fix(cli): use local ssh client for vm access #2442

Draft
LopatinDmitr wants to merge 1 commit into main from fix/cli/remove-native-ssh-client
@LopatinDmitr
Contributor

Description

Remove the embedded native SSH/SCP implementation from the virtualization CLI.

d8 v ssh and d8 v scp now always use the local OpenSSH/SCP clients through d8 v port-forward --stdio=true as ProxyCommand.

This change also:

  • adds --ssh-opts for passing additional options to the local SSH/SCP client;
  • keeps --local-ssh as a deprecated no-op compatibility flag;
  • keeps --local-ssh-opts as a deprecated alias for extra SSH/SCP client options;
  • passes --identity-file/-i directly to OpenSSH/SCP as -i;
  • maps --known-hosts to OpenSSH UserKnownHostsFile;
  • updates CLI docs, user guides, and e2e helpers.

Why do we need it, and what problem does it solve?

The native SSH implementation does not fully match OpenSSH behavior.

One observed issue is authentication with an explicit identity file when SSH_AUTH_SOCK is set. The native client tries ssh-agent first. If the agent key is rejected, golang.org/x/crypto/ssh marks the publickey method as already tried and the explicitly provided --identity-file key is skipped. As a result, d8 v ssh -i <key> may fall back to password authentication or fail completely, while d8 v ssh --local-ssh -i <key> works.

Using local OpenSSH/SCP as the only implementation makes authentication behavior consistent with users' expectations and supports local OpenSSH configuration, agent behavior, certificates, and client options.

What is the expected result?

  1. Run d8 v ssh user@vm -i /path/to/key while SSH_AUTH_SOCK is set and contains unrelated keys.
  2. Verify that the command authenticates using the explicitly provided key through local OpenSSH.
  3. Run d8 v scp -i /path/to/key ./file user@vm:/tmp/file and verify that SCP uses the same local-client path.
  4. Run commands with deprecated --local-ssh or --local-ssh-opts and verify that they still work and print deprecation warnings.
  5. Run d8 v ssh user@vm --known-hosts /path/to/known_hosts and verify that OpenSSH uses it as UserKnownHostsFile.

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: core
type: fix
summary: Use local OpenSSH and SCP clients for virtual machine SSH and SCP access.
impact_level: low

@LopatinDmitr LopatinDmitr added this to the v1.9.0 milestone Jun 3, 2026
@LopatinDmitr LopatinDmitr marked this pull request as draft June 3, 2026 13:59
Use the local OpenSSH/SCP clients for VM access by default and remove the embedded native SSH/SCP implementation.

Keep --local-ssh and --local-ssh-opts as deprecated compatibility flags, add --ssh-opts for extra client options, and map --known-hosts to OpenSSH UserKnownHostsFile.

Signed-off-by: Dmitry Lopatin <dmitry.lopatin@flant.com>
@LopatinDmitr LopatinDmitr force-pushed the fix/cli/remove-native-ssh-client branch from ab8e42b to 5969f19 Compare June 3, 2026 14:11
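
Added example, not code from this pull request or from golang.org/x/crypto/ssh: a simplified Go model of the behaviour the description attributes to the native client, where a rejected agent key marks publickey as tried and the --identity-file key is never offered. The entry type, the credential labels and the merged single-entry arrangement shown for contrast are assumptions made for illustration.

```go
package main

import "fmt"

// entry is a simplified stand-in for one configured client auth method.
type entry struct {
	method string   // SSH method name, e.g. "publickey" or "password"
	creds  []string // constructed credential labels offered by this entry
}

// negotiate models the behaviour described in the PR: a method name is marked
// as tried once, so a later entry with the same name is never attempted.
// It returns the credentials offered, in order, and whether one was accepted.
func negotiate(entries []entry, accepted string) ([]string, bool) {
	tried := map[string]bool{}
	var offered []string
	for _, e := range entries {
		if tried[e.method] {
			continue // same method name already used: this entry is skipped
		}
		tried[e.method] = true
		for _, c := range e.creds {
			offered = append(offered, c)
			if c == accepted {
				return offered, true
			}
		}
	}
	return offered, false
}

// Constructed sample data: two unrelated agent keys and one explicit key file.
var agentKeys = []string{"agent-key-1", "agent-key-2"}

// separateEntries: agent and identity file registered as two publickey entries.
func separateEntries() []entry {
	return []entry{{"publickey", agentKeys}, {"publickey", []string{"identity-file"}},
		{"password", []string{"password-prompt"}}}
}

// mergedEntry: one publickey entry offering the explicit key before agent keys.
func mergedEntry() []entry {
	keys := append([]string{"identity-file"}, agentKeys...)
	return []entry{{"publickey", keys}, {"password", []string{"password-prompt"}}}
}

func main() {
	fmt.Println(negotiate(separateEntries(), "identity-file"))
	fmt.Println(negotiate(mergedEntry(), "identity-file"))
}
```

In the first scenario the server only ever sees the agent keys and then a password attempt, which matches the fallback the description reports for d8 v ssh -i <key>.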