ssh/tailssh: fall back to using su when no TTY available on Linux

This allows pam authentication to run for ssh sessions, triggering
automation like pam_mkhomedir.

Updates #11854

Signed-off-by: Percy Wegmann <percy@tailscale.com>
This commit is contained in:
Percy Wegmann 2024-05-29 12:51:50 -05:00 committed by Percy Wegmann
parent f1d10c12ac
commit 08a9551a73
9 changed files with 632 additions and 260 deletions

View File

@ -115,10 +115,7 @@ sshintegrationtest: ## Run the SSH integration tests in various Docker container
echo "Testing on ubuntu:focal" && docker build --build-arg="BASE=ubuntu:focal" -t ssh-ubuntu-focal ssh/tailssh/testcontainers && \ echo "Testing on ubuntu:focal" && docker build --build-arg="BASE=ubuntu:focal" -t ssh-ubuntu-focal ssh/tailssh/testcontainers && \
echo "Testing on ubuntu:jammy" && docker build --build-arg="BASE=ubuntu:jammy" -t ssh-ubuntu-jammy ssh/tailssh/testcontainers && \ echo "Testing on ubuntu:jammy" && docker build --build-arg="BASE=ubuntu:jammy" -t ssh-ubuntu-jammy ssh/tailssh/testcontainers && \
echo "Testing on ubuntu:mantic" && docker build --build-arg="BASE=ubuntu:mantic" -t ssh-ubuntu-mantic ssh/tailssh/testcontainers && \ echo "Testing on ubuntu:mantic" && docker build --build-arg="BASE=ubuntu:mantic" -t ssh-ubuntu-mantic ssh/tailssh/testcontainers && \
echo "Testing on ubuntu:noble" && docker build --build-arg="BASE=ubuntu:noble" -t ssh-ubuntu-noble ssh/tailssh/testcontainers && \ echo "Testing on ubuntu:noble" && docker build --build-arg="BASE=ubuntu:noble" -t ssh-ubuntu-noble ssh/tailssh/testcontainers
echo "Testing on fedora:38" && docker build --build-arg="BASE=dokken/fedora-38" -t ssh-fedora-38 ssh/tailssh/testcontainers && \
echo "Testing on fedora:39" && docker build --build-arg="BASE=dokken/fedora-39" -t ssh-fedora-39 ssh/tailssh/testcontainers && \
echo "Testing on fedora:40" && docker build --build-arg="BASE=dokken/fedora-40" -t ssh-fedora-40 ssh/tailssh/testcontainers
help: ## Show this help help: ## Show this help
@echo "\nSpecify a command. The choices are:\n" @echo "\nSpecify a command. The choices are:\n"

1
go.mod
View File

@ -14,6 +14,7 @@ require (
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.64 github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.64
github.com/aws/aws-sdk-go-v2/service/s3 v1.33.0 github.com/aws/aws-sdk-go-v2/service/s3 v1.33.0
github.com/aws/aws-sdk-go-v2/service/ssm v1.44.7 github.com/aws/aws-sdk-go-v2/service/ssm v1.44.7
github.com/bramvdbogaerde/go-scp v1.4.0
github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6
github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
github.com/creack/pty v1.1.21 github.com/creack/pty v1.1.21

2
go.sum
View File

@ -177,6 +177,8 @@ github.com/blizzy78/varnamelen v0.8.0 h1:oqSblyuQvFsW1hbBHh1zfwrKe3kcSj0rnXkKzsQ
github.com/blizzy78/varnamelen v0.8.0/go.mod h1:V9TzQZ4fLJ1DSrjVDfl89H7aMnTvKkApdHeyESmyR7k= github.com/blizzy78/varnamelen v0.8.0/go.mod h1:V9TzQZ4fLJ1DSrjVDfl89H7aMnTvKkApdHeyESmyR7k=
github.com/bombsimon/wsl/v3 v3.4.0 h1:RkSxjT3tmlptwfgEgTgU+KYKLI35p/tviNXNXiL2aNU= github.com/bombsimon/wsl/v3 v3.4.0 h1:RkSxjT3tmlptwfgEgTgU+KYKLI35p/tviNXNXiL2aNU=
github.com/bombsimon/wsl/v3 v3.4.0/go.mod h1:KkIB+TXkqy6MvK9BDZVbZxKNYsE1/oLRJbIFtf14qqo= github.com/bombsimon/wsl/v3 v3.4.0/go.mod h1:KkIB+TXkqy6MvK9BDZVbZxKNYsE1/oLRJbIFtf14qqo=
github.com/bramvdbogaerde/go-scp v1.4.0 h1:jKMwpwCbcX1KyvDbm/PDJuXcMuNVlLGi0Q0reuzjyKY=
github.com/bramvdbogaerde/go-scp v1.4.0/go.mod h1:on2aH5AxaFb2G0N5Vsdy6B0Ml7k9HuHSwfo1y0QzAbQ=
github.com/breml/bidichk v0.2.4 h1:i3yedFWWQ7YzjdZJHnPo9d/xURinSq3OM+gyM43K4/8= github.com/breml/bidichk v0.2.4 h1:i3yedFWWQ7YzjdZJHnPo9d/xURinSq3OM+gyM43K4/8=
github.com/breml/bidichk v0.2.4/go.mod h1:7Zk0kRFt1LIZxtQdl9W9JwGAcLTTkOs+tN7wuEYGJ3s= github.com/breml/bidichk v0.2.4/go.mod h1:7Zk0kRFt1LIZxtQdl9W9JwGAcLTTkOs+tN7wuEYGJ3s=
github.com/breml/errchkjson v0.3.1 h1:hlIeXuspTyt8Y/UmP5qy1JocGNR00KQHgfaNtRAjoxQ= github.com/breml/errchkjson v0.3.1 h1:hlIeXuspTyt8Y/UmP5qy1JocGNR00KQHgfaNtRAjoxQ=

