Agent SSH server should use a consistent key over workspace restarts #16490

Closed
spikecurtis opened this issue Feb 7, 2025 · 0 comments · Fixed by #16626
@spikecurtis
Contributor

Summary

We should enhance the agent to use the same SSH key each time the workspace is restarted, so that users of Coder VPN (#14859) can SSH into their workspaces with no extra config steps.

I think it is acceptable to just use a hardcoded SSH key, since the WireGuard protocol routes packets based on the tunnel crypto keys, so anti-spoofing of the workspace is handled at this lower layer.

Background

Today we handle end user SSH connections with the Coder CLI, either directly with the coder ssh command, or indirectly by instructing the SSH process to start coder as a proxy command. In both these circumstances, we are able to configure the SSH client to ignore the fact that our workspace SSH server uses a different key each time the workspace is restarted. This is very non-standard, and a default configured SSH client will reject reconnection to the same workspace after a restart.

e.g.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:JKCBMANKUlybkSCoLMr9xgXkxftOaQrggR4NA0LK6j0.
Please contact your system administrator.
Add correct host key in C:\\Users\\micha/.ssh/known_hosts to get rid of this message.
Offending RSA key in C:\\Users\\micha/.ssh/known_hosts:4
Host key for [syncthing-dg.coder]:1 has changed and you have requested strict checking.
Host key verification failed.

If we want Coder VPN users to connect over SSH without special config, we need to use a consistent key.

@spikecurtis spikecurtis added the networking Area: networking label Feb 7, 2025
ThomasK33 added a commit that referenced this issue Feb 21, 2025
Fixes: #16490

The Agent's SSH server now initially generates fixed host keys and, once it receives its manifest, generates and replaces that host key with the one derived from the workspace ID, ensuring consistency across agent restarts. This prevents SSH warnings and host key verification errors when connecting to workspaces through Coder Desktop.

While deterministic keys might seem insecure, the underlying WireGuard tunnel already provides encryption and anti-spoofing protection at the network layer, making this approach acceptable for our use case.

---
Change-Id: I8c7e3070324e5d558374fd6891eea9d48660e1e9
Signed-off-by: Thomas Kosiewski <tk@coder.com>
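
An added illustration of the approach the commit message above describes, not code from the coder repository: a host key derived deterministically from a workspace ID keeps the same fingerprint across restarts, so a default SSH client has nothing to warn about. The labelled SHA-256 seed, the Ed25519 key type and the workspace IDs are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

// deriveHostKey maps a workspace ID to an Ed25519 key pair. The seed is
// SHA-256 over a label plus the ID (an assumption of this example), so the
// same ID always yields the same key. Anyone who knows the ID can recompute
// it, which is why the page relies on the WireGuard tunnel for anti-spoofing.
func deriveHostKey(workspaceID string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte("example-ssh-host-key:" + workspaceID))
	return ed25519.NewKeyFromSeed(seed[:])
}

// sshString appends an RFC 4251 "string": uint32 length, then the bytes.
func sshString(buf, s []byte) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(s)))
	return append(append(buf, n[:]...), s...)
}

// fingerprint returns the "SHA256:..." form that OpenSSH prints in its
// host-key warning: unpadded base64 of SHA-256 over the public key blob.
func fingerprint(priv ed25519.PrivateKey) string {
	pub := priv.Public().(ed25519.PublicKey)
	blob := sshString(nil, []byte("ssh-ed25519"))
	blob = sshString(blob, pub)
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

func main() {
	// Constructed workspace IDs, for illustration only.
	const wsA = "11111111-1111-1111-1111-111111111111"
	const wsB = "22222222-2222-2222-2222-222222222222"
	fmt.Println("first start:    ", fingerprint(deriveHostKey(wsA)))
	fmt.Println("after restart:  ", fingerprint(deriveHostKey(wsA)))
	fmt.Println("other workspace:", fingerprint(deriveHostKey(wsB)))
}
```
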
aslilac pushed a commit that referenced this issue Feb 21, 2025
aslilac pushed a commit that referenced this issue Feb 27, 2025