VSCode’s SSH Agent Is Bananas
Source: fly.io Date: 2025-02-12 URL: https://fly.io/blog/vscode-ssh-wtf/
Summary
Technical critique essay by Ptacek examining VSCode’s remote SSH agent architecture. Unlike Emacs’s Tramp (which uses shell capabilities already present on the remote), VSCode deploys a Bash stager that downloads a Node.js binary agent with broad permissions (filesystem, process launching, self-persistence) over port-forwarded SSH/WebSocket. The framing is security-critical: the agent’s privilege model resembles malware more than a development tool, which matters in production environments.
Implications
Agentic engineering patterns / edge deployment economics. The critique is relevant beyond VSCode: it surfaces the security trade-off in any “agent that runs inside a machine” design. Fly’s own agent products (Sprites, remote MCP servers) face the same privilege questions. The conclusion — Fly will pursue alternative approaches rather than VSCode’s model — is interesting context for how they think about agent sandboxing. The Tramp comparison points toward “minimal-footprint, shell-native” as the preferred approach, which aligns with their Sprites-as-real-computers thesis over container-based sandboxing.