View File

@ -36,6 +36,7 @@
"golang.org/x/sys/unix" "golang.org/x/sys/unix"
"tailscale.com/cmd/tailscaled/childproc" "tailscale.com/cmd/tailscaled/childproc"
"tailscale.com/hostinfo" "tailscale.com/hostinfo"
"tailscale.com/tailcfg"
"tailscale.com/tempfork/gliderlabs/ssh" "tailscale.com/tempfork/gliderlabs/ssh"
"tailscale.com/types/logger" "tailscale.com/types/logger"
"tailscale.com/version/distro" "tailscale.com/version/distro"
@ -43,18 +44,22 @@
func init() { func init() {
childproc.Add("ssh", beIncubator) childproc.Add("ssh", beIncubator)
childproc.Add("sftp", beSFTP)
} }
var ptyName = func(f *os.File) (string, error) { var ptyName = func(f *os.File) (string, error) {
return "", fmt.Errorf("unimplemented") return "", fmt.Errorf("unimplemented")
} }
// maybeStartLoginSession starts a new login session for the specified UID. // maybeStartLoginSession informs the system that we are about to log someone
// On success, it may return a non-nil close func which must be closed to // in. On success, it may return a non-nil close func which must be closed to
// release the session. // release the session.
// We can only do this if we are running as root.
// This is best effort to still allow running on machines where
// we don't support starting sessions, e.g. darwin.
// See maybeStartLoginSessionLinux. // See maybeStartLoginSessionLinux.
var maybeStartLoginSession = func(logf logger.Logf, ia incubatorArgs) (close func() error, err error) { var maybeStartLoginSession = func(dlogf logger.Logf, ia incubatorArgs) (close func() error) {
return nil, nil return nil
} }
// newIncubatorCommand returns a new exec.Cmd configured with // newIncubatorCommand returns a new exec.Cmd configured with
@ -64,40 +69,39 @@ func init() {
// exec.CommandContext. // exec.CommandContext.
// //
// The returned Cmd.Env is guaranteed to be nil; the caller populates it. // The returned Cmd.Env is guaranteed to be nil; the caller populates it.
func (ss *sshSession) newIncubatorCommand() (cmd *exec.Cmd) { func (ss *sshSession) newIncubatorCommand(logf logger.Logf) (cmd *exec.Cmd, err error) {
defer func() { defer func() {
if cmd.Env != nil { if cmd.Env != nil {
panic("internal error") panic("internal error")
} }
}() }()
var (
name string var isSFTP, isShell bool
args []string
isSFTP bool
isShell bool
)
switch ss.Subsystem() { switch ss.Subsystem() {
case "sftp": case "sftp":
isSFTP = true isSFTP = true
case "": case "":
name = ss.conn.localUser.LoginShell() isShell = ss.RawCommand() == ""
if rawCmd := ss.RawCommand(); rawCmd != "" {
args = append(args, "-c", rawCmd)
} else {
isShell = true
args = append(args, "-l") // login shell
}
default: default:
panic(fmt.Sprintf("unexpected subsystem: %v", ss.Subsystem())) panic(fmt.Sprintf("unexpected subsystem: %v", ss.Subsystem()))
} }
if ss.conn.srv.tailscaledPath == "" { if ss.conn.srv.tailscaledPath == "" {
// TODO(maisem): this doesn't work with sftp if isSFTP {
return exec.CommandContext(ss.ctx, name, args...) // SFTP relies on the embedded Go-based SFTP server in tailscaled,
// so without tailscaled, we can't serve SFTP.
return nil, errors.New("no tailscaled found on path, can't serve SFTP")
} }
loginShell := ss.conn.localUser.LoginShell()
args := shellArgs(isShell, ss.RawCommand())
logf("directly running %s %q", loginShell, args)
return exec.CommandContext(ss.ctx, loginShell, args...), nil
}
lu := ss.conn.localUser lu := ss.conn.localUser
ci := ss.conn.info ci := ss.conn.info
gids := strings.Join(ss.conn.userGroupIDs, ",") groups := strings.Join(ss.conn.userGroupIDs, ",")
remoteUser := ci.uprof.LoginName remoteUser := ci.uprof.LoginName
if ci.node.IsTagged() { if ci.node.IsTagged() {
remoteUser = strings.Join(ci.node.Tags().AsSlice(), ",") remoteUser = strings.Join(ci.node.Tags().AsSlice(), ",")
@ -106,9 +110,10 @@ func (ss *sshSession) newIncubatorCommand() (cmd *exec.Cmd) {
incubatorArgs := []string{ incubatorArgs := []string{
"be-child", "be-child",
"ssh", "ssh",
"--login-shell=" + lu.LoginShell(),
"--uid=" + lu.Uid, "--uid=" + lu.Uid,
"--gid=" + lu.Gid, "--gid=" + lu.Gid,
"--groups=" + gids, "--groups=" + groups,
"--local-user=" + lu.Username, "--local-user=" + lu.Username,
"--remote-user=" + remoteUser, "--remote-user=" + remoteUser,
"--remote-ip=" + ci.src.Addr().String(), "--remote-ip=" + ci.src.Addr().String(),
@ -116,39 +121,31 @@ func (ss *sshSession) newIncubatorCommand() (cmd *exec.Cmd) {
"--tty-name=", // updated in-place by startWithPTY "--tty-name=", // updated in-place by startWithPTY
} }
forceV1Behavior := ss.conn.srv.lb.NetMap().HasCap(tailcfg.NodeAttrSSHBehaviorV1)
if forceV1Behavior {
incubatorArgs = append(incubatorArgs, "--force-v1-behavior")
}
if debugTest.Load() { if debugTest.Load() {
incubatorArgs = append(incubatorArgs, "--debug-test") incubatorArgs = append(incubatorArgs, "--debug-test")
} }
if isSFTP { switch {
incubatorArgs = append(incubatorArgs, "--sftp") case isSFTP:
} else { // Note that we include both the `--sftp` flag and a command to launch
if isShell { // tailscaled as `be-child sftp`. If login or su is available, and
// we're not running with tailcfg.NodeAttrSSHBehaviorV1, this will
// result in serving SFTP within a login shell, with full PAM
// integration. Otherwise, we'll serve SFTP in the incubator process
// with no PAM integration.
incubatorArgs = append(incubatorArgs, "--sftp", fmt.Sprintf("--cmd=%s be-child sftp", ss.conn.srv.tailscaledPath))
case isShell:
incubatorArgs = append(incubatorArgs, "--shell") incubatorArgs = append(incubatorArgs, "--shell")
default:
incubatorArgs = append(incubatorArgs, "--cmd="+ss.RawCommand())
} }
// Only the macOS version of the login command supports executing a
// command, all other versions only support launching a shell return exec.CommandContext(ss.ctx, ss.conn.srv.tailscaledPath, incubatorArgs...), nil
// without taking any arguments.
shouldUseLoginCmd := isShell || runtime.GOOS == "darwin"
if hostinfo.IsSELinuxEnforcing() {
// If we're running on a SELinux-enabled system, the login
// command will be unable to set the correct context for the
// shell. Fall back to using the incubator to launch the shell.
// See http://github.com/tailscale/tailscale/issues/4908.
shouldUseLoginCmd = false
}
if shouldUseLoginCmd {
if lp, err := exec.LookPath("login"); err == nil {
incubatorArgs = append(incubatorArgs, "--login-cmd="+lp)
}
}
incubatorArgs = append(incubatorArgs, "--cmd="+name)
if len(args) > 0 {
incubatorArgs = append(incubatorArgs, "--")
incubatorArgs = append(incubatorArgs, args...)
}
}
return exec.CommandContext(ss.ctx, ss.conn.srv.tailscaledPath, incubatorArgs...)
} }
var debugIncubator bool var debugIncubator bool
@ -170,51 +167,60 @@ func (stdRWC) Close() error {
} }
type incubatorArgs struct { type incubatorArgs struct {
loginShell string
uid int uid int
gid int gid int
groups string gids []int
localUser string localUser string
remoteUser string remoteUser string
remoteIP string remoteIP string
