Add SSH address for supplying external IP

Verify ssh host keys, when connecting to a remote server.
The first connection will prompt, if not in known_hosts.

Print IP instead of Port (when it is 22) for non-local SSH.
The field is still called LocalPort, even if is now remote.

Signed-off-by: Anders F Björklund <anders.f.bjorklund@gmail.com>

Author: afbjorklund

cmd/limactl/copy.go

@@ -257,7 +257,7 @@ func checkRsyncOnGuest(ctx context.Context, inst *limatype.Instance) bool {
 		logrus.Debugf("failed to create SSH executable: %v", err)
 		return false
 	}
-	sshOpts, err := sshutil.SSHOpts(ctx, sshExe, inst.Dir, *inst.Config.User.Name, false, false, false, false)
+	sshOpts, err := sshutil.SSHOpts(ctx, sshExe, inst.Dir, *inst.Config.User.Name, false, inst.SSHAddress, false, false, false)
 	if err != nil {
 		logrus.Debugf("failed to get SSH options for rsync check: %v", err)
 		return false
@@ -268,7 +268,7 @@ func checkRsyncOnGuest(ctx context.Context, inst *limatype.Instance) bool {
 	checkCmd.Args = append(checkCmd.Args, sshArgs...)
 	checkCmd.Args = append(checkCmd.Args,
 		"-p", fmt.Sprintf("%d", inst.SSHLocalPort),
-		fmt.Sprintf("%s@127.0.0.1", *inst.Config.User.Name),
+		fmt.Sprintf("%s@%s", *inst.Config.User.Name, inst.SSHAddress),
 		"command -v rsync >/dev/null 2>&1",
 	)
 
@@ -297,14 +297,18 @@ func scpCommand(ctx context.Context, command string, copyPaths []*copyPath, verb
 		return nil, err
 	}
 	legacySSH := sshutil.DetectOpenSSHVersion(ctx, sshExeForVersion).LessThan(*semver.New("8.0.0"))
+	localhostOnly := true
 
 	for _, cp := range copyPaths {
 		if cp.isRemote {
 			if legacySSH {
 				scpFlags = append(scpFlags, "-P", fmt.Sprintf("%d", cp.instance.SSHLocalPort))
-				scpArgs = append(scpArgs, fmt.Sprintf("%s@127.0.0.1:%s", *cp.instance.Config.User.Name, cp.path))
+				scpArgs = append(scpArgs, fmt.Sprintf("%s@%s:%s", *cp.instance.Config.User.Name, cp.instance.SSHAddress, cp.path))
 			} else {
-				scpArgs = append(scpArgs, fmt.Sprintf("scp://%s@127.0.0.1:%d/%s", *cp.instance.Config.User.Name, cp.instance.SSHLocalPort, cp.path))
+				scpArgs = append(scpArgs, fmt.Sprintf("scp://%s@%s:%d/%s", *cp.instance.Config.User.Name, cp.instance.SSHAddress, cp.instance.SSHLocalPort, cp.path))
+			}
+			if !sshutil.IsLocalhost(cp.instance.SSHAddress) {
+				localhostOnly = false
 			}
 			instances[cp.instanceName] = cp.instance
 		} else {
@@ -329,7 +333,7 @@ func scpCommand(ctx context.Context, command string, copyPaths []*copyPath, verb
 			if err != nil {
 				return nil, err
 			}
-			sshOpts, err = sshutil.SSHOpts(ctx, sshExe, inst.Dir, *inst.Config.User.Name, false, false, false, false)
+			sshOpts, err = sshutil.SSHOpts(ctx, sshExe, inst.Dir, *inst.Config.User.Name, false, inst.SSHAddress, false, false, false)
 			if err != nil {
 				return nil, err
 			}
@@ -340,7 +344,7 @@ func scpCommand(ctx context.Context, command string, copyPaths []*copyPath, verb
 		if err != nil {
 			return nil, err
 		}
-		sshOpts, err = sshutil.CommonOpts(ctx, sshExe, false)
+		sshOpts, err = sshutil.CommonOpts(ctx, sshExe, false, localhostOnly)
 		if err != nil {
 			return nil, err
 		}
@@ -377,7 +381,7 @@ func rsyncCommand(ctx context.Context, command string, copyPaths []*copyPath, ve
 				if err != nil {
 					return nil, err
 				}
-				sshOpts, err := sshutil.SSHOpts(ctx, sshExe, cp.instance.Dir, *cp.instance.Config.User.Name, false, false, false, false)
+				sshOpts, err := sshutil.SSHOpts(ctx, sshExe, cp.instance.Dir, *cp.instance.Config.User.Name, false, cp.instance.SSHAddress, false, false, false)
 				if err != nil {
 					return nil, err
 				}
@@ -394,7 +398,7 @@ func rsyncCommand(ctx context.Context, command string, copyPaths []*copyPath, ve
 
