Agent SSH server should use a consistent key over workspace restarts · Issue #16490 · coder/coder · GitHub

Description

@spikecurtis

Summary

We should enhance the agent to use the same SSH key each time the workspace is restarted, so that users of Coder VPN (#14859) can SSH into their workspaces with no extra config steps.

I think it is acceptable to just use a hardcoded SSH key, since the Wireguard protocol routes packets based on the tunnel crypto keys, so anti-spoofing of the workspace is handled at this lower layer.

Background

Today we handle end user SSH connections with the Coder CLI, either directly with the coder ssh command, or indirectly by instructing the SSH process to start coder as a proxy command. In both these circumstances, we are able to configure the SSH client to ignore the fact that our workspace SSH server uses a different key each time the workspace is restarted. This is very non-standard, and a default configured SSH client will reject reconnection to the same workspace after a restart.

e.g.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:JKCBMANKUlybkSCoLMr9xgXkxftOaQrggR4NA0LK6j0.
Please contact your system administrator.
Add correct host key in C:\\Users\\micha/.ssh/known_hosts to get rid of this message.
Offending RSA key in C:\\Users\\micha/.ssh/known_hosts:4
Host key for [syncthing-dg.coder]:1 has changed and you have requested strict checking.
Host key verification failed.

If we want Coder VPN users to connect over SSH without special config, we need to use a consistent key.
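The issue asks for a host key that survives restarts. The following is an added example, not code from the Coder agent, showing one way to get that property with the Go standard library: generate an ed25519 host key once, persist it as PKCS#8 PEM with mode 0600, and reload it on every start. It also reproduces the fingerprint format OpenSSH prints in the warning above (`SHA256:` plus unpadded base64 of the SHA-256 over the SSH wire-format public key) and the known_hosts line a client would pin. The key path and the host name `syncthing-dg.coder` are constructed for the example, not agent settings.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/binary"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// LoadOrCreateHostKey returns the host key stored at path, generating an
// ed25519 key on first use and persisting it as PKCS#8 PEM (mode 0600)
// so that later restarts present the same key to SSH clients.
// The path is an assumption for this example, not a Coder agent setting.
func LoadOrCreateHostKey(path string) (ed25519.PrivateKey, error) {
	pemBytes, err := os.ReadFile(path)
	if err == nil {
		block, _ := pem.Decode(pemBytes)
		if block == nil || block.Type != "PRIVATE KEY" {
			return nil, fmt.Errorf("%s: not a PEM private key", path)
		}
		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", path, err)
		}
		priv, ok := key.(ed25519.PrivateKey)
		if !ok {
			return nil, fmt.Errorf("%s: not an ed25519 key", path)
		}
		return priv, nil
	}
	if !errors.Is(err, os.ErrNotExist) {
		return nil, err
	}
	// First start: no key on disk yet, so create and persist one.
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, err
	}
	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
		return nil, err
	}
	pemBytes = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
	if err := os.WriteFile(path, pemBytes, 0o600); err != nil {
		return nil, err
	}
	return priv, nil
}

// WirePublicKey encodes an ed25519 public key in SSH wire format (RFC 8709):
// the string "ssh-ed25519" followed by the 32 raw key bytes, each field
// prefixed with a big-endian uint32 length. This blob is what known_hosts
// stores (base64) and what OpenSSH hashes to produce the fingerprint.
func WirePublicKey(pub ed25519.PublicKey) []byte {
	var out []byte
	var length [4]byte
	for _, field := range [][]byte{[]byte("ssh-ed25519"), []byte(pub)} {
		binary.BigEndian.PutUint32(length[:], uint32(len(field)))
		out = append(out, length[:]...)
		out = append(out, field...)
	}
	return out
}

// Fingerprint returns the key fingerprint in the form OpenSSH prints:
// "SHA256:" + unpadded base64 of SHA-256 over the wire-format blob.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(WirePublicKey(pub))
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// KnownHostsLine builds the known_hosts entry a client would pin for host.
func KnownHostsLine(host string, pub ed25519.PublicKey) string {
	blob := base64.StdEncoding.EncodeToString(WirePublicKey(pub))
	return fmt.Sprintf("%s ssh-ed25519 %s", host, blob)
}

func main() {
	dir, err := os.MkdirTemp("", "agent-hostkey")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "ssh_host_ed25519_key")

	first, err := LoadOrCreateHostKey(path) // first boot: key is generated
	if err != nil {
		panic(err)
	}
	second, err := LoadOrCreateHostKey(path) // simulated restart: key is reloaded
	if err != nil {
		panic(err)
	}
	pub := first.Public().(ed25519.PublicKey)
	fmt.Println("fingerprint:", Fingerprint(pub))
	fmt.Println("same key after restart:", first.Equal(second))
	fmt.Println(KnownHostsLine("syncthing-dg.coder", pub)) // constructed host name
}
```

Because the key is generated per workspace and then reused, the fingerprint a user pins on first connection stays valid across restarts, which is exactly what the default `StrictHostKeyChecking` behaviour quoted above expects; the workspace's own key still differs from every other workspace's, unlike a single hardcoded key shared by all agents.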
