[ssh-gateway] fix missing output when running simple command

[iQQBot]

Description

This PR fixes missing output in SSH gateway when running a simple command, and also upgrade golang crypto library

Summary generated by Copilot

🤖 Generated by Copilot at e9c1f91

Fixed security and compatibility issues in ws-proxy component. Refactored SSH proxy forwarding code to prevent crashes and handle errors better.

Related Issue(s)

Fixes EXP-246

How to test

1. start a workspace in preview environment
2. get ssh connection string via access token
3. run watch -n 0.1 ssh -T 'workspaceID#[email protected]' 'date +%s%N' test for 1minute
4. also run this command in gitpod.io workspace, and compare output.

Documentation

Preview status

Gitpod was successfully deployed to your preview environment.

• 🏷️ Name - pd-ssh-output
• 🔗 URL - pd-ssh-output.preview.gitpod-dev.com/workspaces.
• 📚 Documentation - See our internal documentation for information on how to interact with your preview environment.
• 📦 Version - pd-ssh-output-gha.14207

Build Options

Build

• /werft with-werft
  Run the build with werft instead of GHA
• leeway-no-cache
• /werft no-test
  Run Leeway with --dont-test

Publish

• /werft publish-to-npm
• /werft publish-to-jb-marketplace

Installer

• analytics=segment
• with-dedicated-emulation
• workspace-feature-flags
  Add desired feature flags to the end of the line above, space separated

Preview Environment

• /werft with-local-preview
  If enabled this will build install/preview
• /werft with-preview
• /werft with-large-vm
• /werft with-gce-vm
  If enabled this will create the environment on GCE infra
• with-integration-tests=ssh
  Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh
• with-monitoring

/hold

[akosyakov]

@iQQBot there is the actual fix? in the library?

[iQQBot]

@iQQBot there is the actual fix? in the library?

Move close to another place, it's because golang routine competition, we need send all date before we call close.

[iQQBot]

/hold

maybe we should wait all of stdout, stderr, request then call close

[akosyakov]

ok, I tried with VS Code Desktop and Local SSH over direct SSH, it does not help there, it now fails differently though, it seems it can tunnel, but then interrupts, before could not forward at all.

[09:55:56.820] Remote server is listening on 36127
[09:55:56.820] Parsed server configuration: {"serverConfiguration":{"remoteListeningOn":{"port":36127},"osReleaseId":"ubuntu","arch":"x86_64","webUiAccessToken":"","sshAuthSock":"","display":"","tmpDir":"/tmp","platform":"linux","connectionToken":"1a1aa111-a1aa-111a-1111-aa1a1a1a111a"},"extInstallTime":239,"installUnpackCode":""}
[09:55:56.821] Persisting server connection details to /Users/[user]/Library/Application Support/Code/User/globalStorage/ms-vscode-remote.remote-ssh/vscode-ssh-host-0fdc06be-660393deaaa6d1996740ff4880f1bad43768c814-0.102.0/data.json
[09:55:56.826] Starting forwarding server. localPort 64392 -> socksPort 64384 -> remotePort 36127
[09:55:56.827] Forwarding server listening on 64392
[09:55:56.827] Waiting for ssh tunnel to be ready
[09:55:56.828] [Forwarding server 64392] Got connection 0
[09:55:56.829] Tunneled 36127 to local port 64392
[09:55:56.829] Resolved "ssh-remote+7b22686f73744e616d65223a22616b6f7379616b6f762d70617263656c64656d6f2d373476766964317a3762702e7673732e70642d7373682d6f75747075742e707265766965772e676974706f642d6465762e636f6d222c2275736572223a22616b6f7379616b6f762d70617263656c64656d6f2d373476766964317a376270227d" to "127.0.0.1:64392"
[09:55:56.837] ------




[09:55:56.866] [Forwarding server 64392] Got connection 1
[09:55:56.961] > local-server-2> ssh child died, shutting down
[09:55:56.961] Failed to set up socket for dynamic port forward to remote port 36127: Socket closed. Is the remote port correct?
[09:55:56.962] Failed to set up socket for dynamic port forward to remote port 36127: Socket closed. Is the remote port correct?
[09:55:56.966] Local server exit: 0

[iQQBot]

ok, I tried with VS Code Desktop and Local SSH over direct SSH, it does not help there, it now fails differently though, it seems it can tunnel, but then interrupts, before could not forward at all.

