Investigate ssh proxy (For: JetBrains integration, VSCode Desktop) #5602

Closed
akosyakov opened this issue Sep 8, 2021 · 17 comments · Fixed by #7412

@akosyakov
Member

akosyakov commented Sep 8, 2021

Right now we have to generate an additional ssh config which is not integrated with the user's ssh config file. It is troublesome since the user has to switch between them, and in the case of the VS Code Desktop integration we have to mess with remote ssh settings as well.

There is ProxyCommand, which allows dynamically resolving host names for fake names, see https://blog.jverkamp.com/2017/12/18/ssh-config-proxycommand-tricks/. We could replace the generated ssh config file with a single entry in the user's ssh config file, like:

Host *.gitpod.io
    ProxyCommand gpc connect %h

Where gpc is the gitpod local companion cli and %h is a placeholder filled in by the ssh client while resolving a concrete host like olive-orangutan-acs8mw87.ws-eu16.gitpod.io. The cli will look up the api endpoint of the gitpod local companion daemon based on a special file for the current user, e.g. the ~/.gitpod/local_apps file:

{
  "gitpod.io": {
    "pid": 22301,
    "apiPort": 40354
  },
  "ak-stable-code-desktop.staging.gitpod-dev.com": {
    "pid": 22302,
    "apiPort": 40356
  }
}

After that it will use the api to proxy ssh connection via the local companion of this host.

@csweichel @svenefftinge wdyt?

It's also nicer for other ssh tools, since they don't need to provide -F option anymore, but can do just ssh olive-orangutan-acs8mw87.ws-eu16.gitpod.io. And having gitpod.io in the status bar of remote ssh window is another benefit, right now there are just workspace names.
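An added example, not part of the original comment or of Gitpod's code: a sketch of the lookup step the proposal describes, where the `%h` value is validated as a DNS name before use and then matched against the `local_apps` registry on a label boundary, so a look-alike domain cannot select a daemon. `ResolveDaemon` and `Daemon` are hypothetical names; the registry content and host name are the ones from the comment above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Daemon mirrors one entry of the local_apps file shown in the issue.
type Daemon struct {
	PID     int `json:"pid"`
	APIPort int `json:"apiPort"`
}

// hostRE accepts only DNS-style names, so %h cannot carry shell metacharacters.
var hostRE = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$`)

// ResolveDaemon (hypothetical) picks the daemon whose domain is the longest suffix of host.
func ResolveDaemon(registry []byte, host string) (string, Daemon, error) {
	host = strings.ToLower(host)
	if len(host) > 253 || !hostRE.MatchString(host) {
		return "", Daemon{}, fmt.Errorf("invalid host %q", host)
	}
	var apps map[string]Daemon
	if err := json.Unmarshal(registry, &apps); err != nil {
		return "", Daemon{}, fmt.Errorf("parse registry: %w", err)
	}
	best := ""
	for domain := range apps {
		// Match on a label boundary: "x.evilgitpod.io" must not match "gitpod.io".
		if strings.HasSuffix(host, "."+domain) && len(domain) > len(best) {
			best = domain
		}
	}
	if best == "" {
		return "", Daemon{}, fmt.Errorf("no local companion registered for %q", host)
	}
	d := apps[best]
	if d.PID <= 0 || d.APIPort < 1 || d.APIPort > 65535 {
		return "", Daemon{}, fmt.Errorf("bad registry entry for %q", best)
	}
	return best, d, nil
}

// sampleRegistry is the file content from the issue, on one line.
const sampleRegistry = `{"gitpod.io":{"pid":22301,"apiPort":40354},"ak-stable-code-desktop.staging.gitpod-dev.com":{"pid":22302,"apiPort":40356}}`

func main() {
	fmt.Println(ResolveDaemon([]byte(sampleRegistry), "olive-orangutan-acs8mw87.ws-eu16.gitpod.io"))
}
```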

@akosyakov
Member Author

The special file to discover current daemons also would be helpful to reuse daemons across different clients, i.e. VS Code or VS Code Insiders, or even JetBrains products.

@svenefftinge
Member

Sounds good to me. Would the ProxyCommand then call the local companion app CLI? I.e. is that something that needs to be built first?

@akosyakov
Member Author

We will first do #4781 and later come back to this issue.

@iQQBot
Contributor

iQQBot commented Sep 28, 2021

ProxyCommand only resolves the proxy or fake domain issue; it doesn't resolve SSH authentication, you still have to pass -i "id_rsa.key" or -F "ssh config file".

The possible solutions I can think of are as follows

1. ssh gateway

Provide an ssh proxy gateway in gitpod.io, just like ws-proxy. We can use only a random username to identify the workspace and ssh; the user can use ssh olive-orangutan-acs8mw87:randompassword@ssh.gitpod.io or ssh long-randompassword@olive-orangutan-acs8mw87.ws-eu16.gitpod.io. The domain doesn't matter, only the username is used.

This has several benefits:

  1. It doesn't modify the current local-app; it is a new component, and we just modify the gitpod vscode extension.
  2. The user doesn't need to download another tool.
  3. If we use a single domain, it can reduce useless items in .ssh/known_hosts.

It seems a little less secure, but since it's a long random password, it's probably okay?

2. implement ssh proxy in local-app

Use ProxyCommand to identify the workspace, so no password is needed, just ssh olive-orangutan-acs8mw87.ws-eu16.gitpod.io. It needs some config added to the user's ssh config file. We can automatically add the config to the user's ssh config file in the default location (terminal side, or the vscode remote.SSH.configFile path), but some users use a custom location to save their ssh config, and these users may need to add the config manually. Also, ProxyCommand is only provided by openssh.
It also needs an ssh proxy to resolve the authentication case, but only needs small modifications to local-app.

@iQQBot
Contributor

iQQBot commented Oct 1, 2021

I don't know what you think of the two proposals above. I would like to be able to implement this proposal by submitting a PR if possible.

@julkhami

julkhami commented Oct 5, 2021

So you're working on this and you'll update here when it's set up? That'd be great, thank you

@iQQBot
Contributor

iQQBot commented Oct 5, 2021

> So you're working on this and you'll update here when it's set up? That'd be great, thank you

I'd be happy to complete this PR, but it requires the approval of the gitpod team, otherwise it won't go to production either.

@akosyakov
Member Author

@iQQBot We currently don't have capacity even looking into design, sorry.

I like the idea with the gateway in ws-proxy, since it does not require the local app at all for VS Code Desktop then. How you suggested auth to happen, I don't think it is going to work: we use a special vscode remote URL. I tried in the past to change ports and user in the authority but VS Code could not handle it. Besides, just doing something like ssh olive-orangutan-acs8mw87.ws-eu16.gitpod.io would be way better.

I was wondering whether a user could instead configure ssh key in settings and we would use them somehow in ws-proxy. And ws-proxy will work like a bastion server. I am not an expert in this question. Ideas are welcomed! cc @csweichel since I am not sure about feasibility and security here.

@iQQBot
Contributor

iQQBot commented Oct 11, 2021

@akosyakov Thank you for your reply. I tried the vscode remote url; it supports changing the user.


@iQQBot
Contributor

iQQBot commented Oct 11, 2021

@akosyakov @csweichel So the whole program should be feasible. Now the point is whether we need the user to upload an ssh public key; I think the need is not very big.

@csweichel
Contributor

We've looked at SSH gateways in the past and found them to be rather involved. Is there a package you have in mind for building this?

@iQQBot
Contributor

iQQBot commented Oct 11, 2021

Can use package "golang.org/x/crypto/ssh"

  1. implement fake auth
  2. forward session to workspace
  3. implement port-forward

@iQQBot
Contributor

iQQBot commented Oct 11, 2021

I will try to make a demo in the next few days

@csweichel
Contributor

https://pkg.go.dev/github.com/kennylevinsen/sshmux looks like an option

@iQQBot
Contributor

iQQBot commented Oct 12, 2021

Many thanks, it looks good. I will take a look

@iQQBot
Contributor

iQQBot commented Oct 12, 2021

@csweichel it works!

@loujaybee changed the title from "[local-app] use ProxyCommand to avoid generating ssh configs" to "Investigate ssh proxy (For: JetBrains integration, VSCode Desktop)" on Dec 21, 2021
@akosyakov
Member Author

We agreed to prototype it, but it should be time boxed by the end of this year. It should not introduce any new components but be implemented in ws-proxy. cc @iQQBot

@akosyakov akosyakov moved this from Done to Awaiting Deployment in [DEPRECATED] Product Engineering Groundwork Jan 6, 2022