the secret keys from the SSH server. Can you run that and also try to use ssh to connect to some other host and then share the log again?
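
Added example, not part of the thread or of the extension's code: a small Python check that reads a Dev Containers log and reports which machine each agent socket in the container is forwarded to, flagging the split seen in the two lines quoted above. The line pattern is inferred from those two lines only, and reading "local host" as the machine running the VS Code window and "remote host" as the SSH server is an assumption based on this thread.

```python
import re

# Pattern inferred from the two log lines quoted in the comment above (an assumption,
# not a documented log format).
FORWARD_RE = re.compile(
    r"\[(?P<ms>\d+) ms\] (?P<agent>ssh-agent|gpg-agent): "
    r"(?:SSH_AUTH_SOCK|Socket) in container \((?P<container>[^)]+)\) "
    r"forwarded to (?P<side>local|remote) host \((?P<host>[^)]+)\)"
)

# Constructed sample: the two lines quoted in the thread plus one made-up unrelated line.
SAMPLE_LOG = """\
[1951 ms] ssh-agent: SSH_AUTH_SOCK in container (/tmp/vscode-ssh-auth-c4277106-c631-4fef-a26d-d9bd77e19180.sock) forwarded to local host (/private/tmp/com.apple.launchd.5VwMUmB84b/Listeners).
[2200 ms] (constructed) unrelated log line
[2310 ms] gpg-agent: Socket in container (/root/.gnupg/S.gpg-agent) forwarded to remote host (/run/user/1000/gnupg/S.gpg-agent.extra).
"""


def parse_forwards(log_text):
    """Map each agent name to the side and socket paths its forwarding line reports."""
    forwards = {}
    for line in log_text.splitlines():
        m = FORWARD_RE.search(line)
        if m:
            forwards[m["agent"]] = {
                "side": m["side"],
                "container_socket": m["container"],
                "host_socket": m["host"],
            }
    return forwards


def audit(log_text, expected=("ssh-agent", "gpg-agent")):
    """Return findings: agents with no forwarding line, and agents ending on different machines."""
    forwards = parse_forwards(log_text)
    findings = [f"{a}: no forwarding line in log" for a in expected if a not in forwards]
    if len({f["side"] for f in forwards.values()}) > 1:
        detail = ", ".join(f"{a} -> {f['side']} host" for a, f in sorted(forwards.items()))
        findings.append("agents terminate on different machines: " + detail)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```
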


This issue has been closed automatically because it needs more information and has not had recent activity. See also our issue reporting guidelines.

Happy Coding!

@vs-code-engineering vs-code-engineering bot closed this as not planned Won't fix, can't repro, duplicate, stale Apr 21, 2025