Yeah, It's another problem, not related this PR

[akosyakov]

not related this PR

What interesting though that before it won't ever reach [Forwarding server 64392] Got connection 1 so this PR did fix initiation of the forwarding somehow.

[akosyakov]

@iQQBot Good to retest?

[akosyakov]

I wonder should not we wait for stderr/stdout in both directions? won't close on one end trigger close on another

[iQQBot]

In fact, they are closed together. It's just that due to the nature of go routines, it is possible that the last few bytes may not be guaranteed to be sent completely, so we need to wait for all of them to be sent before sending a close signal.

[akosyakov]

yeah, I meant there we can simplify with one wg, which waits for both directions, but like that is fine as well 👍

[akosyakov]

@iQQBot preview envs are down?

[iQQBot]

@iQQBot preview envs are down?

Rerun

[mustard-mh]

ok, I tried with VS Code Desktop and Local SSH over direct SSH, it does not help there, it now fails differently though, it seems it can tunnel, but then interrupts, before could not forward at all.

[09:55:56.820] Remote server is listening on 36127
[09:55:56.820] Parsed server configuration: {"serverConfiguration":{"remoteListeningOn":{"port":36127},"osReleaseId":"ubuntu","arch":"x86_64","webUiAccessToken":"","sshAuthSock":"","display":"","tmpDir":"/tmp","platform":"linux","connectionToken":"1a1aa111-a1aa-111a-1111-aa1a1a1a111a"},"extInstallTime":239,"installUnpackCode":""}
[09:55:56.821] Persisting server connection details to /Users/[user]/Library/Application Support/Code/User/globalStorage/ms-vscode-remote.remote-ssh/vscode-ssh-host-0fdc06be-660393deaaa6d1996740ff4880f1bad43768c814-0.102.0/data.json
[09:55:56.826] Starting forwarding server. localPort 64392 -> socksPort 64384 -> remotePort 36127
[09:55:56.827] Forwarding server listening on 64392
[09:55:56.827] Waiting for ssh tunnel to be ready
[09:55:56.828] [Forwarding server 64392] Got connection 0
[09:55:56.829] Tunneled 36127 to local port 64392
[09:55:56.829] Resolved "ssh-remote+7b22686f73744e616d65223a22616b6f7379616b6f762d70617263656c64656d6f2d373476766964317a3762702e7673732e70642d7373682d6f75747075742e707265766965772e676974706f642d6465762e636f6d222c2275736572223a22616b6f7379616b6f762d70617263656c64656d6f2d373476766964317a376270227d" to "127.0.0.1:64392"
[09:55:56.837] ------




[09:55:56.866] [Forwarding server 64392] Got connection 1
[09:55:56.961] > local-server-2> ssh child died, shutting down
[09:55:56.961] Failed to set up socket for dynamic port forward to remote port 36127: Socket closed. Is the remote port correct?
[09:55:56.962] Failed to set up socket for dynamic port forward to remote port 36127: Socket closed. Is the remote port correct?
[09:55:56.966] Local server exit: 0

@akosyakov Found bug in https://github.com/microsoft/dev-tunnels-ssh that it omit SSH_MSG_CHANNEL_EXTENDED_DATA and throw error, will create a fix PR later today.

Which should make local-ssh x gateway works

[akosyakov]

@akosyakov Found bug in https://github.com/microsoft/dev-tunnels-ssh that it omit SSH_MSG_CHANNEL_EXTENDED_DATA and throw error, will create a fix PR later today.

@mustard-mh I checked it is the same with the tunnel but it works. I wonder whether maybe it works with all changes together now. Although if we resolved localhost hanging then exploring direct SSH is not a priority.

[mustard-mh]

@mustard-mh I checked it is the same with the tunnel but it works. I wonder whether maybe it works with all changes together now. Although if we resolved localhost hanging then exploring direct SSH is not a priority.

@akosyakov It's because golang lib doesn't ignore SSH_MSG_UNIMPLEMENTED as rfc said https://github.com/gitpod-io/golang-crypto/blob/master/ssh/messages.go#L844

When we use local-ssh x gateway, dev-tunnel will send SSH_MSG_UNIMPLEMENTED since it doesn't resolve SSH_MSG_CHANNEL_EXTENDED_DATA.

So we can fix it in golang-crypto or dev-tunnel

[iQQBot]

/unhold