openssh: update SSH config when DEVBOX_GATEWAY is set (#378)

Update `~/.config/devbox/ssh/config` to include the value of
`DEVBOX_GATEWAY` when it's set. This makes debugging easier by clearing
out previous host keys and disabling strict host key checking. It also
creates an alias of `gateway.devbox-debug` so that:

	ssh gateway.devbox-debug

will always connect to whatever is in `DEVBOX_GATEWAY`.

Author: gcurtis

internal/cloud/cloud.go

@@ -23,10 +23,27 @@ import (
 )
 
 func Shell(configDir string) error {
-	if err := openssh.SetupDevbox(); err != nil {
+	username, vmHostname := parseVMEnvVar()
+	if username == "" {
+		username = promptUsername()
+	}
+	debug.Log("username: %s", username)
+	sshClient := openssh.Client{
+		Username: username,
+		Addr:     "gateway.devbox.sh",
+	}
+	// When developing we can use this env variable to point
+	// to a different gateway
+	var err error
+	if envGateway := os.Getenv("DEVBOX_GATEWAY"); envGateway != "" {
+		sshClient.Addr = envGateway
+		err = openssh.SetupInsecureDebug(envGateway)
+	} else {
+		err = openssh.SetupDevbox()
+	}
+	if err != nil {
 		return err
 	}
-
 	if err := sshshim.Setup(); err != nil {
 		return err
 	}
@@ -36,21 +53,15 @@ func Shell(configDir string) error {
 	fmt.Println("Blazingly fast remote development that feels local")
 	fmt.Print("\n")
 
-	username, vmHostname := parseVMEnvVar()
-	if username == "" {
-		username = promptUsername()
-	}
-	debug.Log("username: %s", username)
-
 	if vmHostname == "" {
 		s1 := stepper.Start("Creating a virtual machine on the cloud...")
-		vmHostname = getVirtualMachine(username)
+		vmHostname = getVirtualMachine(sshClient)
 		s1.Success("Created virtual machine")
 	}
 	debug.Log("vm_hostname: %s", vmHostname)
 
 	s2 := stepper.Start("Starting file syncing...")
-	err := syncFiles(username, vmHostname, configDir)
+	err = syncFiles(username, vmHostname, configDir)
 	if err != nil {
 		s2.Fail("Starting file syncing [FAILED]")
 		log.Fatal(err)
@@ -93,17 +104,7 @@ func (vm vm) redact() *vm {
 	return &vm
 }
 
-func getVirtualMachine(username string) string {
-	client := openssh.Client{
-		Username: username,
-		Hostname: "gateway.devbox.sh",
-	}
-
-	// When developing we can use this env variable to point
-	// to a different gateway
-	if envGateway := os.Getenv("DEVBOX_GATEWAY"); envGateway != "" {
-		client.Hostname = envGateway
-	}
+func getVirtualMachine(client openssh.Client) string {
 	sshOut, err := client.Exec("auth")
 	if err != nil {
 		log.Fatalln("error requesting VM:", err)
@@ -165,7 +166,7 @@ func syncFiles(username, hostname, configDir string) error {
 func shell(username, hostname, configDir string) error {
 	client := &openssh.Client{
 		Username:       username,
-		Hostname:       hostname,
+		Addr:           hostname,
 		ProjectDirName: projectDirName(configDir),
 	}
 	return client.Shell()

internal/cloud/openssh/client.go

@@ -16,7 +16,7 @@ import (
 
 type Client struct {
 	Username       string
-	Hostname       string
+	Addr           string
 	ProjectDirName string
 }
 
@@ -50,7 +50,7 @@ func (c *Client) Exec(remoteCmd string) ([]byte, error) {
 }
 
 func (c *Client) cmd(sshArgs ...string) *exec.Cmd {
-	host, port := c.hostPort()
+	host, port := splitHostPort(c.Addr)
 	cmd := exec.Command("ssh", sshArgs...)
 	cmd.Args = append(cmd.Args, destination(c.Username, host))
 
@@ -62,10 +62,12 @@ func (c *Client) cmd(sshArgs ...string) *exec.Cmd {
 	return cmd
 }
 
-func (c *Client) hostPort() (host string, port int) {
-	host, portStr, err := net.SplitHostPort(c.Hostname)
+// splitHostPort is like net.SplitHostPort except it defaults to port 22 if the
+// port in the address is missing or invalid.
+func splitHostPort(addr string) (host string, port int) {
+	host, portStr, err := net.SplitHostPort(addr)
 	if err != nil {
-		return c.Hostname, 22
+		return addr, 22
 	}
 	port, err = net.LookupPort("tcp", portStr)
 	if err != nil {

internal/cloud/openssh/config.go

@@ -17,6 +17,13 @@ import (
 	"github.com/pkg/errors"
 )
 