 	for _, cp := range copyPaths {
 		if cp.isRemote {
-			rsyncArgs = append(rsyncArgs, fmt.Sprintf("%s@127.0.0.1:%s", *cp.instance.Config.User.Name, cp.path))
+			rsyncArgs = append(rsyncArgs, fmt.Sprintf("%s@%s:%s", *cp.instance.Config.User.Name, cp.instance.SSHAddress, cp.path))
 		} else {
 			rsyncArgs = append(rsyncArgs, cp.path)
 		}

cmd/limactl/shell.go

@@ -230,6 +230,7 @@ func shellAction(cmd *cobra.Command, args []string) error {
 		inst.Dir,
 		*inst.Config.User.Name,
 		*inst.Config.SSH.LoadDotSSHPubKeys,
+		*inst.Config.SSH.Address,
 		*inst.Config.SSH.ForwardAgent,
 		*inst.Config.SSH.ForwardX11,
 		*inst.Config.SSH.ForwardX11Trusted)

cmd/limactl/show-ssh.go

@@ -103,13 +103,14 @@ func showSSHAction(cmd *cobra.Command, args []string) error {
 		inst.Dir,
 		*inst.Config.User.Name,
 		*inst.Config.SSH.LoadDotSSHPubKeys,
+		*inst.Config.SSH.Address,
 		*inst.Config.SSH.ForwardAgent,
 		*inst.Config.SSH.ForwardX11,
 		*inst.Config.SSH.ForwardX11Trusted)
 	if err != nil {
 		return err
 	}
-	opts = append(opts, "Hostname=127.0.0.1")
+	opts = append(opts, fmt.Sprintf("Hostname=%s", inst.SSHAddress))
 	opts = append(opts, fmt.Sprintf("Port=%d", inst.SSHLocalPort))
 	return sshutil.Format(w, "ssh", instName, format, opts)
 }

cmd/limactl/tunnel.go

@@ -95,6 +95,7 @@ func tunnelAction(cmd *cobra.Command, args []string) error {
 		inst.Dir,
 		*inst.Config.User.Name,
 		*inst.Config.SSH.LoadDotSSHPubKeys,
+		*inst.Config.SSH.Address,
 		*inst.Config.SSH.ForwardAgent,
 		*inst.Config.SSH.ForwardX11,
 		*inst.Config.SSH.ForwardX11Trusted)

pkg/cidata/cidata.go

@@ -38,7 +38,8 @@ import (
 )
 
 var netLookupIP = func(host string) []net.IP {
-	ips, err := net.LookupIP(host)
+	ctx := context.Background()
+	ips, err := net.DefaultResolver.LookupIP(ctx, "ip", host)
 	if err != nil {
 		logrus.Debugf("net.LookupIP %s: %s", host, err)
 		return nil

pkg/hostagent/events/events.go

@@ -16,7 +16,8 @@ type Status struct {
 
 	Errors []string `json:"errors,omitempty"`
 
-	SSHLocalPort int `json:"sshLocalPort,omitempty"`
+	SSHIPAddress string `json:"sshIPAddress,omitempty"`
+	SSHLocalPort int    `json:"sshLocalPort,omitempty"`
 
