Commitf9f7f5a

blink-so[bot]

and

kylecarbs

committed

feat: add configurable SSH host key algorithm support

Adds support for configurable SSH host key algorithms to improvecompatibility with modern SSH clients like Visual Studio 2022.Changes:- Add HostKeyAlgorithm field to agentssh.Config- Implement Ed25519 key generation in CoderSigner function- Add CLI flag --ssh-host-key-algorithm with env var support- Support both 'rsa' (default) and 'ed25519' algorithms- Maintain backward compatibility with RSA as defaultResolves compatibility issues with SSH clients that no longersupport RSA host keys.Co-authored-by: kylecarbs <7122116+kylecarbs@users.noreply.github.com>

1 parentde4a270 commitf9f7f5aCopy full SHA for f9f7f5a

File tree

3 files changed

+45

-8

lines changed

agent
- agent.go
- agentssh
  - agentssh.go
cli
- agent.go

3 files changed

+45

-8

lines changed

`‎agent/agent.go`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -82,6 +82,7 @@ type Options struct {`
`82`	`82`	`IgnorePortsmap[int]string`
`83`	`83`	`PortCacheDuration time.Duration`
`84`	`84`	`SSHMaxTimeout time.Duration`
	`85`	`+SSHHostKeyAlgorithmstring`
`85`	`86`	`TailnetListenPortuint16`
`86`	`87`	`Subsystems []codersdk.AgentSubsystem`
`87`	`88`	`PrometheusRegistry*prometheus.Registry`
`@@ -186,6 +187,7 @@ func New(options Options) Agent {`
`186`	`187`	`reportMetadataInterval:options.ReportMetadataInterval,`
`187`	`188`	`announcementBannersRefreshInterval:options.ServiceBannerRefreshInterval,`
`188`	`189`	`sshMaxTimeout:options.SSHMaxTimeout,`
	`190`	`+sshHostKeyAlgorithm:options.SSHHostKeyAlgorithm,`
`189`	`191`	`subsystems:options.Subsystems,`
`190`	`192`	`logSender:agentsdk.NewLogSender(options.Logger),`
`191`	`193`	`blockFileTransfer:options.BlockFileTransfer,`
`@@ -257,6 +259,7 @@ type agent struct {`
`257`	`259`	`sessionToken atomic.Pointer[string]`
`258`	`260`	`sshServer*agentssh.Server`
`259`	`261`	`sshMaxTimeout time.Duration`
	`262`	`+sshHostKeyAlgorithmstring`
`260`	`263`	`blockFileTransferbool`
`261`	`264`
`262`	`265`	`lifecycleUpdatechanstruct{}`
`@@ -292,6 +295,7 @@ func (a *agent) init() {`
`292`	`295`	`// pass the "hard" context because we explicitly close the SSH server as part of graceful shutdown.`
`293`	`296`	`sshSrv,err:=agentssh.NewServer(a.hardCtx,a.logger.Named("ssh-server"),a.prometheusRegistry,a.filesystem,a.execer,&agentssh.Config{`
`294`	`297`	`MaxTimeout:a.sshMaxTimeout,`
	`298`	`+HostKeyAlgorithm:a.sshHostKeyAlgorithm,`
`295`	`299`	`MOTDFile:func()string {returna.manifest.Load().MOTDFile },`
`296`	`300`	`AnnouncementBanners:func()*[]codersdk.BannerConfig {returna.announcementBanners.Load() },`
`297`	`301`	`UpdateEnv:a.updateCommandEnv,`

