pkg/driver/vz: Try SSH handshake to check if SSH port is available. #4337
Check the SSH server in a way that complies with the SSH protocol using x/crypto/ssh. This change fixes #4334 by falling back to usernet port forwarder on failing SSH connections over VSOCK.
pkg/networks/usernet: Rename entry point from `/extension/wait_port` to `/extension/wait_ssh_server`
Because it changed to an SSH server-specific entry point. When a client accesses the old entry point, it fails and continues with falling back to the usernet forwarder.
pkg/sshutil: Add `WaitSSHReady()`
WaitSSHReady waits until the SSH server is ready to accept connections. The dialContext function is used to create a connection to the SSH server. The addr, user, and privateKeyPath parameters are used for ssh.ClientConn creation. The timeoutSeconds parameter specifies the maximum number of seconds to wait.
feat: Generate SSH server keys in host agent and use them in guest OS
This change changes the SSH server keys that have been generated for each boot in guest OS to be generated by hostagent for each boot.
This allows the hostagent to obtain the public key before booting, so that knownhosts can be used with an ssh connection.
The code that uses `ssh.InsecureIgnoreHostKey()` in `x/crypto/ssh` is pointed out in CodeQL as `Use of insecure HostKeyCallback implementation (High)`, so it is an implementation to avoid this.
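The readiness check described above performs a handshake with x/crypto/ssh; the following example is added here, is not the project's code, and narrows the same idea to the RFC 4253 identification string using only the Go standard library. The names `probeBanner` and `waitSSHBanner` and the address in `main` are assumptions.

```go
package main

import (
	"bufio"
	"context"
	"fmt"
	"io"
	"net"
	"strings"
	"time"
)

// probeBanner dials once and requires an RFC 4253 identification line (a bare TCP accept is not enough).
func probeBanner(ctx context.Context, dial func(context.Context) (net.Conn, error)) (string, error) {
	conn, err := dial(ctx)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	dl, _ := ctx.Deadline() // zero time means no deadline
	_ = conn.SetReadDeadline(dl)
	r := bufio.NewReader(io.LimitReader(conn, 4096)) // bound untrusted input
	for { // a server may send other lines before its identification string
		line, err := r.ReadString('\n')
		if err != nil {
			return "", fmt.Errorf("no SSH banner: %w", err)
		}
		if strings.HasPrefix(line, "SSH-2.0-") || strings.HasPrefix(line, "SSH-1.99-") {
			return strings.TrimRight(line, "\r\n"), nil
		}
	}
}

// waitSSHBanner retries probeBanner until it succeeds or timeout elapses.
func waitSSHBanner(ctx context.Context, dial func(context.Context) (net.Conn, error), timeout time.Duration) (string, error) {
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	for {
		banner, err := probeBanner(ctx, dial)
		if err == nil || ctx.Err() != nil {
			return banner, err
		}
		time.Sleep(100 * time.Millisecond)
	}
}

func main() { // 127.0.0.1:22 is an assumed address for a stand-alone run
	dial := func(ctx context.Context) (net.Conn, error) { return new(net.Dialer).DialContext(ctx, "tcp", "127.0.0.1:22") }
	fmt.Println(waitSSHBanner(context.Background(), dial, 3*time.Second))
}
```

A banner check only shows that something speaking SSH is listening; it does not authenticate the server, which is what the pre-generated host keys and known-hosts verification in this change address.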