 	// Cloud-init progress information
 	CloudInitProgress *CloudInitProgress `json:"cloudInitProgress,omitempty"`

pkg/hostagent/hostagent.go

@@ -137,7 +137,7 @@ func New(ctx context.Context, instName string, stdout io.Writer, signalCh chan o
 	}
 
 	// inst.Config is loaded with FillDefault() already, so no need to care about nil pointers.
-	sshLocalPort, err := determineSSHLocalPort(*inst.Config.SSH.LocalPort, instName, limaVersion)
+	sshLocalPort, err := determineSSHLocalPort(*inst.Config.SSH.Address, *inst.Config.SSH.LocalPort, instName, limaVersion)
 	if err != nil {
 		return nil, err
 	}
@@ -189,6 +189,7 @@ func New(ctx context.Context, instName string, stdout io.Writer, signalCh chan o
 		inst.Dir,
 		*inst.Config.User.Name,
 		*inst.Config.SSH.LoadDotSSHPubKeys,
+		*inst.Config.SSH.Address,
 		*inst.Config.SSH.ForwardAgent,
 		*inst.Config.SSH.ForwardX11,
 		*inst.Config.SSH.ForwardX11Trusted)
@@ -244,7 +245,7 @@ func New(ctx context.Context, instName string, stdout io.Writer, signalCh chan o
 		instName:          instName,
 		instSSHAddress:    inst.SSHAddress,
 		sshConfig:         sshConfig,
-		portForwarder:     newPortForwarder(sshConfig, sshLocalPort, rules, ignoreTCP, inst.VMType),
+		portForwarder:     newPortForwarder(sshConfig, inst.SSHAddress, sshLocalPort, rules, ignoreTCP, inst.VMType),
 		grpcPortForwarder: portfwd.NewPortForwarder(rules, ignoreTCP, ignoreUDP),
 		driver:            limaDriver,
 		signalCh:          signalCh,
@@ -290,13 +291,16 @@ func writeSSHConfigFile(sshPath, instName, instDir, instSSHAddress string, sshLo
 	return os.WriteFile(fileName, b.Bytes(), 0o600)
 }
 
-func determineSSHLocalPort(confLocalPort int, instName, limaVersion string) (int, error) {
+func determineSSHLocalPort(confSSHAddress string, confLocalPort int, instName, limaVersion string) (int, error) {
 	if confLocalPort > 0 {
 		return confLocalPort, nil
 	}
 	if confLocalPort < 0 {
 		return 0, fmt.Errorf("invalid ssh local port %d", confLocalPort)
 	}
+	if confLocalPort == 0 && confSSHAddress != "127.0.0.1" {
+		return 22, nil
+	}
 	if versionutil.LessThan(limaVersion, "2.0.0") && instName == "default" {
 		// use hard-coded value for "default" instance, for backward compatibility
 		return 60022, nil
@@ -445,8 +449,22 @@ func (a *HostAgent) Run(ctx context.Context) error {
 	return a.startRoutinesAndWait(ctx, errCh)
 }
 
