feat(ssh): native SSH and key management commands#809
Merged
paulocsanz merged 14 commits intomasterfrom Mar 18, 2026
Merged
Conversation
paulocsanz
changed the title
Adds support for native SSH connections using the new flow: `ssh <serviceInstanceId>@ssh.railway.com` Changes: - Add native SSH module that uses serviceInstanceId for routing - Add SSH key management (auto-detect local keys, register with Railway) - Add GraphQL queries for SSH keys and service instances - Native SSH is used by default when local SSH keys exist - Add --relay flag to force WebSocket fallback mode The native SSH flow: 1. Checks for local SSH keys (~/.ssh/id_*.pub) 2. Ensures key is registered with Railway (prompts or auto-registers) 3. Gets serviceInstanceId via GraphQL 4. Runs ssh <serviceInstanceId>@ssh.railway.com
Railway's SSH proxy doesn't forward exec commands through the QUIC tunnel, so command execution requires relay mode. Native SSH is now only used for interactive shells where it works correctly. - Commands use relay mode (railway ssh <command>) - Interactive shells use native SSH (railway ssh) - Tmux sessions continue using relay mode
Display the SSH key path when connecting to help users understand which key is being used for authentication.
- Remove unused run_native_ssh_with_tmux (exec commands not supported) - Remove unused find_registered_local_key and ensure_ssh_key_registered - Fix &PathBuf -> &Path clippy warnings - Keep tmux sessions using WebSocket relay since SSH exec isn't supported
- Dynamically scans ~/.ssh/ directory for all .pub files - Filters to supported key types (ed25519, ecdsa, rsa, dss) - Sorts by key type preference (ed25519 first)
- Add `railway ssh keys` to list registered SSH keys - Add `railway ssh keys add` to register a local key - Add `railway ssh keys remove` to delete a registered key - Shows which local keys match registered keys - Supports 2FA for key deletion
Add `railway ssh keys` command with subcommands: - `list` (default): Show registered, GitHub, and local SSH keys - `add`: Register a local SSH key with Railway - `remove`: Delete a registered SSH key - `github`: Import SSH keys from GitHub account Also removes unused LogFormat::Simple variant.
WebSocket relay is now the default SSH method. Users can opt into native SSH with --native flag when they want direct SSH connections.
Pass command arguments to the ssh binary when using --native flag, enabling commands like `railway ssh --native echo hello`.
- Use validateTwoFactor mutation before delete instead of passing code to sshPublicKeyDelete - Update GraphQL mutation to remove unused code parameter - Fix 2FA error detection to be case-insensitive and match "two factor" string - Replace silent non-TTY key registration with explicit error directing user to register manually - Simplify run_native_ssh to always inherit stdio regardless of command mode
paulocsanz
force-pushed
the
paulo/native-ssh-flow
branch
from
5e2db23 to
67f6e9f
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
ssh <serviceInstanceId>@ssh.railway.comrailway ssh keyscommand for managing SSH keysChanges
Native SSH
--relayflag to force WebSocket fallback mode (hidden)SSH Key Management (
railway ssh keys)railway ssh keys/railway ssh keys list- List registered, GitHub, and local SSH keysrailway ssh keys add- Register a local SSH key with Railwayrailway ssh keys remove- Delete a registered SSH key (supports 2FA)railway ssh keys github- Import SSH keys from GitHub accountOther
~/.ssh/*.pubfor all local keys (not hardcoded filenames)railway sshif none registeredTest plan
railway sshopens interactive shell via native SSHrailway ssh -- "hostname"runs command via WebSocket relayrailway ssh --session mynameworks with tmux via relayrailway ssh --relayforces WebSocket relayrailway ssh keyslists all keys with detailsrailway ssh keys addregisters a local keyrailway ssh keys removedeletes a keyrailway ssh keys githubimports from GitHub