ssh/tailssh: add envknobs to force override forwarding, sftp, pty

Updates tailscale/corp#15735 Change-Id: Ib1303406be925c3231ce7e0950a173ad12626492 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-11-29 04:55:31 +00:00 · 2023-11-09 13:14:00 -08:00 · 2023-11-09 13:14:00 -08:00 · 53c4adc982
commit 53c4adc982
parent ffabe5fe21
2 changed files with 27 additions and 1 deletions
--- a/ssh/tailssh/incubator.go
+++ b/ssh/tailssh/incubator.go
@ -465,6 +465,12 @@ func (ss *sshSession) launchProcess() error {
 		ss.logf("starting non-pty command: %+v", cmd.Args)
 		return ss.startWithStdPipes()
 	}
+
+	if sshDisablePTY() {
+		ss.logf("pty support disabled by envknob")
+		return errors.New("pty support disabled by envknob")
+	}
+
 	ss.ptyReq = &ptyReq
 	pty, tty, err := ss.startWithPTY()
 	if err != nil {
--- a/ssh/tailssh/tailssh.go
+++ b/ssh/tailssh/tailssh.go
@ -49,7 +49,10 @@
 )

 var (
-	sshVerboseLogging = envknob.RegisterBool("TS_DEBUG_SSH_VLOG")
+	sshVerboseLogging    = envknob.RegisterBool("TS_DEBUG_SSH_VLOG")
+	sshDisableSFTP       = envknob.RegisterBool("TS_SSH_DISABLE_SFTP")
+	sshDisableForwarding = envknob.RegisterBool("TS_SSH_DISABLE_FORWARDING")
+	sshDisablePTY        = envknob.RegisterBool("TS_SSH_DISABLE_PTY")
 )

 const (
@ -473,6 +476,9 @@ func (srv *server) newConn() (*conn, error) {
 // to the specified host and port.
 // TODO(bradfitz/maisem): should we have more checks on host/port?
 func (c *conn) mayReversePortForwardTo(ctx ssh.Context, destinationHost string, destinationPort uint32) bool {
+	if sshDisableForwarding() {
+		return false
+	}
 	if c.finalAction != nil && c.finalAction.AllowRemotePortForwarding {
 		metricRemotePortForward.Add(1)
 		return true
@ -484,6 +490,9 @@ func (c *conn) mayReversePortForwardTo(ctx ssh.Context, destinationHost string,
 // to the specified host and port.
 // TODO(bradfitz/maisem): should we have more checks on host/port?
 func (c *conn) mayForwardLocalPortTo(ctx ssh.Context, destinationHost string, destinationPort uint32) bool {
+	if sshDisableForwarding() {
+		return false
+	}
 	if c.finalAction != nil && c.finalAction.AllowLocalPortForwarding {
 		metricLocalPortForward.Add(1)
 		return true
@ -713,6 +722,11 @@ func (c *conn) handleSessionPostSSHAuth(s ssh.Session) {
 	// Do this check after auth, but before starting the session.
 	switch s.Subsystem() {
 	case "sftp":
+		if sshDisableSFTP() {
+			fmt.Fprintf(s.Stderr(), "sftp disabled\r\n")
+			s.Exit(1)
+			return
+		}
 		metricSFTP.Add(1)
 	case "":
 		// Regular SSH session.
@ -988,6 +1002,12 @@ func (ss *sshSession) handleSSHAgentForwarding(s ssh.Session, lu *userMeta) erro
 	if !ssh.AgentRequested(ss) || !ss.conn.finalAction.AllowAgentForwarding {
 		return nil
 	}
+	if sshDisableForwarding() {
+		// TODO(bradfitz): or do we want to return an error here instead so the user
+		// gets an error if they ran with ssh -A? But for now we just silently
+		// don't work, like the condition above.
+		return nil
+	}
 	ss.logf("ssh: agent forwarding requested")
 	ln, err := ssh.NewAgentListener()
 	if err != nil {