+func getIP(address string) string {
+	ip := net.ParseIP(address)
+	if ip != nil {
+		return address
+	}
+	ctx := context.Background()
+	ips, err := net.DefaultResolver.LookupIP(ctx, "ip", address)
+	if err == nil && len(ips) > 0 {
+		return ips[0].String()
+	}
+	return address
+}
+
 func (a *HostAgent) startRoutinesAndWait(ctx context.Context, errCh <-chan error) error {
 	stBase := events.Status{
+		SSHIPAddress: getIP(a.instSSHAddress),
 		SSHLocalPort: a.sshLocalPort,
 	}
 	stBooting := stBase
@@ -639,7 +657,7 @@ func (a *HostAgent) watchGuestAgentEvents(ctx context.Context) {
 		for _, rule := range a.instConfig.PortForwards {
 			if rule.GuestSocket != "" {
 				local := hostAddress(rule, &guestagentapi.IPPort{})
-				_ = forwardSSH(ctx, a.sshConfig, a.sshLocalPort, local, rule.GuestSocket, verbForward, rule.Reverse)
+				_ = forwardSSH(ctx, a.sshConfig, a.instSSHAddress, a.sshLocalPort, local, rule.GuestSocket, verbForward, rule.Reverse)
 			}
 		}
 	}
@@ -654,13 +672,13 @@ func (a *HostAgent) watchGuestAgentEvents(ctx context.Context) {
 			if rule.GuestSocket != "" {
 				local := hostAddress(rule, &guestagentapi.IPPort{})
 				// using ctx.Background() because ctx has already been cancelled
-				if err := forwardSSH(context.Background(), a.sshConfig, a.sshLocalPort, local, rule.GuestSocket, verbCancel, rule.Reverse); err != nil {
+				if err := forwardSSH(context.Background(), a.sshConfig, a.instSSHAddress, a.sshLocalPort, local, rule.GuestSocket, verbCancel, rule.Reverse); err != nil {
 					errs = append(errs, err)
 				}
 			}
 		}
 		if a.driver.ForwardGuestAgent() {
-			if err := forwardSSH(context.Background(), a.sshConfig, a.sshLocalPort, localUnix, remoteUnix, verbCancel, false); err != nil {
+			if err := forwardSSH(context.Background(), a.sshConfig, a.instSSHAddress, a.sshLocalPort, localUnix, remoteUnix, verbCancel, false); err != nil {
 				errs = append(errs, err)
 			}
 		}
@@ -671,7 +689,7 @@ func (a *HostAgent) watchGuestAgentEvents(ctx context.Context) {
 		if a.instConfig.MountInotify != nil && *a.instConfig.MountInotify {
 			if a.client == nil || !isGuestAgentSocketAccessible(ctx, a.client) {
 				if a.driver.ForwardGuestAgent() {
-					_ = forwardSSH(ctx, a.sshConfig, a.sshLocalPort, localUnix, remoteUnix, verbForward, false)
+					_ = forwardSSH(ctx, a.sshConfig, a.instSSHAddress, a.sshLocalPort, localUnix, remoteUnix, verbForward, false)
 				}
 			}
 			err := a.startInotify(ctx)
@@ -687,7 +705,7 @@ func (a *HostAgent) watchGuestAgentEvents(ctx context.Context) {
 	for {
 		if a.client == nil || !isGuestAgentSocketAccessible(ctx, a.client) {
 			if a.driver.ForwardGuestAgent() {
-				_ = forwardSSH(ctx, a.sshConfig, a.sshLocalPort, localUnix, remoteUnix, verbForward, false)
+				_ = forwardSSH(ctx, a.sshConfig, a.instSSHAddress, a.sshLocalPort, localUnix, remoteUnix, verbForward, false)
 			}
 		}
 		client, err := a.getOrCreateClient(ctx)
@@ -721,7 +739,7 @@ func (a *HostAgent) addStaticPortForwardsFromList(ctx context.Context, staticPor
 			local, remote := a.portForwarder.forwardingAddresses(guest)
 			if local != "" {
 				logrus.Infof("Setting up static TCP forwarding from %s to %s", remote, local)
-				if err := forwardTCP(ctx, a.sshConfig, a.sshLocalPort, local, remote, verbForward); err != nil {
+				if err := forwardTCP(ctx, a.sshConfig, a.instSSHAddress, a.sshLocalPort, local, remote, verbForward); err != nil {
 					logrus.WithError(err).Warnf("failed to set up static TCP forwarding %s -> %s", remote, local)
 				}
 			}
@@ -831,11 +849,11 @@ const (
 	verbCancel  = "cancel"
 )
 
-func executeSSH(ctx context.Context, sshConfig *ssh.SSHConfig, port int, command ...string) error {
+func executeSSH(ctx context.Context, sshConfig *ssh.SSHConfig, addr string, port int, command ...string) error {
 	args := sshConfig.Args()
 	args = append(args,
 		"-p", strconv.Itoa(port),
-		"127.0.0.1",
+		addr,
 		"--",
 	)
 	args = append(args, command...)
@@ -846,7 +864,7 @@ func executeSSH(ctx context.Context, sshConfig *ssh.SSHConfig, port int, command
 	return nil
 }
 