+// These must match what's in sshConfigTmpl. We should eventually make the hosts
+// a template variable.
+const (
+	gatewayProdHost = "gateway.devbox.sh"
+	gatewayDevHost  = "gateway.dev.devbox.sh"
+)
+
 //go:embed sshconfig.tmpl
 var sshConfigText string
 var sshConfigTmpl = template.Must(template.New("sshconfig").Parse(sshConfigText))
@@ -28,11 +35,31 @@ var sshKnownHosts []byte
 // to Devbox Cloud hosts. It does nothing if Devbox Cloud is already
 // configured.
 func SetupDevbox() error {
+	return setupDevbox("", 0)
+}
+
+// SetupInsecureDebug is like SetupDevbox, but also configures an additional
+// gateway with host key checking disabled. If gatewayAddr is a
+// well-known *.devbox.sh gateway, then SetupInsecureDebug doesn't add any
+// extra hosts and acts identically to SetupDevbox.
+func SetupInsecureDebug(gatewayAddr string) error {
+	host, port := splitHostPort(gatewayAddr)
+	if host != gatewayProdHost && host != gatewayDevHost {
+		return setupDevbox(host, port)
+	}
+	return setupDevbox("", 0)
+}
+
+func setupDevbox(debugHost string, debugPort int) error {
 	devboxSSHDir, err := devboxSSHDir()
 	if err != nil {
 		return err
 	}
 
+	// Try to remove any old debug host keys. It's okay if this fails.
+	devboxKnownHostsDebug := filepath.Join(devboxSSHDir, "known_hosts_debug")
+	_ = os.Remove(devboxKnownHostsDebug)
+
 	devboxKnownHostsPath := filepath.Join(devboxSSHDir, "known_hosts")
 	devboxKnownHosts, err := editFile(devboxKnownHostsPath, 0644)
 	if err != nil {
@@ -53,13 +80,20 @@ func SetupDevbox() error {
 	}
 	defer devboxSSHConfig.Close()
 
-	err = errors.WithStack(sshConfigTmpl.Execute(devboxSSHConfig, struct {
+	tmplData := struct {
 		ConfigVersion string
 		ConfigDir     string
+		DebugGateway  struct {
+			Host string
+			Port int
+		}
 	}{
 		ConfigVersion: "0.0.1",
 		ConfigDir:     devboxSSHDir,
-	}))
+	}
+	tmplData.DebugGateway.Host = debugHost
+	tmplData.DebugGateway.Port = debugPort
+	err = errors.WithStack(sshConfigTmpl.Execute(devboxSSHConfig, tmplData))
 	if err != nil {
 		return errors.WithStack(err)
 	}
@@ -69,6 +103,16 @@ func SetupDevbox() error {
 	if err := updateUserSSHConfig(devboxIncludePath); err != nil {
 		return err
 	}
+
+	// Create the known_hosts_debug file with the correct permissions if a
+	// debug gateway is configured. It's okay if this fails because it's
+	// only used for debugging.
+	if debugHost != "" {
+		f, err := os.OpenFile(devboxKnownHostsDebug, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0644)
+		if err == nil {
+			f.Close()
+		}
+	}
 	return nil
 }
 

internal/cloud/openssh/config_test.go

@@ -1,6 +1,7 @@
 package openssh
 
 import (
+	"bytes"
 	_ "embed"
 	"io/fs"
 	"os"
@@ -145,6 +146,72 @@ func TestSetupDevbox(t *testing.T) {
 	})
 }
 
