sshutil: detect Win32-OpenSSH version, export PathForSSH

jandubois · jandubois · commit bc99aca86318 · 2026-04-24T14:31:05.000-07:00
Two related changes used together by callers that talk to the ssh
family of binaries on Windows:

ParseOpenSSHVersion: also match "OpenSSH_for_Windows_X.YpZ" (the version
banner emitted by native Windows OpenSSH). Previously the regex required
a digit immediately after "OpenSSH_", so Win32-OpenSSH was misdetected
as version 0.0.0 and Lima then treated it as pre-8.0 legacy ssh in code
paths that branch on the version (e.g. scp URL form).

PathForSSH: rename from the previously unexported pathForSSH and export
it. copytool.parseCopyPaths needs the same path-translation logic, and
duplicating the cygpath-vs-native decision in two packages would invite
drift.

Add a test for the Win32-OpenSSH version banner.

Signed-off-by: Jan Dubois &lt;jan.dubois@suse.com&gt;
diff --git a/pkg/sshutil/sshutil.go b/pkg/sshutil/sshutil.go
@@ -90,14 +90,14 @@ func IsSSHCygwin(sshExe SSHExe) bool {
 	return err == nil
 }
 
-// pathForSSH converts orig to the path form expected by the ssh and ssh-keygen
-// binaries that Lima will invoke. On non-Windows the path is returned unchanged.
-// On Windows:
+// PathForSSH converts orig to the path form expected by the ssh family of
+// binaries (ssh, ssh-keygen, scp, sftp, rsync-over-ssh) that Lima will invoke.
+// On non-Windows the path is returned unchanged. On Windows:
 //   - For Cygwin-based ssh (Git for Windows, MSYS2): runs cygpath to produce a
 //     Cygwin-style path like /c/Users/...
 //   - For native Windows OpenSSH: returns the path with forward slashes
-//     (e.g. C:/Users/...), which native ssh-keygen and ssh accept.
-func pathForSSH(ctx context.Context, sshExe SSHExe, orig string) (string, error) {
+//     (e.g. C:/Users/...), which native ssh, ssh-keygen, and scp accept.
+func PathForSSH(ctx context.Context, sshExe SSHExe, orig string) (string, error) {
 	if runtime.GOOS != "windows" {
 		return orig, nil
 	}
@@ -152,7 +152,7 @@ func DefaultPubKeys(ctx context.Context, loadDotSSH bool) ([]PubKey, error) {
 				if sshErr != nil {
 					return sshErr
 				}
-				privPath, err = pathForSSH(ctx, sshExe, privPath)
+				privPath, err = PathForSSH(ctx, sshExe, privPath)
 				if err != nil {
 					return err
 				}
@@ -328,7 +328,7 @@ func CommonOpts(ctx context.Context, sshExe SSHExe, useDotSSH bool) ([]string, e
 
 func identityFileEntry(ctx context.Context, sshExe SSHExe, privateKeyPath string) (string, error) {
 	if runtime.GOOS == "windows" {
-		privateKeyPath, err := pathForSSH(ctx, sshExe, privateKeyPath)
+		privateKeyPath, err := PathForSSH(ctx, sshExe, privateKeyPath)
 		if err != nil {
 			return "", err
 		}
@@ -386,7 +386,7 @@ func SSHOpts(ctx context.Context, sshExe SSHExe, instDir, username string, useDo
 	}
 	controlPath := fmt.Sprintf(`ControlPath="%s"`, controlSock)
 	if runtime.GOOS == "windows" {
-		controlSock, err = pathForSSH(ctx, sshExe, controlSock)
+		controlSock, err = PathForSSH(ctx, sshExe, controlSock)
 		if err != nil {
 			return nil, err
 		}
@@ -430,7 +430,10 @@ func SSHOptsRemovingControlPath(opts []string) []string {
 }
 
 func ParseOpenSSHVersion(version []byte) *semver.Version {
-	regex := regexp.MustCompile(`(?m)^OpenSSH_(\d+\.\d+)(?:p(\d+))?\b`)
+	// Matches "OpenSSH_8.4p1 ..." (upstream) and "OpenSSH_for_Windows_9.5p2 ..."
+	// (Win32-OpenSSH). The optional "_for_Windows" prefix is recognized so native
+	// Windows OpenSSH is not misdetected as version 0.0.0.
+	regex := regexp.MustCompile(`(?m)^OpenSSH(?:_for_Windows)?_(\d+\.\d+)(?:p(\d+))?\b`)
 	matches := regex.FindSubmatch(version)
 	if len(matches) == 3 {
 		if len(matches[2]) == 0 {
diff --git a/pkg/sshutil/sshutil_test.go b/pkg/sshutil/sshutil_test.go
@@ -33,6 +33,9 @@ func TestParseOpenSSHVersion(t *testing.T) {
 	// NixOS 25.05
 	assert.Check(t, ParseOpenSSHVersion([]byte(`command-line line 0: Unsupported option "gssapiauthentication"
 OpenSSH_10.0p2, OpenSSL 3.4.1 11 Feb 2025`)).Equal(*semver.New("10.0.2")))
+
+	// Native Windows OpenSSH (Win32-OpenSSH)
+	assert.Check(t, ParseOpenSSHVersion([]byte("OpenSSH_for_Windows_9.5p2, LibreSSL 3.8.2")).Equal(*semver.New("9.5.2")))
 }
 
 func TestParseOpenSSHGSSAPISupported(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,9 @@ func TestParseOpenSSHVersion(t *testing.T) {`
`33`	`33`	`// NixOS 25.05`
`34`	`34`	assert.Check(t, ParseOpenSSHVersion([]byte(`command-line line 0: Unsupported option "gssapiauthentication"
`35`	`35`	OpenSSH_10.0p2, OpenSSL 3.4.1 11 Feb 2025`)).Equal(*semver.New("10.0.2")))
	`36`	`+`
	`37`	`+ // Native Windows OpenSSH (Win32-OpenSSH)`
	`38`	`+ assert.Check(t, ParseOpenSSHVersion([]byte("OpenSSH_for_Windows_9.5p2, LibreSSL 3.8.2")).Equal(*semver.New("9.5.2")))`
`36`	`39`	`}`
`37`	`40`
`38`	`41`	`func TestParseOpenSSHGSSAPISupported(t *testing.T) {`