-func forwardSSH(ctx context.Context, sshConfig *ssh.SSHConfig, port int, local, remote, verb string, reverse bool) error {
+func forwardSSH(ctx context.Context, sshConfig *ssh.SSHConfig, addr string, port int, local, remote, verb string, reverse bool) error {
 	args := sshConfig.Args()
 	args = append(args,
 		"-T",
@@ -865,15 +883,15 @@ func forwardSSH(ctx context.Context, sshConfig *ssh.SSHConfig, port int, local,
 		"-N",
 		"-f",
 		"-p", strconv.Itoa(port),
-		"127.0.0.1",
+		addr,
 		"--",
 	)
 	if strings.HasPrefix(local, "/") {
 		switch verb {
 		case verbForward:
 			if reverse {
 				logrus.Infof("Forwarding %q (host) to %q (guest)", local, remote)
-				if err := executeSSH(ctx, sshConfig, port, "rm", "-f", remote); err != nil {
+				if err := executeSSH(ctx, sshConfig, addr, port, "rm", "-f", remote); err != nil {
 					logrus.WithError(err).Warnf("Failed to clean up %q (guest) before setting up forwarding", remote)
 				}
 			} else {
@@ -888,7 +906,7 @@ func forwardSSH(ctx context.Context, sshConfig *ssh.SSHConfig, port int, local,
 		case verbCancel:
 			if reverse {
 				logrus.Infof("Stopping forwarding %q (host) to %q (guest)", local, remote)
-				if err := executeSSH(ctx, sshConfig, port, "rm", "-f", remote); err != nil {
+				if err := executeSSH(ctx, sshConfig, addr, port, "rm", "-f", remote); err != nil {
 					logrus.WithError(err).Warnf("Failed to clean up %q (guest) after stopping forwarding", remote)
 				}
 			} else {
@@ -909,7 +927,7 @@ func forwardSSH(ctx context.Context, sshConfig *ssh.SSHConfig, port int, local,
 		if verb == verbForward && strings.HasPrefix(local, "/") {
 			if reverse {
 				logrus.WithError(err).Warnf("Failed to set up forward from %q (host) to %q (guest)", local, remote)
-				if err := executeSSH(ctx, sshConfig, port, "rm", "-f", remote); err != nil {
+				if err := executeSSH(ctx, sshConfig, addr, port, "rm", "-f", remote); err != nil {
 					logrus.WithError(err).Warnf("Failed to clean up %q (guest) after forwarding failed", remote)
 				}
 			} else {

pkg/hostagent/mount.go

@@ -65,7 +65,7 @@ func (a *HostAgent) setupMount(ctx context.Context, m limatype.Mount) (*mount, e
 		Driver:              *m.SSHFS.SFTPDriver,
 		SSHConfig:           a.sshConfig,
 		LocalPath:           resolvedLocation,
-		Host:                "127.0.0.1",
+		Host:                a.instSSHAddress,
 		Port:                a.sshLocalPort,
 		RemotePath:          *m.MountPoint,
 		Readonly:            !(*m.Writable),

pkg/hostagent/port.go

@@ -17,6 +17,7 @@ import (
 
 type portForwarder struct {
 	sshConfig   *ssh.SSHConfig
+	sshHostAddr string
 	sshHostPort int
 	rules       []limatype.PortForward
 	ignore      bool
@@ -27,9 +28,10 @@ const sshGuestPort = 22
 
