Disable SSH agent when a tunnel identity file/password is provided (#9814)#10044
Disable SSH agent when a tunnel identity file/password is provided (#9814)#10044dpage wants to merge 1 commit into
Conversation
|
Warning Review limit reached
More reviews will be available in 7 minutes and 19 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
dpage
force-pushed
the
fix-9814-ssh-allow-agent
branch
2 times, most recently
from
cd68648 to
634f60f
Compare
…n-org#9814 SSHTunnelForwarder was called without allow_agent, which defaults to True in sshtunnel/paramiko, so the SSH agent was always probed even when the user supplied an identity file or password - causing repeated agent authentication attempts/denials. Pass allow_agent=False on both the identity-file and password code paths. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
dpage
force-pushed
the
fix-9814-ssh-allow-agent
branch
from
634f60f to
4f91c17
Compare
There was a problem hiding this comment.
Pull request overview
Fixes pgAdmin SSH-tunnel authentication behavior by preventing Paramiko/sshtunnel from probing the user’s SSH agent when explicit tunnel credentials (identity file or password) are intended to be used, avoiding repeated agent authentication prompts/denials (Issue #9814).
Changes:
- Pass
allow_agent=FalsetoSSHTunnelForwarder(...)for both identity-file and password tunnel authentication paths. - Add a v9.16 release note entry referencing Issue #9814.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| web/pgadmin/utils/driver/psycopg3/server_manager.py | Disables SSH-agent probing for SSH tunnel creation by adding allow_agent to the tunnel forwarder initialization. |
| docs/en_US/release_notes_9_16.rst | Documents the fix in the v9.16 bug fixes section. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| (self.tunnel_host, int(self.tunnel_port)), | ||
| ssh_username=self.tunnel_username, | ||
| ssh_password=tunnel_password, | ||
| allow_agent=False, | ||
| remote_bind_address=(self.host, self.port), |
Summary
Fixes #9814.
When connecting through an SSH tunnel with an explicit identity file or password, pgAdmin still probed the SSH agent, causing repeated authentication attempts/denials (and prompts) from the agent.
Root cause:
SSHTunnelForwarder(...)was called withoutallow_agent, which defaults toTruein sshtunnel/paramiko.Fix: pass
allow_agent=Falseon both tunnel auth paths (identity file and password), since the user has explicitly supplied credentials.🤖 Generated with Claude Code