[SSH Gateway] remove private key requirement when ownerToken is provide

[iQQBot]

Description

[SSH Gateway] remove private key requirement when ownerToken is provide

At past, we introduce a simple copy/paste command to let users can simply copy it into the terminal to get an ssh connection to the workspace, but there are limitations to the golang.org/x/crypto/ssh library, it require user provider a private key in order to skip password prompt, this can be confusing for users and cause an incident for VSCode Desktop can not connect to workspace.

So we move to fork golang.org/x/crypto/ssh repo link, and do some change, to make it suits us better.

The first change is cherry-pick some commit from tailscale 🙏 , the most important thing is support NoClientAuthCallback which let us can verify username in this check, and don't need the user to provide private key. PR link

see internal discuss

NOTE: this PR is base on #10573 for test, it need rebase to main before merge.

Related Issue(s)

Fixes #

How to test

1. start a workspace in preview environment
2. start another workspace or use your local computer (move your private key to another folder)
3. using copy/paste ssh command to connect workspace, it should success
   4. upload your public key in setting -> SSH Key
   5. use your private key to connect with the workspace

4 and 5 is check this feature doesn't break #10573

Release Notes

[SSH Gateway] remove priavte key requirement when ownerToken is provide

Documentation

[werft-gitpod-dev-com]

started the job as gitpod-build-pd-try-no-auth-ssh.6 because the annotations in the pull request description changed
(with .werft/ from main)

[werft-gitpod-dev-com]

started the job as gitpod-build-pd-try-no-auth-ssh.7 because the annotations in the pull request description changed
(with .werft/ from main)

[werft-gitpod-dev-com]

started the job as gitpod-build-pd-try-no-auth-ssh.8 because the annotations in the pull request description changed
(with .werft/ from main)

[akosyakov]

The PR should be opened again @mustard-mh branch not main?

[iQQBot]

NOTE: this PR is base on #10573 for test, it need rebase to main before merge.

[akosyakov]

@iQQBot the trouble is that now we need review from webapp and self hosted teams? Maybe we test SSH keys separately? and first solve one problem?

[iQQBot]

@iQQBot the trouble is that now we need review from webapp and self hosted teams? Maybe we test SSH keys separately? and first solve one problem?

Self-hosted team review is required, after you test I will rebase to main, just want to make sure it doesn't break user-uploaded ssh key

[akosyakov]

It works in copy/paste via Dashboard 🎉 We should also remove a note about private keys?

It does not seem to help with auth in VS Code Desktop:

[akosyakov]

I see we will need to update VS Code desktop extension. It only uses ownerToken if private keys are present: https://github.com/gitpod-io/gitpod-vscode-desktop/blob/1b62c01a8d8c45739a637439161a4b8ed2fa51f6/src/remoteConnector.ts#L522

[akosyakov]

@iQQBot it looks good to me. what next? wait I did not test upload

[akosyakov]

tested uploaded, it worked as well, great work

[iQQBot]

It works in copy/paste via Dashboard 🎉 We should also remove a note about private keys?

Yes, but will do it in another PR, because we don't know when is workspace team deploy this PR, after workspace team is deployed, remove note will safe.

It looks good to me. what next

I already rebase and remove review request from webapp team, but it still need self-hosted team approve, because it change go.sum in installer, if this PR get merge and deploy, we can update vscode desktop extension and dashboard note and document

[werft-gitpod-dev-com]

started the job as gitpod-build-pd-try-no-auth-ssh.10 because the annotations in the pull request description changed
(with .werft/ from main)

[akosyakov]

@iQQBot don't forget to add notes in our team sync that it does not slip 🙏 I'm super excited with all improvements 🚀