From f894bc4ffde179d178d8deb374fcf9855d1a82b7 Mon Sep 17 00:00:00 2001
From: Benedikt Rips <benedikt.rips@gmail.com>
Date: Sat, 3 Jan 2026 16:39:25 +0100
Subject: [PATCH] ssh-agent: improve handling of SSH_AUTH_SOCK variable

Specifically, only preserve `$SSH_AUTH_SOCK` when it points to a
forwarded agent.
---
 modules/services/ssh-agent.nix | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/modules/services/ssh-agent.nix b/modules/services/ssh-agent.nix
index 1e443d4b..6a0e2f61 100644
--- a/modules/services/ssh-agent.nix
+++ b/modules/services/ssh-agent.nix
@@ -57,18 +57,19 @@ in
               else
                 "$XDG_RUNTIME_DIR/${cfg.socket}";
 
+            # Preserve $SSH_AUTH_SOCK only if it stems from a forwarded agent,
+            # which is the case if both $SSH_AUTH_SOCK and $SSH_CONNECTION are
+            # set.
             bashIntegration = ''
-              if [ -z "$SSH_AUTH_SOCK" ]; then
+              if [ -z "$SSH_AUTH_SOCK" -o -z "$SSH_CONNECTION" ]; then
                 export SSH_AUTH_SOCK=${socketPath}
               fi
             '';
-
             fishIntegration = ''
-              if test -z "$SSH_AUTH_SOCK"
+              if test -z "$SSH_AUTH_SOCK"; or test -z "$SSH_CONNECTION"
                 set -x SSH_AUTH_SOCK ${socketPath}
               end
             '';
-
             nushellIntegration =
               let
                 unsetOrEmpty = var: ''("${var}" not-in $env) or ($env.${var} | is-empty)'';
@@ -79,7 +80,7 @@ in
                     ''$"($env.XDG_RUNTIME_DIR)/${cfg.socket}"'';
               in
               ''
-                if ${unsetOrEmpty "SSH_AUTH_SOCK"} {
+                if ${unsetOrEmpty "SSH_AUTH_SOCK"} or ${unsetOrEmpty "SSH_CONNECTION"} {
                   $env.SSH_AUTH_SOCK = ${socketPath}
                 }
               '';