Add ssh.forwardAgent setting to Connect (#46798)

docs/pages/connect-your-client/teleport-connect.mdx

@@ -478,6 +478,7 @@ Below is the list of the supported config properties.
 | `keymap.openSearchBar`        | `Command+K` on macOS<br/>`Ctrl+Shift+K` on Windows/Linux                                                             | Shortcut to open the search bar.                                                                           |
 | `headless.skipConfirm`        | false                                                                                                                | Skips the confirmation prompt for Headless WebAuthn approval and instead prompts for WebAuthn immediately. |
 | `ssh.noResume`                | false                                                                                                                | Disables SSH connection resumption.                                                                        |
+| `ssh.forwardAgent`            | true                                                                                                                 | Enables agent forwarding.                                                                                  |
 
 <Admonition
   type="note"

web/packages/teleterm/src/services/config/appConfigSchema.ts

@@ -188,6 +188,12 @@ export const createAppConfigSchema = (settings: RuntimeSettings) => {
       .boolean()
       .default(false)
       .describe('Disables SSH connection resumption.'),
+    'ssh.forwardAgent': z
+      .boolean()
+      .default(true)
+      .describe(
+        "Enables agent forwarding when connecting to SSH nodes. It's the equivalent of the forward-agent flag in tsh ssh."
+      ),
   });
 };
 

web/packages/teleterm/src/services/pty/ptyHost/buildPtyOptions.test.ts

@@ -25,6 +25,7 @@ import {
   TshLoginCommand,
   GatewayCliClientCommand,
   PtyProcessCreationStatus,
+  SshOptions,
 } from '../types';
 
 import { getPtyProcessOptions, buildPtyOptions } from './buildPtyOptions';
@@ -37,6 +38,12 @@ jest.mock('./resolveShellEnv', () => ({
   resolveShellEnvCached: () => Promise.resolve({}),
 }));
 
+const makeSshOptions = (options: Partial<SshOptions> = {}): SshOptions => ({
+  noResume: false,
+  forwardAgent: false,
+  ...options,
+});
+
 describe('getPtyProcessOptions', () => {
   describe('pty.gateway-cli-client', () => {
     it('merges process env with the env from cmd', () => {
@@ -60,7 +67,7 @@ describe('getPtyProcessOptions', () => {
         settings: makeRuntimeSettings(),
         options: {
           customShellPath: '',
-          ssh: { noResume: false },
+          ssh: makeSshOptions(),
           windowsPty: { useConpty: true },
         },
         cmd: cmd,
@@ -95,7 +102,7 @@ describe('getPtyProcessOptions', () => {
         settings: makeRuntimeSettings(),
         options: {
           customShellPath: '',
-          ssh: { noResume: false },
+          ssh: makeSshOptions(),
           windowsPty: { useConpty: true },
         },
         cmd: cmd,
@@ -127,7 +134,7 @@ describe('getPtyProcessOptions', () => {
         settings: makeRuntimeSettings(),
         options: {
           customShellPath: '',
-          ssh: { noResume: true },
+          ssh: makeSshOptions({ noResume: true }),
           windowsPty: { useConpty: true },
         },
         cmd: cmd,
@@ -137,6 +144,66 @@ describe('getPtyProcessOptions', () => {
 
