From 2c04d6e5fade3076dd8f11f91d0543b6ebd6b860 Mon Sep 17 00:00:00 2001
From: Lachlan Donald <lachlan@ljd.cc>
Date: Sun, 5 Oct 2025 20:59:19 +1100
Subject: [PATCH] fix: use SSH_CONNECTION to detect forwarded agents
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Check SSH_CONNECTION instead of SSH_AUTH_SOCK to determine if we're in an
SSH session. This handles the case where SSH_AUTH_SOCK is set to a system
agent that doesn't have the needed keys.

Logic:
- SSH_CONNECTION empty (local machine) → Use 1Password IdentityAgent
- SSH_CONNECTION set (SSH session) → Skip IdentityAgent, use forwarded agent

Match host * exec "sh -c 'test -z \"$SSH_CONNECTION\"'"
  IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

This ensures:
- Local sessions always use 1Password
- ssh -A properly uses forwarded agent
- GUI apps use 1Password
---
 ssh/config | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ssh/config b/ssh/config
index 71126a4..f386da7 100644
--- a/ssh/config
+++ b/ssh/config
@@ -13,6 +13,6 @@ Host *
   ForwardAgent no
   StrictHostKeyChecking=accept-new
 
-# 1Password agent - only when no agent is already available (e.g., from forwarding)
-Match host * exec "test -z \"$SSH_AUTH_SOCK\""
+# 1Password agent - use unless in SSH session (forwarded agent)
+Match host * exec "sh -c 'test -z \"$SSH_CONNECTION\"'"
   IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"