pkg/driver/vz: Try SSH handshake to check if SSH port is available.

[norio-nomura]

Check the SSH server in a way that complies with the SSH protocol using x/crypto/ssh.
This change fixes #4334 by falling back to usernet port forwarder on failing SSH connections over VSOCK.

• pkg/networks/usernet: Rename entry point from /extension/wait_port to /extension/wait-ssh-server
  Because it changed to an SSH server-specific entry point.
  When a client accesses the old entry point, it fails and continues with falling back to the usernet forwarder.

• pkg/sshutil: Add WaitSSHReady()
  WaitSSHReady waits until the SSH server is ready to accept connections.
  The dialContext function is used to create a connection to the SSH server.
  The addr, user parameter is used for ssh.ClientConn creation.
  The timeoutSeconds parameter specifies the maximum number of seconds to wait.

• pkg/sshutil: Use hostKeyCollector().checker() instead of ssh.InsecureIgnoreHostKey()
hostKeyCollector().checker():
  checker returns a HostKeyCallback that either checks and collects the host key,
  or only checks the host key, depending on whether any host keys have been collected.
  It is expected to pass host key checks by retrying after the first collection.
  On second invocation, it will only check the host key.

[norio-nomura]

Expecting CI failures will be fixed by #4336 and #4341
Fixed.

[norio-nomura]

Following change added to avoid CodeQL error:

• feat: Generate SSH server keys in host agent and use them in guest OS
  Dropped

[norio-nomura]

Following change added to avoid CodeQL error:

• feat: Generate SSH server keys in host agent and use them in guest OS

Dropped this feature, because https://github.com/lima-vm/alpine-lima does not support ssh_keys field in user-data, and #4333 depends on this PR won't work with that.

[norio-nomura]

Added:

• CodeQL: Exclude go/insecure-hostkeycallback
  Split ssh.InsecureIgnoreHostKey() usage into pkg/sshutil/sshutil_use_insecure_hostkeycallback.go and
  exclude go/insecure-hostkeycallback on that file.
  We already ignore host key verification when executing SSH commands in Lima,
  by using UserKnownHostsFile=/dev/null and StrictHostKeyChecking=no in the SSH command arguments.
  Dropped.

[AkihiroSuda]

It is quite hard to maintain the code that mixes up /usr/bin/ssh with golang.org/x/crypto/ssh

[AkihiroSuda]

The PR looks overengineering.

Can we consider another way to fix the issue #4334 ?

e.g., by writing vsock availability to a serial port

[norio-nomura]

What I really want to do is #4333, and this is like a grounding.

[norio-nomura]

I feel that #4333 and this can also be implemented without using host key generation and known_hosts.
If the host key generation and the known_hosts area disappear, I think the implementation will be simpler.

[norio-nomura]

e.g., by writing vsock availability to a serial port

I tried to reconsider this, but I think it's difficult.
On Fedora 43's case:

• Like ubuntu, where normal SSH over VSOCK can be used, systemd listens to VSOCK:22.

[norio@lima-fedora ~]$ sudo ss -l --vsock -p
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process                                     
v_str LISTEN 0      0                  *:22              *:*     users:(("systemd",pid=1,fd=228))           
v_str LISTEN 0      0                  3:2222            *:*     users:(("lima-guestagent",pid=1443,fd=13)) 

• Accepted connection is denied by some mechanism(audit?).
  port availability detection log:

  [norio@lima-fedora ~]$ sudo journalctl|grep -E '[(1030|1037)]'
  Nov 20 08:32:47 lima-fedora audit[1030]: AVC avc: denied { getattr } for pid=1030 comm="sshd-session" scontext=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
  Nov 20 08:32:47 lima-fedora sshd-session[1030]: banner exchange: Connection from UNKNOWN port 65535: Broken pipe

  Actual log on SSH connection via forwarded to VSOCK is denied:

  Nov 20 08:32:48 lima-fedora sshd-session[1037]: ssh_dispatch_run_fatal: Connection from UNKNOWN port 65535: Permission denied [preauth]
  Nov 20 08:32:48 lima-fedora audit[1037]: AUDIT1112 pid=1037 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_session_t:s0-s0:c0.c1023 msg='op=login acct="(unknown)" exe="/usr/libexec/openssh/sshd-session" hostname=? addr=UNKNOWN terminal=ssh res=failed'

To writing availability via serial:

• Detecting listener on VSOCK:22 is not sufficient, because Fedora 43 is listening.
• It requires detecting configuration of audit? or another refusing mechanism on other distros. And it must be detected whether they are set to interrupt the connection.

So, I think, it is more reliable to actually try the connection with the SSH protocol, and the portability is also high.
And using ssh installed on the host to test the connection to VSOCK will increase the same uncertainty as the execution of requirements that cause CI failure.

[AkihiroSuda]

And using ssh installed on the host to test the connection to VSOCK will increase the same uncertainty as the execution of requirements that cause CI failure.

Why can crypto/ssh avoid that uncertainty?
Can we just fix that uncertainty by executing /usr/bin/ssh with some option?

[norio-nomura]

Because x/crpyto/ssh does not use inter-process communication.
I think stderr=\"\": read |0: bad file descriptor" that I'm trying to fix in #4333 is an error in pipe used for inter-process communication. I don't think it can be fixed with the option to pass to /usr/bin/ssh.
It might be fixed if the executing method of /usr/bin/ssh changes, but it seemed better to reduce external dependencies at the run time.
After trying #4333 and #4337 so far, I thought x/crypto/ssh would be reliable enough to execute requirements.

[AkihiroSuda]

It might be fixed if the executing method of /usr/bin/ssh changes, but it seemed better to reduce external dependencies at the run time.

limactl shell definitely depends on /usr/bin/ssh though

[norio-nomura]

limactl shell definitely depends on /usr/bin/ssh though

It can also be implemented in x/crypto/ssh. There's no reason for us to do that.
All SSH communication doesn't have to depend on either /usr/bin/ssh or x/crypto/ssh.

[AkihiroSuda]

Lima still has to generate ~/.lima/INST/ssh.config for interoperability with external programs, and has to verify that the generated config works, regardless to the limactl shell implementation uses it or not.

[norio-nomura]

• CodeQL: Exclude go/insecure-hostkeycallback

This has been dropped since GitHub Advanced Security does not affect that configuration.

Instead of them, added:

• pkg/sshutil: Use hostKeyCollector().checker() instead of ssh.InsecureIgnoreHostKey()
hostKeyCollector().checker():
  checker returns a HostKeyCallback that either checks and collects the host key,
  or only checks the host key, depending on whether any host keys have been collected.
  It is expected to pass host key checks by retrying after the first collection.
  On second invocation, it will only check the host key.

This implementation becomes much simpler than 3ae0d29 :

• Dropped: generating host key and passing it to the guest
• Dropped: generating, using, and updating ssh_known_hosts

[norio-nomura]

In this PR, it detects that SSH over VSOCK cannot be connected to the Fedora 43 VM as follows, and it will fall back via usernet.

INFO[0010] [hostagent] Failed to detect SSH server on vsock port, falling back to usernet forwarder error="failed to create ssh.Conn to "vsock:22": ssh: handshake failed: EOF"

[AkihiroSuda]

We may consider this PR for v2.1+, but for v2.0.2 let's merge the PR below to avoid overengineering:

• templates: fedora-43: disable ssh.overVsock as a workaround for SELinux issue #4384