[supervisor] always allow gitpod user ssh

Author: iQQBot

components/supervisor/pkg/supervisor/ssh.go

@@ -104,6 +104,7 @@ func (s *sshServer) handleConn(ctx context.Context, conn net.Conn) {
 	args = append(args,
 		"-ieD", "-f/dev/null",
 		"-oProtocol 2",
+		"-oAllowUsers root gitpod",
 		"-oPasswordAuthentication no",
 		"-oChallengeResponseAuthentication no",
 		"-oPermitRootLogin yes",
@@ -158,6 +159,7 @@ func (s *sshServer) handleConn(ctx context.Context, conn net.Conn) {
 
 	log.WithField("args", args).Debug("sshd flags")
 	cmd := exec.CommandContext(ctx, openssh, args...)
+	cmd = runAsGitpodUser(cmd)
 	cmd.Env = s.envvars
 	cmd.ExtraFiles = []*os.File{socketFD}
 	cmd.Stderr = os.Stderr
@@ -252,30 +254,6 @@ func ensureSSHDir(cfg *Config) error {
 	return nil
 }
 
-func ensurePrivsepDir() error {
-	// Privilege separation, or privsep, is method in OpenSSH by which
-	// operations that require root privilege are performed by a separate
-	// privileged monitor process.
-	// see detail: https://github.com/openssh/openssh-portable/blob/master/README.privsep
-	privsepPath := "/var/empty"
-	err := os.MkdirAll(privsepPath, 0o755)
-	if err != nil {
-		return xerrors.Errorf("cannot create privsep path: %w", err)
-	}
-	return nil
-}
-
-func ensureSSHCAFile(cfg *Config, caPath string) error {
-	if cfg.SSHGatewayCAPublicKey == "" {
-		return nil
-	}
-	err := os.WriteFile(caPath, []byte(cfg.SSHGatewayCAPublicKey), 0o644)
-	if err != nil {
-		return xerrors.Errorf("cannot write ssh ca pem: %w", err)
-	}
-	return nil
-}
-
 func configureSSHDefaultDir(cfg *Config) {
 	if cfg.RepoRoot == "" {
 		log.Error("cannot configure ssh default dir with empty repo root")