ttyName string ttyName string
hasTTY bool hasTTY bool
cmdName string cmd string
isSFTP bool isSFTP bool
isShell bool isShell bool
loginCmdPath string forceV1Behavior bool
cmdArgs []string
debugTest bool debugTest bool
} }
func parseIncubatorArgs(args []string) (a incubatorArgs) { func parseIncubatorArgs(args []string) (incubatorArgs, error) {
var ia incubatorArgs
var groups string
flags := flag.NewFlagSet("", flag.ExitOnError) flags := flag.NewFlagSet("", flag.ExitOnError)
flags.IntVar(&a.uid, "uid", 0, "the uid of local-user") flags.StringVar(&ia.loginShell, "login-shell", "", "path to the user's preferred login shell")
flags.IntVar(&a.gid, "gid", 0, "the gid of local-user") flags.IntVar(&ia.uid, "uid", 0, "the uid of local-user")
flags.StringVar(&a.groups, "groups", "", "comma-separated list of gids of local-user") flags.IntVar(&ia.gid, "gid", 0, "the gid of local-user")
flags.StringVar(&a.localUser, "local-user", "", "the user to run as") flags.StringVar(&groups, "groups", "", "comma-separated list of gids of local-user")
flags.StringVar(&a.remoteUser, "remote-user", "", "the remote user/tags") flags.StringVar(&ia.localUser, "local-user", "", "the user to run as")
flags.StringVar(&a.remoteIP, "remote-ip", "", "the remote Tailscale IP") flags.StringVar(&ia.remoteUser, "remote-user", "", "the remote user/tags")
flags.StringVar(&a.ttyName, "tty-name", "", "the tty name (pts/3)") flags.StringVar(&ia.remoteIP, "remote-ip", "", "the remote Tailscale IP")
flags.BoolVar(&a.hasTTY, "has-tty", false, "is the output attached to a tty") flags.StringVar(&ia.ttyName, "tty-name", "", "the tty name (pts/3)")
flags.StringVar(&a.cmdName, "cmd", "", "the cmd to launch (ignored in sftp mode)") flags.BoolVar(&ia.hasTTY, "has-tty", false, "is the output attached to a tty")
flags.BoolVar(&a.isShell, "shell", false, "is launching a shell (with no cmds)") flags.StringVar(&ia.cmd, "cmd", "", "the cmd to launch, including all arguments (ignored in sftp mode)")
flags.BoolVar(&a.isSFTP, "sftp", false, "run sftp server (cmd is ignored)") flags.BoolVar(&ia.isShell, "shell", false, "is launching a shell (with no cmds)")
flags.StringVar(&a.loginCmdPath, "login-cmd", "", "the path to `login` cmd") flags.BoolVar(&ia.isSFTP, "sftp", false, "run sftp server (cmd is ignored)")
flags.BoolVar(&a.debugTest, "debug-test", false, "should debug in test mode") flags.BoolVar(&ia.forceV1Behavior, "force-v1-behavior", false, "allow falling back to the su command if login is unavailable")
flags.BoolVar(&ia.debugTest, "debug-test", false, "should debug in test mode")
flags.Parse(args) flags.Parse(args)
a.cmdArgs = flags.Args()
return a for _, g := range strings.Split(groups, ",") {
gid, err := strconv.Atoi(g)
if err != nil {
return ia, fmt.Errorf("unable to parse group id %q: %w", g, err)
}
ia.gids = append(ia.gids, gid)
}
return ia, nil
} }
// beIncubator is the entrypoint to the `tailscaled be-child ssh` subcommand. // beIncubator is the entrypoint to the `tailscaled be-child ssh` subcommand.
// It is responsible for informing the system of a new login session for the user. // It is responsible for informing the system of a new login session for the
// This is sometimes necessary for mounting home directories and decrypting file // user. This is sometimes necessary for mounting home directories and
// systems. // decrypting file systems.
// //
// Tailscaled launches the incubator as the same user as it was // Tailscaled launches the incubator as the same user as it was launched as.
// launched as. The incubator then registers a new session with the
// OS, sets its UID and groups to the specified `--uid`, `--gid` and
// `--groups` and then launches the requested `--cmd`.
func beIncubator(args []string) error { func beIncubator(args []string) error {
// To defend against issues like https://golang.org/issue/1435, // To defend against issues like https://golang.org/issue/1435,
// defensively lock our current goroutine's thread to the current // defensively lock our current goroutine's thread to the current
@ -226,22 +232,25 @@ func beIncubator(args []string) error {
runtime.LockOSThread() runtime.LockOSThread()
defer runtime.UnlockOSThread() defer runtime.UnlockOSThread()
ia := parseIncubatorArgs(args) ia, err := parseIncubatorArgs(args)
if err != nil {
return err
}
if ia.isSFTP && ia.isShell { if ia.isSFTP && ia.isShell {
return fmt.Errorf("--sftp and --shell are mutually exclusive") return fmt.Errorf("--sftp and --shell are mutually exclusive")
} }
logf := logger.Discard dlogf := logger.Discard
if debugIncubator { if debugIncubator {
// We don't own stdout or stderr, so the only place we can log is syslog. // We don't own stdout or stderr, so the only place we can log is syslog.
if sl, err := syslog.New(syslog.LOG_INFO|syslog.LOG_DAEMON, "tailscaled-ssh"); err == nil { if sl, err := syslog.New(syslog.LOG_INFO|syslog.LOG_DAEMON, "tailscaled-ssh"); err == nil {
logf = log.New(sl, "", 0).Printf dlogf = log.New(sl, "", 0).Printf
} }
} else if ia.debugTest { } else if ia.debugTest {
// In testing, we don't always have syslog, log to a temp file // In testing, we don't always have syslog, so log to a temp file.
if logFile, err := os.OpenFile("/tmp/tailscalessh.log", os.O_APPEND|os.O_WRONLY, 0666); err == nil { if logFile, err := os.OpenFile("/tmp/tailscalessh.log", os.O_APPEND|os.O_WRONLY, 0666); err == nil {
lf := log.New(logFile, "", 0) lf := log.New(logFile, "", 0)
logf = func(msg string, args ...any) { dlogf = func(msg string, args ...any) {
lf.Printf(msg, args...) lf.Printf(msg, args...)
logFile.Sync() logFile.Sync()
} }
@ -249,41 +258,55 @@ func beIncubator(args []string) error {
} }
} }
euid := os.Geteuid() if !shouldAttemptLoginShell(dlogf, ia) {
runningAsRoot := euid == 0 dlogf("not attempting login shell")
if runningAsRoot && ia.loginCmdPath != "" { return handleInProcess(dlogf, ia)
// Check if we can exec into the login command instead of trying to
// incubate ourselves.
if la := ia.loginArgs(); la != nil {
return unix.Exec(ia.loginCmdPath, la, os.Environ())
}
} }
// Inform the system that we are about to log someone in. // First try the login command
// We can only do this if we are running as root. if err := tryExecLogin(dlogf, ia); err != nil {
// This is best effort to still allow running on machines where return err
// we don't support starting sessions, e.g. darwin. }
sessionCloser, err := maybeStartLoginSession(logf, ia)
if err == nil && sessionCloser != nil { // If we got here, we weren't able to use login (because tryExecLogin
// returned without replacing the running process), maybe we can use
// su.
if handled, err := trySU(dlogf, ia); handled {
return err
} else {
dlogf("not attempting su")
return handleInProcess(dlogf, ia)
}
}
func handleInProcess(dlogf logger.Logf, ia incubatorArgs) error {
if ia.isSFTP {
return handleSFTPInProcess(dlogf, ia)
}
return handleSSHInProcess(dlogf, ia)
}
func handleSFTPInProcess(dlogf logger.Logf, ia incubatorArgs) error {