       expect(args).toContain('--no-resume');
     });
+
+    it('enables agent forwarding on tsh ssh invocations if the option is set', () => {
+      const processEnv = {
+        processExclusive: 'process',
+        shared: 'fromProcess',
+      };
+      const cmd: TshLoginCommand = {
+        kind: 'pty.tsh-login',
+        clusterName: 'bar',
+        proxyHost: 'baz',
+        login: 'bob',
+        serverId: '01234567-89ab-cdef-0123-456789abcdef',
+        rootClusterId: 'baz',
+        leafClusterId: undefined,
+      };
+
+      const { args } = getPtyProcessOptions({
+        settings: makeRuntimeSettings(),
+        options: {
+          customShellPath: '',
+          ssh: makeSshOptions({ forwardAgent: true }),
+          windowsPty: { useConpty: true },
+        },
+        cmd: cmd,
+        env: processEnv,
+        shellBinPath: '/bin/zsh',
+      });
+
+      expect(args).toContain('--forward-agent');
+    });
+
+    it('does not enable agent forwarding on tsh ssh invocations if the option is not set', () => {
+      const processEnv = {
+        processExclusive: 'process',
+        shared: 'fromProcess',
+      };
+      const cmd: TshLoginCommand = {
+        kind: 'pty.tsh-login',
+        clusterName: 'bar',
+        proxyHost: 'baz',
+        login: 'bob',
+        serverId: '01234567-89ab-cdef-0123-456789abcdef',
+        rootClusterId: 'baz',
+        leafClusterId: undefined,
+      };
+
+      const { args } = getPtyProcessOptions({
+        settings: makeRuntimeSettings(),
+        options: {
+          customShellPath: '',
+          ssh: makeSshOptions({ forwardAgent: false }),
+          windowsPty: { useConpty: true },
+        },
+        cmd: cmd,
+        env: processEnv,
+        shellBinPath: '/bin/zsh',
+      });
+
+      expect(args).not.toContain('--forward-agent');
+    });
   });
 });
 
@@ -162,7 +229,7 @@ describe('buildPtyOptions', () => {
       }),
       options: {
         customShellPath: '',
-        ssh: { noResume: false },
+        ssh: makeSshOptions(),
         windowsPty: { useConpty: true },
       },
       cmd,
@@ -189,7 +256,7 @@ describe('buildPtyOptions', () => {
       settings: makeRuntimeSettings(),
       options: {
         customShellPath: '/custom/shell/path/better-shell',
-        ssh: { noResume: false },
+        ssh: makeSshOptions(),
         windowsPty: { useConpty: true },
       },
       cmd,
@@ -216,7 +283,7 @@ describe('buildPtyOptions', () => {
       settings: makeRuntimeSettings(),
       options: {
         customShellPath: '',
-        ssh: { noResume: false },
+        ssh: makeSshOptions(),
         windowsPty: { useConpty: true },
       },
       cmd,
@@ -253,7 +320,7 @@ describe('buildPtyOptions', () => {
       }),
       options: {
         customShellPath: '',
-        ssh: { noResume: false },
+        ssh: makeSshOptions(),
         windowsPty: { useConpty: true },
       },
       cmd,

web/packages/teleterm/src/services/pty/ptyHost/buildPtyOptions.ts

@@ -212,7 +212,7 @@ export function getPtyProcessOptions({
         `--proxy=${cmd.rootClusterId}`,
         'ssh',
         ...(options.ssh.noResume ? ['--no-resume'] : []),
-        '--forward-agent',
+        ...(options.ssh.forwardAgent ? ['--forward-agent'] : []),
         loginHost,
       ];
 

web/packages/teleterm/src/services/pty/ptyService.ts

@@ -43,7 +43,10 @@ export function createPtyService(
       const { processOptions, creationStatus, shell } = await buildPtyOptions({
         settings: runtimeSettings,
         options: {
-          ssh: { noResume: configService.get('ssh.noResume').value },
+          ssh: {
+            noResume: configService.get('ssh.noResume').value,
+            forwardAgent: configService.get('ssh.forwardAgent').value,
+          },
           customShellPath: configService.get('terminal.customShell').value,
           windowsPty,
         },

web/packages/teleterm/src/services/pty/types.ts

@@ -123,6 +123,10 @@ export type SshOptions = {
    * (by adding the `--no-resume` option).
    */
   noResume: boolean;
+  /**
+   * Enables agent forwarding when running `tsh ssh` by adding the --forward-agent option.
+   */
+  forwardAgent: boolean;
 };
 
 export type TerminalOptions = {