TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-02-16 18:08:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

tailcfg: add field to allow LocalPortForwarding in SSHAction

Browse Source 
Updates #3802, #4129

Signed-off-by: Maisem Ali <maisem@tailscale.com>
This commit is contained in:
Maisem Ali 2022-03-14 13:23:17 -07:00 committed by Maisem Ali
parent 98b45ef12c
commit 45a7f6689c
2 changed files with 16 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
ssh/tailssh/tailssh.go
View File

@ -71,7 +71,7 @@ func (srv *server) newSSHServer() (*ssh.Server, error) {
"direct-tcpip": ssh.DirectTCPIPHandler,
},
Version: "SSH-2.0-Tailscale",
LocalPortForwardingCallback: srv.portForward,
LocalPortForwardingCallback: srv.mayForwardLocalPortTo,
}
for k, v := range ssh.DefaultRequestHandlers {
ss.RequestHandlers[k] = v
@ -105,11 +105,15 @@ type server struct {
var debugPolicyFile = envknob.String("TS_DEBUG_SSH_POLICY_FILE")
// portForward reports whether the ctx should be allowed to port forward
// mayForwardLocalPortTo reports whether the ctx should be allowed to port forward
// to the specified host and port.
// TODO(bradfitz/maisem): should we have more checks on host/port?
func (srv *server) portForward(ctx ssh.Context, destinationHost string, destinationPort uint32) bool {
return srv.isActiveSession(ctx)
func (srv *server) mayForwardLocalPortTo(ctx ssh.Context, destinationHost string, destinationPort uint32) bool {
ss, ok := srv.getSessionForContext(ctx)
if !ok {
return false
}
return ss.action.AllowLocalPortForwarding
}
// sshPolicy returns the SSHPolicy for current node.
@ -343,13 +347,12 @@ func (ss *sshSession) killProcessOnContextDone() {
})
}
// isActiveSession reports whether the ssh.Context corresponds
// to an active session.
func (srv *server) isActiveSession(sctx ssh.Context) bool {
// sessionAction returns the SSHAction associated with the session.
func (srv *server) getSessionForContext(sctx ssh.Context) (ss *sshSession, ok bool) {
srv.mu.Lock()
defer srv.mu.Unlock()
_, ok := srv.activeSessionByH[sctx.SessionID()]
return ok
ss, ok = srv.activeSessionByH[sctx.SessionID()]
return
}
// startSession registers ss as an active session.

4
tailcfg/tailcfg.go
View File

@ -1628,6 +1628,10 @@ type SSHAction struct {
// response, it should be re-fetched as long as the SSH
// session is open.
HoldAndDelegate string `json:"holdAndDelegate,omitempty"`
// AllowLocalPortForwarding, if true, allows accepted connections
// to use local port forwarding if requested.
AllowLocalPortForwarding bool `json:"allowLocalPortForwarding,omitempty"`
}
// OverTLSPublicKeyResponse is the JSON response to /key?v=<n>