dlogf("handling sftp")
sessionCloser := maybeStartLoginSession(dlogf, ia)
if sessionCloser != nil {
defer sessionCloser() defer sessionCloser()
} }
var groupIDs []int if err := dropPrivileges(dlogf, ia); err != nil {
for _, g := range strings.Split(ia.groups, ",") {
gid, err := strconv.ParseInt(g, 10, 32)
if err != nil {
return err
}
groupIDs = append(groupIDs, int(gid))
}
if err := dropPrivileges(logf, ia.uid, ia.gid, groupIDs); err != nil {
return err return err
} }
if ia.isSFTP { return serveSFTP()
logf("handling sftp") }
// beSFTP serves SFTP in-process.
func beSFTP(args []string) error {
return serveSFTP()
}
func serveSFTP() error {
server, err := sftp.NewServer(stdRWC{}) server, err := sftp.NewServer(stdRWC{})
if err != nil { if err != nil {
return err return err
@ -294,27 +317,174 @@ func beIncubator(args []string) error {
return err return err
} }
return nil return nil
}
// shouldAttemptLoginShell decides whether we should attempt to get a full
// login shell with the login or su commands. We will attempt a login shell
// if all of the following conditions are met.
//
// - We are running as root
// - This is not an SELinuxEnforcing host
//
// The last condition exists because if we're running on a SELinux-enabled
// system, neiher login nor su will be able to set the correct context for the
// shell. So, we don't bother trying to run them and instead fall back to using
// the incubator to launch the shell.
// See http://github.com/tailscale/tailscale/issues/4908.
func shouldAttemptLoginShell(dlogf logger.Logf, ia incubatorArgs) bool {
if ia.forceV1Behavior && ia.isSFTP {
// v1 behavior did not run SFTP within a login shell.
dlogf("Forcing v1 behavior, won't use login shell for SFTP")
return false
} }
cmd := exec.Command(ia.cmdName, ia.cmdArgs...) return runningAsRoot() && !hostinfo.IsSELinuxEnforcing()
cmd.Stdin = os.Stdin }
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
cmd.Env = os.Environ()
if ia.hasTTY { func runningAsRoot() bool {
// If we were launched with a tty then we should euid := os.Geteuid()
// mark that as the ctty of the child. However, return euid == 0
// as the ctty is being passed from the parent }
// we set the child to foreground instead which
// also passes the ctty. // tryExecLogin attempts to handle the ssh session by creating a full login
// However, we can not do this if never had a tty to // shell using the login command. If it never tried, it returns nil. If it
// begin with. // failed to do so, it returns an error.
cmd.SysProcAttr = &syscall.SysProcAttr{ //
Foreground: true, // Creating a login shell in this way allows us to register the remote IP of
// the login session, trigger PAM authentication, and get the "remote" PAM
// profile.
//
// However, login is subject to some limitations.
//
// 1. login cannot be used to execute commands except on macOS.
// 2. On Linux and BSD, login requires a TTY to keep running.
//
// In these cases, tryExecLogin returns (false, nil) to indicate that processing
// should fall through to other methods, such as using the su command.
//
// Note that this uses unix.Exec to replace the current process, so in cases
// where we actually do run login, no subsequent Go code will execute.
func tryExecLogin(dlogf logger.Logf, ia incubatorArgs) error {
// Only the macOS version of the login command supports executing a
// command, all other versions only support launching a shell without
// taking any arguments.
if !ia.isShell && runtime.GOOS != "darwin" {
dlogf("won't use login because we're not in a shell or on macOS")
return nil
}
switch runtime.GOOS {
case "linux", "freebsd", "openbsd":
if !ia.hasTTY {
dlogf("can't use login because of missing TTY")
// We can only use the login command if a shell was requested with
// a TTY. If there is no TTY, login exits immediately, which
// breaks things like mosh and VSCode.
return nil
} }
} }
err = cmd.Run()
loginCmdPath, err := exec.LookPath("login")
if err != nil {
dlogf("failed to get login args: %s", err)
return nil
}
loginArgs := ia.loginArgs(loginCmdPath)
dlogf("logging in with %s %+v", loginCmdPath, loginArgs)
// replace the running process
return unix.Exec(loginCmdPath, loginArgs, os.Environ())
}
// trySU attempts to start a login shell using su. If su is available and
// supports the necessary arguments, this returns true, plus the result of
// executing su. Otherwise, it returns (false, nil).
//
// Creating a login shell in this way allows us to trigger PAM authentication
// and get the "login" PAM profile.
//
// Unlike login, su often does not require a TTY, so on Linux hosts that have
// an su command which accepts the right flags, we'll use su instead of login
// when no TTY is available.
func trySU(dlogf logger.Logf, ia incubatorArgs) (handled bool, err error) {
if ia.forceV1Behavior {
// v1 behavior did not use su.
dlogf("Forcing v1 behavior, won't use su")
return false, nil
}
su := findSU(dlogf, ia)
if su == "" {
return false, nil
}
sessionCloser := maybeStartLoginSession(dlogf, ia)
if sessionCloser != nil {
defer sessionCloser()
}
loginArgs := []string{"-l", ia.localUser}
if ia.cmd != "" {
// Note - unlike the login command, su allows using both -l and -c.
loginArgs = append(loginArgs, "-c", ia.cmd)
}
dlogf("logging in with %s %q", su, loginArgs)
cmd := newCommand(ia.hasTTY, su, loginArgs)
return true, cmd.Run()
}
// findSU attempts to find an su command which supports the -l and -c flags.
// This actually calls the su command, which can cause side effects like
// triggering pam_mkhomedir. If a suitable su is not available, this returns
// "".
func findSU(dlogf logger.Logf, ia incubatorArgs) string {
// Currently, we only support falling back to su on Linux. This
// potentially could work on BSDs as well, but requires testing.
if runtime.GOOS != "linux" {
return ""
}
// gokrazy doesn't include su. And, if someone installs a breakglass/
// debugging package on gokrazy, we don't want to use its su.
if distro.Get() == distro.Gokrazy {
return ""
}
su, err := exec.LookPath("su")
if err != nil {
dlogf("can't find su command: %v", err)
return ""
}
// First try to execute su -l <user> -c true to make sure su supports the
// necessary arguments.
err = exec.Command(su, "-l", ia.localUser, "-c", "true").Run()
if err != nil {
dlogf("su check failed: %s", err)
return ""
}
return su
}
// handleSSHInProcess is a last resort if we couldn't use login or su. It
// registers a new session with the OS, sets its UID, GID and groups to the
// specified values, and then launches the requested `--cmd` in the user's
// login shell.
func handleSSHInProcess(dlogf logger.Logf, ia incubatorArgs) error {
sessionCloser := maybeStartLoginSession(dlogf, ia)
if sessionCloser != nil {
defer sessionCloser()
}
if err := dropPrivileges(dlogf, ia); err != nil {
return err
}
args := shellArgs(ia.isShell, ia.cmd)
dlogf("running %s %q", ia.loginShell, args)
cmd := newCommand(ia.hasTTY, ia.loginShell, args)
