ssh/tailssh: try out new AuthBanner API

Uses https://go-review.googlesource.com/c/crypto/+/613856 DO NOT MERGE Change-Id: I0083fe34015e2ba39374ee58deae68c112b24750 Signed-off-by: Percy Wegmann <percy@tailscale.com>
2025-12-26 20:38:40 +00:00 · 2024-11-01 08:48:09 -05:00
parent 49de23cf1b
commit 487470ea47
26 changed files with 176 additions and 124 deletions
--- a/ssh/tailssh/tailssh.go
+++ b/ssh/tailssh/tailssh.go
@@ -30,7 +30,7 @@ import (
 	"syscall"
 	"time"

-	gossh "github.com/tailscale/golang-x-crypto/ssh"
+	gossh "golang.org/x/crypto/ssh"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnlocal"
 	"tailscale.com/logtail/backoff"
@@ -45,7 +45,6 @@ import (
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/httpm"
 	"tailscale.com/util/mak"
-	"tailscale.com/util/slicesx"
 )

 var (
@@ -295,7 +294,7 @@ var errDenied = errors.New("ssh: access denied")

 // errPubKeyRequired is returned by NoClientAuthCallback to make the client
 // resort to public-key auth; not user visible.
-var errPubKeyRequired = errors.New("ssh publickey required")
+// var errPubKeyRequired = errors.New("ssh publickey required")

 // NoClientAuthCallback implements gossh.NoClientAuthCallback and is called by
 // the ssh.Server when the client first connects with the "none"
@@ -323,24 +322,27 @@ func (c *conn) NoClientAuthCallback(ctx ssh.Context) error {
 	// "none" auth.
 	if strings.HasSuffix(ctx.User(), forcePasswordSuffix) {
 		c.anyPasswordIsOkay = true
-		return errors.New("any password please") // not shown to users
+		return &ssh.PartialSuccessError{
+			Context:         ctx,
+			PasswordHandler: c.fakePasswordHandler,
+		}
 	}
 	return nil
 }

-func (c *conn) nextAuthMethodCallback(cm gossh.ConnMetadata, prevErrors []error) (nextMethod []string) {
-	switch {
-	case c.anyPasswordIsOkay:
-		nextMethod = append(nextMethod, "password")
-	case slicesx.LastEqual(prevErrors, errPubKeyRequired):
-		nextMethod = append(nextMethod, "publickey")
-	}
+// func (c *conn) nextAuthMethodCallback(cm gossh.ConnMetadata, prevErrors []error) (nextMethod []string) {
+// 	switch {
+// 	case c.anyPasswordIsOkay:
+// 		nextMethod = append(nextMethod, "password")
+// 	case slicesx.LastEqual(prevErrors, errPubKeyRequired):
+// 		nextMethod = append(nextMethod, "publickey")
+// 	}

-	// The fake "tailscale" method is always appended to next so OpenSSH renders
-	// that in parens as the final failure. (It also shows up in "ssh -v", etc)
-	nextMethod = append(nextMethod, "tailscale")
-	return
-}
+// 	// The fake "tailscale" method is always appended to next so OpenSSH renders
+// 	// that in parens as the final failure. (It also shows up in "ssh -v", etc)
+// 	nextMethod = append(nextMethod, "tailscale")
+// 	return
+// }

 // fakePasswordHandler is our implementation of the PasswordHandler hook that
 // checks whether the user's password is correct. But we don't actually use
@@ -381,7 +383,10 @@ func (c *conn) doPolicyAuth(ctx ssh.Context, pubKey ssh.PublicKey) error {
 	a, localUser, acceptEnv, err := c.evaluatePolicy(pubKey)
 	if err != nil {
 		if pubKey == nil && c.havePubKeyPolicy() {
-			return errPubKeyRequired
+			return &ssh.PartialSuccessError{
+				Context:          ctx,
+				PublicKeyHandler: c.PublicKeyHandler,
+			}
 		}
 		return fmt.Errorf("%w: %v", errDenied, err)
 	}
@@ -424,8 +429,7 @@ func (c *conn) doPolicyAuth(ctx ssh.Context, pubKey ssh.PublicKey) error {
 // ServerConfig implements ssh.ServerConfigCallback.
 func (c *conn) ServerConfig(ctx ssh.Context) *gossh.ServerConfig {
 	return &gossh.ServerConfig{
-		NoClientAuth:           true, // required for the NoClientAuthCallback to run
-		NextAuthMethodCallback: c.nextAuthMethodCallback,
+		NoClientAuth: true, // required for the NoClientAuthCallback to run
 	}
 }

@@ -449,7 +453,7 @@ func (srv *server) newConn() (*conn, error) {

 		NoClientAuthHandler: c.NoClientAuthCallback,
 		PublicKeyHandler:    c.PublicKeyHandler,
-		PasswordHandler:     c.fakePasswordHandler,
+		// PasswordHandler:     c.fakePasswordHandler,

 		Handler:                       c.handleSessionPostSSHAuth,
 		LocalPortForwardingCallback:   c.mayForwardLocalPortTo,
--- a/ssh/tailssh/tailssh_integration_test.go
+++ b/ssh/tailssh/tailssh_integration_test.go
@@ -32,8 +32,8 @@ import (
 	"github.com/bramvdbogaerde/go-scp"
 	"github.com/google/go-cmp/cmp"
 	"github.com/pkg/sftp"
-	gossh "github.com/tailscale/golang-x-crypto/ssh"
 	"golang.org/x/crypto/ssh"
+	gossh "golang.org/x/crypto/ssh"
 	"golang.org/x/crypto/ssh/agent"
 	"tailscale.com/net/tsdial"
 	"tailscale.com/tailcfg"
--- a/ssh/tailssh/tailssh_test.go
+++ b/ssh/tailssh/tailssh_test.go
@@ -32,7 +32,7 @@ import (
 	"testing"
 	"time"

-	gossh "github.com/tailscale/golang-x-crypto/ssh"
+	gossh "golang.org/x/crypto/ssh"
 	"tailscale.com/ipn/ipnlocal"
 	"tailscale.com/ipn/store/mem"
 	"tailscale.com/net/memnet"