Add "ssh connect" command (#3471)

## Changes
See the base PR for the context: 
- #3470

This PR adds `databricks ssh connect` subcommand and all related
utilities.

The main logic here is in `libs/ssh/client.go` and `libs/ssh/proxy.go`
files.

See `proxy_test.go` for an overview of how client and server interact
with each other through the proxy.

Overview of the `ssh client` logic:
- Generate local ssh keys if necessary
(`~/.databricks/ssh-tunnel-keys/<cluster-id>`)
- Save the public key in the secret scope
(`<username>-<cluster-id>-ssh-tunnel-keys`)
- Upload databricks releases (linux arm and amd) with the marching
version to the /Workspace
- Get /Workspace/metadata.json file with the server port info
- If the metadata is not there, execute `ssh-server-bootsrap.py` file as
a job (it runs `databricks server` command that's implemented in the
follow up PR)
- Get server metadata by sending a driver-proxy request to the known
port, it will return a user name
- Spawn `ssh client` with the right User and a ProxyCommand that
executed `ssh connect --proxy --metadata`
- New instance of the `connect` command can now start a proxy over
websocket connection backed by Driver Proxy API

Overview of the Proxy logic:
- The main interesting part is that the proxy does automatic re-connects
every 30 minutes (configurable) to avoid auth token expiration problems.
In all the tricky places (mostly related to concurrency and locks) there
are comments explaining the logic.

The final follow up PR:
- #3475


## Tests
Manual and unit

Author: ilia-db

.gitignore

@@ -36,3 +36,6 @@ tools/yamlfmt.exe
 
 # Cache for tools/gh_report.py
 .gh-logs
+
+# Release artifacts
+dist/

Makefile

@@ -91,6 +91,11 @@ build-vm: tidy
 snapshot:
 	go build -o .databricks/databricks
 
+# Produce release binaries and archives in the dist folder without uploading them anywhere.
+# Useful for "databricks ssh" development, as it needs to upload linux releases to the /Workspace.
+snapshot-release:
+	goreleaser release --clean --skip docker --snapshot
+
 schema:
 	go run ./bundle/internal/schema ./bundle/internal/schema ./bundle/schema/jsonschema.json
 

cmd/ssh/connect.go

@@ -0,0 +1,73 @@
+package ssh
+
+import (
+	"time"
+
+	"github.com/databricks/cli/cmd/root"
+	"github.com/databricks/cli/libs/cmdctx"
+	"github.com/databricks/cli/libs/ssh"
+	"github.com/spf13/cobra"
+)
+
+const (
+	defaultClientPublicKeyName = "client-public-key"
+	defaultShutdownDelay       = 10 * time.Minute
+	defaultHandoverTimeout     = 30 * time.Minute
+	defaultMaxClients          = 10
+)
+
+func newConnectCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "connect",
+		Short: "Connect to Databricks compute via SSH",
+		Long: `Connect to Databricks compute via SSH.
+
+This command establishes an SSH connection to Databricks compute, setting up
+the SSH server and handling the connection proxy.
+
+` + disclaimer,
+	}
+
+	var clusterID string
+	var proxyMode bool
+	var serverMetadata string
+	var shutdownDelay time.Duration
+	var maxClients int
+	var handoverTimeout time.Duration
+	var releasesDir string
+
+	cmd.Flags().StringVar(&clusterID, "cluster", "", "Databricks cluster ID (required)")
+	cmd.MarkFlagRequired("cluster")
+	cmd.Flags().DurationVar(&shutdownDelay, "shutdown-delay", defaultShutdownDelay, "Delay before shutting down the server after the last client disconnects")
+	cmd.Flags().IntVar(&maxClients, "max-clients", defaultMaxClients, "Maximum number of SSH clients")
+
+	cmd.Flags().BoolVar(&proxyMode, "proxy", false, "ProxyCommand mode")
+	cmd.Flags().MarkHidden("proxy")
+	cmd.Flags().StringVar(&serverMetadata, "metadata", "", "Metadata of the running SSH server (format: <user_name>,<port>)")
+	cmd.Flags().MarkHidden("metadata")
+	cmd.Flags().DurationVar(&handoverTimeout, "handover-timeout", defaultHandoverTimeout, "How often the CLI should reconnect to the server with new auth")
+	cmd.Flags().MarkHidden("handover-timeout")
+
+	cmd.Flags().StringVar(&releasesDir, "releases-dir", "", "Directory for local SSH tunnel development releases")
+	cmd.Flags().MarkHidden("releases-dir")
+
+	cmd.PreRunE = root.MustWorkspaceClient
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Context()
+		client := cmdctx.WorkspaceClient(ctx)
+		opts := ssh.ClientOptions{
+			ClusterID:           clusterID,
+			ProxyMode:           proxyMode,
+			ServerMetadata:      serverMetadata,
+			ShutdownDelay:       shutdownDelay,
+			MaxClients:          maxClients,
+			HandoverTimeout:     handoverTimeout,
+			ReleasesDir:         releasesDir,
+			AdditionalArgs:      args,
+			ClientPublicKeyName: defaultClientPublicKeyName,
+		}
+		return ssh.RunClient(ctx, client, opts)
+	}
+
+	return cmd
+}

cmd/ssh/ssh.go

@@ -28,6 +28,7 @@ Common workflows:
 	}
 
 	cmd.AddCommand(newSetupCommand())
+	cmd.AddCommand(newConnectCommand())
 
 	return cmd
 }

go.mod

@@ -28,6 +28,7 @@ require (
 	github.com/spf13/cobra v1.10.0 // Apache 2.0
 	github.com/spf13/pflag v1.0.9 // BSD-3-Clause
 	github.com/stretchr/testify v1.11.1 // MIT
+	golang.org/x/crypto v0.41.0 // BSD-3-Clause
 	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b
 	golang.org/x/mod v0.27.0
 	golang.org/x/oauth2 v0.30.0
@@ -75,7 +76,6 @@ require (
 	go.opentelemetry.io/otel v1.36.0 // indirect
 	go.opentelemetry.io/otel/metric v1.36.0 // indirect
 	go.opentelemetry.io/otel/trace v1.36.0 // indirect
-	golang.org/x/crypto v0.40.0 // indirect
 	golang.org/x/net v0.42.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
 	golang.org/x/tools v0.35.0 // indirect

go.sum

@@ -173,8 +173,8 @@ go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFw
 go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
 go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
 go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
-golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
-golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
+golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
+golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
 golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b h1:M2rDM6z3Fhozi9O7NWsxAkg/yqS/lQJ6PmkyIV3YP+o=
 golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8=
 golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=