err := cmd.Run()
if ee, ok := err.(*exec.ExitError); ok { if ee, ok := err.(*exec.ExitError); ok {
ps := ee.ProcessState ps := ee.ProcessState
code := ps.ExitCode() code := ps.ExitCode()
@ -330,6 +500,26 @@ func beIncubator(args []string) error {
return err return err
} }
func newCommand(hasTTY bool, cmdPath string, cmdArgs []string) *exec.Cmd {
cmd := exec.Command(cmdPath, cmdArgs...)
cmd.Stdin = os.Stdin
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
cmd.Env = os.Environ()
if hasTTY {
// If we were launched with a tty then we should mark that as the ctty
// of the child. However, as the ctty is being passed from the parent
// we set the child to foreground instead which also passes the ctty.
// However, we can not do this if never had a tty to begin with.
cmd.SysProcAttr = &syscall.SysProcAttr{
Foreground: true,
}
}
return cmd
}
const ( const (
// This controls whether we assert that our privileges were dropped // This controls whether we assert that our privileges were dropped
// using geteuid/getegid; it's a const and not an envknob because the // using geteuid/getegid; it's a const and not an envknob because the
@ -344,19 +534,26 @@ func beIncubator(args []string) error {
assertPrivilegesWereDroppedByAttemptingToUnDrop = false assertPrivilegesWereDroppedByAttemptingToUnDrop = false
) )
// dropPrivileges contains all the logic for dropping privileges to a different // dropPrivileges calls doDropPrivileges with uid, gid, and gids from the given
// incubatorArgs.
func dropPrivileges(dlogf logger.Logf, ia incubatorArgs) error {
return doDropPrivileges(dlogf, ia.uid, ia.gid, ia.gids)
}
// doDropPrivileges contains all the logic for dropping privileges to a different
// UID, GID, and set of supplementary groups. This function is // UID, GID, and set of supplementary groups. This function is
// security-sensitive and ordering-dependent; please be very cautious if/when // security-sensitive and ordering-dependent; please be very cautious if/when
// refactoring. // refactoring.
// //
// WARNING: if you change this function, you *MUST* run the TestDropPrivileges // WARNING: if you change this function, you *MUST* run the TestDoDropPrivileges
// test in this package as root on at least Linux, FreeBSD and Darwin. This can // test in this package as root on at least Linux, FreeBSD and Darwin. This can
// be done by running: // be done by running:
// //
// go test -c ./ssh/tailssh/ && sudo ./tailssh.test -test.v -test.run TestDropPrivileges // go test -c ./ssh/tailssh/ && sudo ./tailssh.test -test.v -test.run TestDoDropPrivileges
func dropPrivileges(logf logger.Logf, wantUid, wantGid int, supplementaryGroups []int) error { func doDropPrivileges(dlogf logger.Logf, wantUid, wantGid int, supplementaryGroups []int) error {
dlogf("dropping privileges")
fatalf := func(format string, args ...any) { fatalf := func(format string, args ...any) {
logf("[unexpected] error dropping privileges: "+format, args...) dlogf("[unexpected] error dropping privileges: "+format, args...)
os.Exit(1) os.Exit(1)
} }
@ -448,7 +645,11 @@ func dropPrivileges(logf logger.Logf, wantUid, wantGid int, supplementaryGroups
// //
// It sets ss.cmd, stdin, stdout, and stderr. // It sets ss.cmd, stdin, stdout, and stderr.
func (ss *sshSession) launchProcess() error { func (ss *sshSession) launchProcess() error {
ss.cmd = ss.newIncubatorCommand() var err error
ss.cmd, err = ss.newIncubatorCommand(ss.logf)
if err != nil {
return err
}
cmd := ss.cmd cmd := ss.cmd
homeDir := ss.conn.localUser.HomeDir homeDir := ss.conn.localUser.HomeDir
@ -749,18 +950,11 @@ func fileExists(path string) bool {
} }
// loginArgs returns the arguments to use to exec the login binary. // loginArgs returns the arguments to use to exec the login binary.
// It returns nil if the login binary should not be used. func (ia *incubatorArgs) loginArgs(loginCmdPath string) []string {
// The login binary is only used:
// - on darwin, if the client is requesting a shell or a command.
// - on linux and BSD, if the client is requesting a shell with a TTY.
func (ia *incubatorArgs) loginArgs() []string {
if ia.isSFTP {
return nil
}
switch runtime.GOOS { switch runtime.GOOS {
case "darwin": case "darwin":
args := []string{ args := []string{
ia.loginCmdPath, loginCmdPath,
"-f", // already authenticated "-f", // already authenticated
// login typically discards the previous environment, but we want to // login typically discards the previous environment, but we want to
@ -773,39 +967,35 @@ func (ia *incubatorArgs) loginArgs() []string {
if !ia.hasTTY { if !ia.hasTTY {
args[2] = "-pq" // -q is "quiet" which suppresses the login banner args[2] = "-pq" // -q is "quiet" which suppresses the login banner
} }
if ia.cmdName != "" { if ia.cmd != "" {
args = append(args, ia.cmdName) args = append(args, ia.loginShell, "-c", ia.cmd)
args = append(args, ia.cmdArgs...)
} }
return args return args
case "linux": case "linux":
if !ia.isShell || !ia.hasTTY {
// We can only use login command if a shell was requested with a TTY. If
// there is no TTY, login exits immediately, which breaks things likes
// mosh and VSCode.
return nil
}
if distro.Get() == distro.Arch && !fileExists("/etc/pam.d/remote") { if distro.Get() == distro.Arch && !fileExists("/etc/pam.d/remote") {
// See https://github.com/tailscale/tailscale/issues/4924 // See https://github.com/tailscale/tailscale/issues/4924
// //
// Arch uses a different login binary that makes the -h flag set the PAM // Arch uses a different login binary that makes the -h flag set the PAM
// service to "remote". So if they don't have that configured, don't // service to "remote". So if they don't have that configured, don't
// pass -h. // pass -h.
return []string{ia.loginCmdPath, "-f", ia.localUser, "-p"} return []string{loginCmdPath, "-f", ia.localUser, "-p"}
} }
return []string{ia.loginCmdPath, "-f", ia.localUser, "-h", ia.remoteIP, "-p"} return []string{loginCmdPath, "-f", ia.localUser, "-h", ia.remoteIP, "-p"}
case "freebsd", "openbsd": case "freebsd", "openbsd":
if !ia.isShell || !ia.hasTTY { return []string{loginCmdPath, "-fp", "-h", ia.remoteIP, ia.localUser}
// We can only use login command if a shell was requested with a TTY. If
// there is no TTY, login exits immediately, which breaks things likes
// mosh and VSCode.
return nil
}
return []string{ia.loginCmdPath, "-fp", "-h", ia.remoteIP, ia.localUser}
} }
panic("unimplemented") panic("unimplemented")
} }
func shellArgs(isShell bool, cmd string) []string {
if isShell {
return []string{"-l"}
} else {
return []string{"-c", cmd}
}
}
func setGroups(groupIDs []int) error { func setGroups(groupIDs []int) error {
if runtime.GOOS == "darwin" && len(groupIDs) > 16 { if runtime.GOOS == "darwin" && len(groupIDs) > 16 {
// darwin returns "invalid argument" if more than 16 groups are passed to syscall.Setgroups // darwin returns "invalid argument" if more than 16 groups are passed to syscall.Setgroups