`‎agent/agentssh/agentssh.go`

Lines changed: 32 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -3,9 +3,11 @@ package agentssh`
`3`	`3`	`import (`
`4`	`4`	`"bufio"`
`5`	`5`	`"context"`
	`6`	`+"crypto/ed25519"`
`6`	`7`	`"errors"`
`7`	`8`	`"fmt"`
`8`	`9`	`"io"`
	`10`	`+"math/rand"`
`9`	`11`	`"net"`
`10`	`12`	`"os"`
`11`	`13`	`"os/exec"`
`@@ -113,6 +115,9 @@ type Config struct {`
`113`	`115`	`BlockFileTransferbool`
`114`	`116`	`// ReportConnection.`
`115`	`117`	`ReportConnectionreportConnectionFunc`
	`118`	`+// HostKeyAlgorithm specifies the SSH host key algorithm to use.`
	`119`	`+// Valid values: "rsa", "ed25519". Default: "rsa" for backward compatibility.`
	`120`	`+HostKeyAlgorithmstring`
`116`	`121`	`// Experimental: allow connecting to running containers via Docker exec.`
`117`	`122`	`// Note that this is different from the devcontainers feature, which uses`
`118`	`123`	`// subagents.`
`@@ -1312,7 +1317,11 @@ func userHomeDir() (string, error) {`
`1312`	`1317`	`// UpdateHostSigner updates the host signer with a new key generated from the provided seed.`
`1313`	`1318`	`// If an existing host key exists with the same algorithm, it is overwritten`
`1314`	`1319`	`func (s*Server)UpdateHostSigner(seedint64)error {`
`1315`		`-key,err:=CoderSigner(seed)`
	`1320`	`+algorithm:=s.config.HostKeyAlgorithm`
	`1321`	`+ifalgorithm=="" {`
	`1322`	`+algorithm="rsa"// Default to RSA for backward compatibility`
	`1323`	`+}`
	`1324`	`+key,err:=CoderSigner(seed,algorithm)`
`1316`	`1325`	`iferr!=nil {`
`1317`	`1326`	`returnerr`
`1318`	`1327`	`}`
`@@ -1325,14 +1334,29 @@ func (s *Server) UpdateHostSigner(seed int64) error {`
`1325`	`1334`	`returnnil`
`1326`	`1335`	`}`
`1327`	`1336`
`1328`		`-// CoderSigner generates a deterministic SSH signer based on the provided seed.`
`1329`		`-//It uses RSA with a key size of2048 bits.`
`1330`		`-funcCoderSigner(seedint64) (gossh.Signer,error) {`
	`1337`	`+// CoderSigner generates a deterministic SSH signer based on the provided seed and algorithm.`
	`1338`	`+//Supported algorithms: "rsa" (2048 bits), "ed25519".`
	`1339`	`+funcCoderSigner(seedint64,algorithmstring) (gossh.Signer,error) {`
`1331`	`1340`	`// Clients should ignore the host key when connecting.`
`1332`	`1341`	`// The agent needs to authenticate with coderd to SSH,`
`1333`	`1342`	`// so SSH authentication doesn't improve security.`
`1334`		`-coderHostKey:=agentrsa.GenerateDeterministicKey(seed)`
`1335`		`-`
`1336`		`-coderSigner,err:=gossh.NewSignerFromKey(coderHostKey)`
`1337`		`-returncoderSigner,err`
	`1343`	`+`
	`1344`	`+switchalgorithm {`
	`1345`	`+case"ed25519":`
	`1346`	`+// Generate deterministic Ed25519 key`
	`1347`	`+rand:=rand.New(rand.NewSource(seed))`
	`1348`	`+_,privateKey,err:=ed25519.GenerateKey(rand)`
	`1349`	`+iferr!=nil {`
	`1350`	`+returnnil,err`
	`1351`	`+}`
	`1352`	`+returngossh.NewSignerFromKey(privateKey)`
	`1353`	`+`
	`1354`	`+case"rsa","":`
	`1355`	`+// Default to RSA for backward compatibility`
	`1356`	`+coderHostKey:=agentrsa.GenerateDeterministicKey(seed)`
	`1357`	`+returngossh.NewSignerFromKey(coderHostKey)`
	`1358`	`+`
	`1359`	`+default:`
	`1360`	`+returnnil,fmt.Errorf("unsupported host key algorithm: %s",algorithm)`
	`1361`	`+}`
`1338`	`1362`	`}`

`‎cli/agent.go`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,7 @@ func (r RootCmd) workspaceAgent() serpent.Command {`
`46`	`46`	`pprofAddressstring`
`47`	`47`	`noReapbool`
`48`	`48`	`sshMaxTimeout time.Duration`
	`49`	`+sshHostKeyAlgorithmstring`
`49`	`50`	`tailnetListenPortint64`
`50`	`51`	`prometheusAddressstring`
`51`	`52`	`debugAddressstring`
`@@ -356,6 +357,7 @@ func (r RootCmd) workspaceAgent() serpent.Command {`
`356`	`357`	`EnvironmentVariables:environmentVariables,`
`357`	`358`	`IgnorePorts:ignorePorts,`
`358`	`359`	`SSHMaxTimeout:sshMaxTimeout,`
	`360`	`+SSHHostKeyAlgorithm:sshHostKeyAlgorithm,`
`359`	`361`	`Subsystems:subsystems,`
`360`	`362`
`361`	`363`	`PrometheusRegistry:prometheusRegistry,`
`@@ -451,6 +453,13 @@ func (r RootCmd) workspaceAgent() serpent.Command {`
`451`	`453`	`Description:"Specify the max timeout for a SSH connection, it is advisable to set it to a minimum of 60s, but no more than 72h.",`
`452`	`454`	`Value:serpent.DurationOf(&sshMaxTimeout),`
`453`	`455`	`},`
	`456`	`+{`
	`457`	`+Flag:"ssh-host-key-algorithm",`
	`458`	`+Default:"rsa",`
	`459`	`+Env:"CODER_AGENT_SSH_HOST_KEY_ALGORITHM",`
	`460`	`+Description:"Specify the SSH host key algorithm to use. Valid values: rsa, ed25519.",`
	`461`	`+Value:serpent.StringOf(&sshHostKeyAlgorithm),`
	`462`	`+},`
`454`	`463`	`{`
`455`	`464`	`Flag:"tailnet-listen-port",`
`456`	`465`	`Default:"0",`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitf9f7f5a

File tree

3 files changed

3 files changed

`‎agent/agent.go`

`‎agent/agentssh/agentssh.go`

`‎cli/agent.go`

0 commit comments