 var IPv4loopback1 = limayaml.IPv4loopback1
 
-func newPortForwarder(sshConfig *ssh.SSHConfig, sshHostPort int, rules []limatype.PortForward, ignore bool, vmType limatype.VMType) *portForwarder {
+func newPortForwarder(sshConfig *ssh.SSHConfig, sshHostAddr string, sshHostPort int, rules []limatype.PortForward, ignore bool, vmType limatype.VMType) *portForwarder {
 	return &portForwarder{
 		sshConfig:   sshConfig,
+		sshHostAddr: sshHostAddr,
 		sshHostPort: sshHostPort,
 		rules:       rules,
 		ignore:      ignore,
@@ -96,7 +98,7 @@ func (pf *portForwarder) OnEvent(ctx context.Context, ev *api.Event) {
 			continue
 		}
 		logrus.Infof("Stopping forwarding TCP from %s to %s", remote, local)
-		if err := forwardTCP(ctx, pf.sshConfig, pf.sshHostPort, local, remote, verbCancel); err != nil {
+		if err := forwardTCP(ctx, pf.sshConfig, pf.sshHostAddr, pf.sshHostPort, local, remote, verbCancel); err != nil {
 			logrus.WithError(err).Warnf("failed to stop forwarding tcp port %d", f.Port)
 		}
 	}
@@ -112,7 +114,7 @@ func (pf *portForwarder) OnEvent(ctx context.Context, ev *api.Event) {
 			continue
 		}
 		logrus.Infof("Forwarding TCP from %s to %s", remote, local)
-		if err := forwardTCP(ctx, pf.sshConfig, pf.sshHostPort, local, remote, verbForward); err != nil {
+		if err := forwardTCP(ctx, pf.sshConfig, pf.sshHostAddr, pf.sshHostPort, local, remote, verbForward); err != nil {
 			logrus.WithError(err).Warnf("failed to set up forwarding tcp port %d (negligible if already forwarded)", f.Port)
 		}
 	}

pkg/hostagent/port_darwin.go

@@ -20,9 +20,9 @@ import (
 )
 
 // forwardTCP is not thread-safe.
-func forwardTCP(ctx context.Context, sshConfig *ssh.SSHConfig, port int, local, remote, verb string) error {
+func forwardTCP(ctx context.Context, sshConfig *ssh.SSHConfig, addr string, port int, local, remote, verb string) error {
 	if strings.HasPrefix(local, "/") {
-		return forwardSSH(ctx, sshConfig, port, local, remote, verb, false)
+		return forwardSSH(ctx, sshConfig, addr, port, local, remote, verb, false)
 	}
 	localIPStr, localPortStr, err := net.SplitHostPort(local)
 	if err != nil {
@@ -35,7 +35,7 @@ func forwardTCP(ctx context.Context, sshConfig *ssh.SSHConfig, port int, local,
 	}
 
 	if !localIP.Equal(IPv4loopback1) || localPort >= 1024 {
-		return forwardSSH(ctx, sshConfig, port, local, remote, verb, false)
+		return forwardSSH(ctx, sshConfig, addr, port, local, remote, verb, false)
 	}
 
 	// on macOS, listening on 127.0.0.1:80 requires root while 0.0.0.0:80 does not require root.
@@ -50,7 +50,7 @@ func forwardTCP(ctx context.Context, sshConfig *ssh.SSHConfig, port int, local,
 			localUnix := plf.unixAddr.Name
 			_ = plf.Close()
 			delete(pseudoLoopbackForwarders, local)
-			if err := forwardSSH(ctx, sshConfig, port, localUnix, remote, verb, false); err != nil {
+			if err := forwardSSH(ctx, sshConfig, addr, port, localUnix, remote, verb, false); err != nil {
 				return err
 			}
 		} else {
@@ -65,12 +65,12 @@ func forwardTCP(ctx context.Context, sshConfig *ssh.SSHConfig, port int, local,
 	}
 	localUnix := filepath.Join(localUnixDir, "sock")
 	logrus.Debugf("forwarding %q to %q", localUnix, remote)
-	if err := forwardSSH(ctx, sshConfig, port, localUnix, remote, verb, false); err != nil {
+	if err := forwardSSH(ctx, sshConfig, addr, port, localUnix, remote, verb, false); err != nil {
 		return err
 	}
 	plf, err := newPseudoLoopbackForwarder(localPort, localUnix)
 	if err != nil {
-		if cancelErr := forwardSSH(ctx, sshConfig, port, localUnix, remote, verbCancel, false); cancelErr != nil {
+		if cancelErr := forwardSSH(ctx, sshConfig, addr, port, localUnix, remote, verbCancel, false); cancelErr != nil {
 			logrus.WithError(cancelErr).Warnf("failed to cancel forwarding %q to %q", localUnix, remote)
 		}
 		return err