pkg/hostagent: Use in-process SSH client on executing requirement scripts #4333
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
Author
|
This change aims to avoid error: |
norio-nomura
force-pushed
the
use-in-process-ssh-client-to-requirement
branch
from
6f82138 to
bfad23e
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
norio-nomura
force-pushed
the
use-in-process-ssh-client-to-requirement
branch
3 times, most recently
from
7ac972c to
19da4f8
Compare
norio-nomura
force-pushed
the
use-in-process-ssh-client-to-requirement
branch
2 times, most recently
from
75df537 to
11f5967
Compare
Contributor
Author
This error no longer occurs, but instead ssh connection is no longer possible in macOS+QEMU. 😞 |
norio-nomura
force-pushed
the
use-in-process-ssh-client-to-requirement
branch
7 times, most recently
from
776ff21 to
9e82e1a
Compare
norio-nomura
force-pushed
the
use-in-process-ssh-client-to-requirement
branch
6 times, most recently
from
f82a400 to
8f0d92e
Compare
Contributor
Author
Contributor
Author
norio-nomura
force-pushed
the
use-in-process-ssh-client-to-requirement
branch
from
8f0d92e to
ad1aad8
Compare
Contributor
Author
|
https://github.com/lima-vm/alpine-lima does not support |
norio-nomura
force-pushed
the
use-in-process-ssh-client-to-requirement
branch
from
ad1aad8 to
8f0b3eb
Compare
| sshConfig := &ssh.ClientConfig{ | ||
| User: user, | ||
| Auth: []ssh.AuthMethod{ssh.PublicKeys(signer)}, | ||
| HostKeyCallback: ssh.InsecureIgnoreHostKey(), // lgtm[go/insecure-hostkeycallback] |
Check failure
Code scanning / CodeQL
Use of insecure HostKeyCallback implementation
| sshConfig := &ssh.ClientConfig{ | ||
| User: user, | ||
| Auth: []ssh.AuthMethod{ssh.PublicKeys(signer)}, | ||
| HostKeyCallback: ssh.InsecureIgnoreHostKey(), // lgtm[go/insecure-hostkeycallback] |
Check failure
Code scanning / CodeQL
Use of insecure HostKeyCallback implementation
Check the SSH server in a way that complies with the SSH protocol using x/crypto/ssh. This change fixes lima-vm#4334 by falling back to usernet port forwarder on failing SSH connections over VSOCK. - pkg/networks/usernet: Rename entry point from `/extension/wait_port` to `/extension/wait_ssh_server` Because it changed to an SSH server-specific entry point. When a client accesses the old entry point, it fails and continues with falling back to the usernet forwarder. - pkg/sshutil: Add `WaitSSHReady()` WaitSSHReady waits until the SSH server is ready to accept connections. The dialContext function is used to create a connection to the SSH server. The addr, user, privateKeyPath parameter is used for ssh.ClientConn creation. The timeoutSeconds parameter specifies the maximum number of seconds to wait. Signed-off-by: Norio Nomura <[email protected]>
This change changes the SSH server keys that have been generated for each boot in guest OS to be generated by hostagent for each boot. This allows the hostagent to obtain the public key before booting, so that knownhosts can be used with an ssh connection. The code that uses `ssh.InsecureIgnoreHostKey()` in `x/crypto/ssh` is pointed out in CodeQL as `Use of insecure HostKeyCallback implementation (High)`, so it is an implementation to avoid this. Signed-off-by: Norio Nomura <[email protected]>
…ipts Use an in-process SSH client on executing requirement scripts other than starting an SSH ControlMaster process. To fall back to external SSH, add the `LIMA_EXTERNAL_SSH_REQUIREMENT` environment variable. - pkg/sshutil: Add `ExecuteScriptViaInProcessClient()` Signed-off-by: Norio Nomura <[email protected]> # Conflicts: # pkg/sshutil/sshutil.go # Conflicts: # pkg/sshutil/sshutil.go
Signed-off-by: Norio Nomura <[email protected]>
…cmdline `template:` refers to installed templates. So, it needs to be injected before executing `make install`. Signed-off-by: Norio Nomura <[email protected]>
…ForSSH()`" This reverts commit 5fde2e3. Signed-off-by: Norio Nomura <[email protected]>
Signed-off-by: Norio Nomura <[email protected]>
norio-nomura
force-pushed
the
use-in-process-ssh-client-to-requirement
branch
from
8047ecc to
0c13e06
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Use an in-process SSH client on executing requirement scripts other than starting an SSH ControlMaster process. To fall back to external SSH, add the
LIMA_EXTERNAL_SSH_REQUIREMENTenvironment variable.ExecuteScriptViaInProcessClient()