View File

@ -146,11 +146,11 @@ func releaseSession(sessionID string) error {
} }
// maybeStartLoginSessionLinux is the linux implementation of maybeStartLoginSession. // maybeStartLoginSessionLinux is the linux implementation of maybeStartLoginSession.
func maybeStartLoginSessionLinux(logf logger.Logf, ia incubatorArgs) (func() error, error) { func maybeStartLoginSessionLinux(dlogf logger.Logf, ia incubatorArgs) func() error {
if os.Geteuid() != 0 { if os.Geteuid() != 0 {
return nil, nil return nil
} }
logf("starting session for user %d", ia.uid) dlogf("starting session for user %d", ia.uid)
// The only way we can actually start a new session is if we are // The only way we can actually start a new session is if we are
// running outside one and are root, which is typically the case // running outside one and are root, which is typically the case
// for systemd managed tailscaled. // for systemd managed tailscaled.
@ -160,14 +160,14 @@ func maybeStartLoginSessionLinux(logf logger.Logf, ia incubatorArgs) (func() err
// We can look at the DBus GetSessionByPID API. // We can look at the DBus GetSessionByPID API.
// https://www.freedesktop.org/software/systemd/man/org.freedesktop.login1.html // https://www.freedesktop.org/software/systemd/man/org.freedesktop.login1.html
// For now best effort is fine. // For now best effort is fine.
logf("ssh: failed to CreateSession for user %q (%d) %v", ia.localUser, ia.uid, err) dlogf("ssh: failed to CreateSession for user %q (%d) %v", ia.localUser, ia.uid, err)
return nil, nil return nil
} }
os.Setenv("DBUS_SESSION_BUS_ADDRESS", fmt.Sprintf("unix:path=%v/bus", resp.runtimePath)) os.Setenv("DBUS_SESSION_BUS_ADDRESS", fmt.Sprintf("unix:path=%v/bus", resp.runtimePath))
if !resp.existing { if !resp.existing {
return func() error { return func() error {
return releaseSession(resp.sessionID) return releaseSession(resp.sessionID)
}, nil
} }
return nil, nil }
return nil
} }

View File

@ -23,7 +23,7 @@
"tailscale.com/types/logger" "tailscale.com/types/logger"
) )
func TestDropPrivileges(t *testing.T) { func TestDoDropPrivileges(t *testing.T) {
type SubprocInput struct { type SubprocInput struct {
UID int UID int
GID int GID int
@ -49,7 +49,7 @@ type SubprocOutput struct {
f := os.NewFile(3, "out.json") f := os.NewFile(3, "out.json")
// We're in our subprocess; actually drop privileges now. // We're in our subprocess; actually drop privileges now.
dropPrivileges(t.Logf, input.UID, input.GID, input.AdditionalGroups) doDropPrivileges(t.Logf, input.UID, input.GID, input.AdditionalGroups)
additional, _ := syscall.Getgroups() additional, _ := syscall.Getgroups()