+//go:embed testdata/devbox-ssh-debug-config.golden
+var goldenDevboxSSHDebugConfig []byte
+
+func TestSetupInsecureDebug(t *testing.T) {
+	wantAddr := "127.0.0.1:2222"
+	want := fstest.MapFS{
+		".config":            &fstest.MapFile{Mode: fs.ModeDir | 0755},
+		".config/devbox":     &fstest.MapFile{Mode: fs.ModeDir | 0755},
+		".config/devbox/ssh": &fstest.MapFile{Mode: fs.ModeDir | 0700},
+		".config/devbox/ssh/config": &fstest.MapFile{
+			Data: goldenDevboxSSHDebugConfig,
+			Mode: 0644,
+		},
+		".config/devbox/ssh/known_hosts": &fstest.MapFile{
+			Data: sshKnownHosts,
+			Mode: 0644,
+		},
+		".config/devbox/ssh/known_hosts_debug": &fstest.MapFile{Mode: 0644},
+
+		".ssh": &fstest.MapFile{Mode: fs.ModeDir | 0700},
+		".ssh/config": &fstest.MapFile{
+			Data: []byte("Include \"$HOME/.config/devbox/ssh/config\"\n"),
+			Mode: 0644,
+		},
+	}
+
+	t.Run("NoConfigs", func(t *testing.T) {
+		in := fstest.MapFS{}
+		workdir := fsToDir(t, in)
+		t.Setenv("HOME", workdir)
+		if err := SetupInsecureDebug(wantAddr); err != nil {
+			t.Errorf("got SetupInsecureDebug(%q) error: %v", wantAddr, err)
+		}
+		got := os.DirFS(workdir)
+		fsEqual(t, got, want)
+	})
+	t.Run("ChangeHost", func(t *testing.T) {
+		input := fstest.MapFS{}
+		for k, v := range want {
+			input[k] = v
+		}
+
+		// Set the initial config to have a debug host = 127.0.0.2 so we
+		// can check that it gets changed back to 127.0.0.1.
+		input[".config/devbox/ssh/config"] = &fstest.MapFile{
+			Data: bytes.ReplaceAll(goldenDevboxSSHDebugConfig, []byte("127.0.0.1"), []byte("127.0.0.2")),
+			Mode: 0644,
+		}
+
+		// Put something in known_hosts_debug so we can check that it
+		// gets cleared out.
+		input[".config/devbox/ssh/known_hosts_debug"] = &fstest.MapFile{
+			Data: []byte("[127.0.0.1]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAPY1ms2jt+QPvhq89J8KF7rfTCFUi6X6Ik4O9EIAT/c\n"),
+			Mode: 0644,
+		}
+
+		workdir := fsToDir(t, input)
+		t.Setenv("HOME", workdir)
+		if err := SetupInsecureDebug(wantAddr); err != nil {
+			t.Errorf("got SetupInsecureDebug(%q) error: %v", wantAddr, err)
+		}
+		got := os.DirFS(workdir)
+		fsEqual(t, got, want)
+	})
+}
+
 //go:embed testdata/test.vm.devbox-vms.internal.golden
 var goldenVMKey []byte
 

internal/cloud/openssh/sshconfig.tmpl

@@ -19,3 +19,13 @@ Host *.devbox-vms.internal
 	UserKnownHostsFile "{{ .ConfigDir }}/known_hosts"
 	ServerAliveInterval 50
 	ServerAliveCountMax 3
+
+{{- if .DebugGateway.Host }}
+
+Host gateway.devbox-debug {{ .DebugGateway.Host }}
+	Hostname {{ .DebugGateway.Host }}
+	Port {{ .DebugGateway.Port }}
+	StrictHostKeyChecking no
+	UserKnownHostsFile "{{ .ConfigDir }}/known_hosts_debug"
+
+{{- end }}

internal/cloud/openssh/testdata/devbox-ssh-debug-config.golden

@@ -0,0 +1,27 @@
+# Autogenerated by devbox. Do not modify manually.
+# ConfigVersion: 0.0.1
+
+Host proxy.devbox.sh
+	StrictHostKeyChecking no
+	UserKnownHostsFile "$HOME/.config/devbox/ssh/known_hosts"
+
+Host gateway.devbox.sh gateway.dev.devbox.sh
+	HostKeyAlgorithms ssh-ed25519
+	StrictHostKeyChecking yes
+	UserKnownHostsFile "$HOME/.config/devbox/ssh/known_hosts"
+
+Host *.devbox-vms.internal
+	Port 2222
+	ProxyJump [email protected]
+	IdentityFile "$HOME/.config/devbox/ssh/keys/%h"
+	PreferredAuthentications publickey
+	StrictHostKeyChecking no
+	UserKnownHostsFile "$HOME/.config/devbox/ssh/known_hosts"
+	ServerAliveInterval 50
+	ServerAliveCountMax 3
+
+Host gateway.devbox-debug 127.0.0.1
+	Hostname 127.0.0.1
+	Port 2222
+	StrictHostKeyChecking no
+	UserKnownHostsFile "$HOME/.config/devbox/ssh/known_hosts_debug"