View File

@ -8,6 +8,7 @@
import ( import (
"bufio" "bufio"
"context"
"crypto/ecdsa" "crypto/ecdsa"
"crypto/ed25519" "crypto/ed25519"
"crypto/elliptic" "crypto/elliptic"
@ -28,6 +29,7 @@
"testing" "testing"
"time" "time"
"github.com/bramvdbogaerde/go-scp"
"github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp"
"github.com/pkg/sftp" "github.com/pkg/sftp"
gossh "github.com/tailscale/golang-x-crypto/ssh" gossh "github.com/tailscale/golang-x-crypto/ssh"
@ -36,6 +38,7 @@
"tailscale.com/tailcfg" "tailscale.com/tailcfg"
"tailscale.com/types/key" "tailscale.com/types/key"
"tailscale.com/types/netmap" "tailscale.com/types/netmap"
"tailscale.com/util/set"
) )
// This file contains integration tests of the SSH functionality. These tests // This file contains integration tests of the SSH functionality. These tests
@ -58,7 +61,7 @@ func TestMain(m *testing.M) {
file.Close() file.Close()
// Tail our log file. // Tail our log file.
cmd := exec.Command("tail", "-f", "/tmp/tailscalessh.log") cmd := exec.Command("tail", "-F", "/tmp/tailscalessh.log")
r, err := cmd.StdoutPipe() r, err := cmd.StdoutPipe()
if err != nil { if err != nil {
@ -77,6 +80,12 @@ func TestMain(m *testing.M) {
if err != nil { if err != nil {
return return
} }
defer func() {
// tail -f has a default sleep interval of 1 second, so it takes a
// moment for it to finish reading our log file after we've terminated.
// So, wait a bit to let it catch up.
time.Sleep(2 * time.Second)
}()
m.Run() m.Run()
} }
@ -95,18 +104,38 @@ func TestIntegrationSSH(t *testing.T) {
tests := []struct { tests := []struct {
cmd string cmd string
want []string want []string
forceV1Behavior bool
skip bool
}{ }{
{ {
cmd: "id", cmd: "id",
want: []string{"testuser", "groupone", "grouptwo"}, want: []string{"testuser", "groupone", "grouptwo"},
forceV1Behavior: false,
},
{
cmd: "id",
want: []string{"testuser", "groupone", "grouptwo"},
forceV1Behavior: true,
}, },
{ {
cmd: "pwd", cmd: "pwd",
want: []string{homeDir}, want: []string{homeDir},
skip: !fallbackToSUAvailable(),
forceV1Behavior: false,
},
{
cmd: "echo 'hello'",
want: []string{"hello"},
skip: !fallbackToSUAvailable(),
forceV1Behavior: false,
}, },
} }
for _, test := range tests { for _, test := range tests {
if test.skip {
continue
}
// run every test both without and with a shell // run every test both without and with a shell
for _, shell := range []bool{false, true} { for _, shell := range []bool{false, true} {
shellQualifier := "no_shell" shellQualifier := "no_shell"
@ -114,8 +143,13 @@ func TestIntegrationSSH(t *testing.T) {
shellQualifier = "shell" shellQualifier = "shell"
} }
t.Run(fmt.Sprintf("%s_%s", test.cmd, shellQualifier), func(t *testing.T) { versionQualifier := "v2"
s := testSession(t) if test.forceV1Behavior {
versionQualifier = "v1"
}
t.Run(fmt.Sprintf("%s_%s_%s", test.cmd, shellQualifier, versionQualifier), func(t *testing.T) {
s := testSession(t, test.forceV1Behavior)
if shell { if shell {
err := s.RequestPty("xterm", 40, 80, ssh.TerminalModes{ err := s.RequestPty("xterm", 40, 80, ssh.TerminalModes{
@ -124,11 +158,19 @@ func TestIntegrationSSH(t *testing.T) {
ssh.TTY_OP_OSPEED: 14400, ssh.TTY_OP_OSPEED: 14400,
}) })
if err != nil { if err != nil {
t.Fatalf("unable to request shell: %s", err) t.Fatalf("unable to request PTY: %s", err)
}
} }
got := s.run(t, test.cmd) err = s.Shell()
if err != nil {
t.Fatalf("unable to request shell: %s", err)
}
// Read the shell prompt
s.read()
}
got := s.run(t, test.cmd, shell)
for _, want := range test.want { for _, want := range test.want {
if !strings.Contains(got, want) { if !strings.Contains(got, want) {
t.Errorf("%q does not contain %q", got, want) t.Errorf("%q does not contain %q", got, want)
@ -145,10 +187,19 @@ func TestIntegrationSFTP(t *testing.T) {
debugTest.Store(false) debugTest.Store(false)
}) })
filePath := "/tmp/sftptest.dat" for _, forceV1Behavior := range []bool{false, true} {
name := "v2"
if forceV1Behavior {
name = "v1"
}
t.Run(name, func(t *testing.T) {
filePath := "/home/testuser/sftptest.dat"
if forceV1Behavior || !fallbackToSUAvailable() {
filePath = "/tmp/sftptest.dat"
}
wantText := "hello world" wantText := "hello world"
cl := testClient(t) cl := testClient(t, forceV1Behavior)
scl, err := sftp.NewClient(cl) scl, err := sftp.NewClient(cl)
if err != nil { if err != nil {
t.Fatalf("can't get sftp client: %s", err) t.Fatalf("can't get sftp client: %s", err)
@ -181,12 +232,88 @@ func TestIntegrationSFTP(t *testing.T) {
} }
s := testSessionFor(t, cl) s := testSessionFor(t, cl)
got := s.run(t, "ls -l "+filePath) got := s.run(t, "ls -l "+filePath, false)
if !strings.Contains(got, "testuser") { if !strings.Contains(got, "testuser") {
t.Fatalf("unexpected file owner user: %s", got) t.Fatalf("unexpected file owner user: %s", got)
} else if !strings.Contains(got, "testuser") { } else if !strings.Contains(got, "testuser") {
t.Fatalf("unexpected file owner group: %s", got) t.Fatalf("unexpected file owner group: %s", got)
} }
})
}
}
func TestIntegrationSCP(t *testing.T) {
debugTest.Store(true)
t.Cleanup(func() {
debugTest.Store(false)
})
for _, forceV1Behavior := range []bool{false, true} {
name := "v2"
if forceV1Behavior {
name = "v1"
}
t.Run(name, func(t *testing.T) {
filePath := "/home/testuser/scptest.dat"
if !fallbackToSUAvailable() {
filePath = "/tmp/scptest.dat"
}
wantText := "hello world"
cl := testClient(t, forceV1Behavior)
scl, err := scp.NewClientBySSH(cl)
if err != nil {
t.Fatalf("can't get sftp client: %s", err)
}
err = scl.Copy(context.Background(), strings.NewReader(wantText), filePath, "0644", int64(len(wantText)))
if err != nil {
t.Fatalf("can't create file: %s", err)
}
outfile, err := os.CreateTemp("", "")
if err != nil {
t.Fatalf("can't create temp file: %s", err)
}
err = scl.CopyFromRemote(context.Background(), outfile, filePath)
if err != nil {
t.Fatalf("can't copy file from remote: %s", err)
}
outfile.Close()
gotText, err := os.ReadFile(outfile.Name())
if err != nil {
t.Fatalf("can't read file: %s", err)
}
if diff := cmp.Diff(string(gotText), wantText); diff != "" {
t.Fatalf("unexpected file contents (-got +want):\n%s", diff)
}
s := testSessionFor(t, cl)
got := s.run(t, "ls -l "+filePath, false)
if !strings.Contains(got, "testuser") {
t.Fatalf("unexpected file owner user: %s", got)
} else if !strings.Contains(got, "testuser") {
t.Fatalf("unexpected file owner group: %s", got)
}
})
}
}
func fallbackToSUAvailable() bool {
if runtime.GOOS != "linux" {
return false
}
_, err := exec.LookPath("su")
if err != nil {
return false
}
// Some operating systems like Fedora seem to require login to be present
// in order for su to work.
_, err = exec.LookPath("login")
return err == nil
} }
type session struct { type session struct {
@ -197,14 +324,25 @@ type session struct {
stderr io.ReadCloser stderr io.ReadCloser
} }
func (s *session) run(t *testing.T, cmdString string) string { func (s *session) run(t *testing.T, cmdString string, shell bool) string {
t.Helper() t.Helper()
if shell {
_, err := s.stdin.Write([]byte(fmt.Sprintf("%s\n", cmdString)))
if err != nil {
t.Fatalf("unable to send command to shell: %s", err)
}
} else {
err := s.Start(cmdString) err := s.Start(cmdString)
if err != nil { if err != nil {
t.Fatalf("unable to start command: %s", err) t.Fatalf("unable to start command: %s", err)
} }
}
return s.read()
}
func (s *session) read() string {
ch := make(chan []byte) ch := make(chan []byte)
go func() { go func() {
for { for {
@ -228,7 +366,7 @@ func (s *session) run(t *testing.T, cmdString string) string {
select { select {
case b := <-ch: case b := <-ch:
_got = append(_got, b...) _got = append(_got, b...)
case <-time.After(25 * time.Millisecond): case <-time.After(1 * time.Second):
break readLoop break readLoop
} }
} }
@ -236,12 +374,12 @@ func (s *session) run(t *testing.T, cmdString string) string {
return string(_got) return string(_got)
} }
func testClient(t *testing.T) *ssh.Client { func testClient(t *testing.T, forceV1Behavior bool) *ssh.Client {
t.Helper() t.Helper()
username := "testuser" username := "testuser"
srv := &server{ srv := &server{
lb: &testBackend{localUser: username}, lb: &testBackend{localUser: username, forceV1Behavior: forceV1Behavior},
logf: log.Printf, logf: log.Printf,
tailscaledPath: os.Getenv("TAILSCALED_PATH"), tailscaledPath: os.Getenv("TAILSCALED_PATH"),
timeNow: time.Now, timeNow: time.Now,
@ -271,8 +409,8 @@ func testClient(t *testing.T) *ssh.Client {
return cl return cl
} }
func testSession(t *testing.T) *session { func testSession(t *testing.T, forceV1Behavior bool) *session {
cl := testClient(t) cl := testClient(t, forceV1Behavior)
return testSessionFor(t, cl) return testSessionFor(t, cl)
} }
@ -300,6 +438,7 @@ func testSessionFor(t *testing.T, cl *ssh.Client) *session {
// testBackend implements ipnLocalBackend // testBackend implements ipnLocalBackend
type testBackend struct { type testBackend struct {
localUser string localUser string
forceV1Behavior bool
} }
func (tb *testBackend) GetSSH_HostKeys() ([]gossh.Signer, error) { func (tb *testBackend) GetSSH_HostKeys() ([]gossh.Signer, error) {
@ -339,16 +478,21 @@ func (tb *testBackend) ShouldRunSSH() bool {
} }
func (tb *testBackend) NetMap() *netmap.NetworkMap { func (tb *testBackend) NetMap() *netmap.NetworkMap {
capMap := make(set.Set[tailcfg.NodeCapability])
if tb.forceV1Behavior {
capMap[tailcfg.NodeAttrSSHBehaviorV1] = struct{}{}
}
return &netmap.NetworkMap{ return &netmap.NetworkMap{
SSHPolicy: &tailcfg.SSHPolicy{ SSHPolicy: &tailcfg.SSHPolicy{
Rules: []*tailcfg.SSHRule{ Rules: []*tailcfg.SSHRule{
&tailcfg.SSHRule{ {
Principals: []*tailcfg.SSHPrincipal{{Any: true}}, Principals: []*tailcfg.SSHPrincipal{{Any: true}},
Action: &tailcfg.SSHAction{Accept: true}, Action: &tailcfg.SSHAction{Accept: true},
SSHUsers: map[string]string{"*": tb.localUser}, SSHUsers: map[string]string{"*": tb.localUser},
}, },
}, },
}, },
AllCaps: capMap,
} }
} }

View File

@ -1,18 +1,51 @@
ARG BASE ARG BASE
FROM ${BASE} FROM ${BASE}
RUN echo "Install openssh, needed for scp."
RUN apt-get update -y && apt-get install -y openssh-client
RUN groupadd -g 10000 groupone RUN groupadd -g 10000 groupone
RUN groupadd -g 10001 grouptwo RUN groupadd -g 10001 grouptwo
RUN useradd -g 10000 -G 10001 -u 10002 -m testuser # Note - we do not create the user's home directory, pam_mkhomedir will do that
COPY . . # for us, and we want to test that PAM gets triggered by Tailscale SSH.
RUN useradd -g 10000 -G 10001 -u 10002 testuser
# First run tests normally. RUN echo "Set up pam_mkhomedir."
RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.run TestIntegration RUN sed -i -e 's/Default: no/Default: yes/g' /usr/share/pam-configs/mkhomedir || echo "might not be ubuntu"
RUN cat /usr/share/pam-configs/mkhomedir
RUN pam-auth-update --enable mkhomedir
# Then remove the login command and make sure tests still pass. COPY tailscaled .
RUN rm `which login` COPY tailssh.test .
RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.run TestIntegration
# Then run tests as non-root user testuser. RUN chmod 755 tailscaled
RUN echo "First run tests normally."
RUN rm -Rf /home/testuser
RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSFTP
RUN rm -Rf /home/testuser
RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSCP
RUN rm -Rf /home/testuser
RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSSH
RUN echo "Then run tests as non-root user testuser and make sure tests still pass."
RUN chown testuser:groupone /tmp/tailscalessh.log RUN chown testuser:groupone /tmp/tailscalessh.log
RUN TAILSCALED_PATH=`pwd`tailscaled su -m testuser -c "./tailssh.test -test.run TestIntegration" RUN TAILSCALED_PATH=`pwd`tailscaled su -m testuser -c "./tailssh.test -test.v -test.run TestIntegration TestDoDropPrivileges"
RUN echo "Then remove the login command and make sure tests still pass."
RUN chown root:root /tmp/tailscalessh.log
RUN rm `which login`
RUN rm -Rf /home/testuser
RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSFTP
RUN rm -Rf /home/testuser
RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSCP
RUN rm -Rf /home/testuser
RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSSH
RUN echo "Then remove the su command and make sure tests still pass."
RUN chown root:root /tmp/tailscalessh.log
RUN rm `which su`
RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegration
RUN echo "Test doDropPrivileges"
RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestDoDropPrivileges

View File

@ -136,7 +136,8 @@
// - 93: 2024-05-06: added support for stateful firewalling. // - 93: 2024-05-06: added support for stateful firewalling.
// - 94: 2024-05-06: Client understands Node.IsJailed. // - 94: 2024-05-06: Client understands Node.IsJailed.
// - 95: 2024-05-06: Client uses NodeAttrUserDialUseRoutes to change DNS dialing behavior. // - 95: 2024-05-06: Client uses NodeAttrUserDialUseRoutes to change DNS dialing behavior.
const CurrentCapabilityVersion CapabilityVersion = 95 // - 96: 2024-05-29: Client understands NodeAttrSSHBehaviorV1
const CurrentCapabilityVersion CapabilityVersion = 96
type StableID string type StableID string
@ -2274,6 +2275,10 @@ type Oauth2Token struct {
// depending on the destination address and the configured routes. When present, it also makes // depending on the destination address and the configured routes. When present, it also makes
// the DNS forwarder use UserDial instead of SystemDial when dialing resolvers. // the DNS forwarder use UserDial instead of SystemDial when dialing resolvers.
NodeAttrUserDialUseRoutes NodeCapability = "user-dial-routes" NodeAttrUserDialUseRoutes NodeCapability = "user-dial-routes"
// NodeAttrSSHBehaviorV1 forces SSH to use the V1 behavior (no su, run SFTP in-process)
// Added 2024-05-29 in Tailscale version 1.68.
NodeAttrSSHBehaviorV1 NodeCapability = "ssh-behavior-v1"
) )
// SetDNSRequest is a request to add a DNS record. // SetDNSRequest is a request to add a DNS record.