ssh/tailssh: add envknobs to force override forwarding, sftp, pty

Updates tailscale/corp#15735 Change-Id: Ib1303406be925c3231ce7e0950a173ad12626492 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-02-27 10:47:35 +00:00 · 2023-11-09 13:14:00 -08:00 · 2023-11-09 13:14:00 -08:00 · 53c4adc982
commit 53c4adc982
parent ffabe5fe21
2 changed files with 27 additions and 1 deletions
--- a/ssh/tailssh/incubator.go
+++ b/ssh/tailssh/incubator.go
@ -465,6 +465,12 @@ func (ss *sshSession) launchProcess() error {
 		ss.logf("starting non-pty command: %+v", cmd.Args)
 		return ss.startWithStdPipes()
 	}
 	if sshDisablePTY() {
 		ss.logf("pty support disabled by envknob")
 		return errors.New("pty support disabled by envknob")
 	}
 	ss.ptyReq = &ptyReq
 	pty, tty, err := ss.startWithPTY()
 	if err != nil {
--- a/ssh/tailssh/tailssh.go
+++ b/ssh/tailssh/tailssh.go
@ -50,6 +50,9 @@ import (
 var (
 	sshVerboseLogging    = envknob.RegisterBool("TS_DEBUG_SSH_VLOG")
 	sshDisableSFTP       = envknob.RegisterBool("TS_SSH_DISABLE_SFTP")
 	sshDisableForwarding = envknob.RegisterBool("TS_SSH_DISABLE_FORWARDING")
 	sshDisablePTY        = envknob.RegisterBool("TS_SSH_DISABLE_PTY")
 )
 const (
@ -473,6 +476,9 @@ func (srv *server) newConn() (*conn, error) {
 // to the specified host and port.
 // TODO(bradfitz/maisem): should we have more checks on host/port?
 func (c *conn) mayReversePortForwardTo(ctx ssh.Context, destinationHost string, destinationPort uint32) bool {
 	if sshDisableForwarding() {
 		return false
 	}
 	if c.finalAction != nil && c.finalAction.AllowRemotePortForwarding {
 		metricRemotePortForward.Add(1)
 		return true
@ -484,6 +490,9 @@ func (c *conn) mayReversePortForwardTo(ctx ssh.Context, destinationHost string,
 // to the specified host and port.
 // TODO(bradfitz/maisem): should we have more checks on host/port?
 func (c *conn) mayForwardLocalPortTo(ctx ssh.Context, destinationHost string, destinationPort uint32) bool {
 	if sshDisableForwarding() {
 		return false
 	}
 	if c.finalAction != nil && c.finalAction.AllowLocalPortForwarding {
 		metricLocalPortForward.Add(1)
 		return true
@ -713,6 +722,11 @@ func (c *conn) handleSessionPostSSHAuth(s ssh.Session) {
 	// Do this check after auth, but before starting the session.
 	switch s.Subsystem() {
 	case "sftp":
 		if sshDisableSFTP() {
 			fmt.Fprintf(s.Stderr(), "sftp disabled\r\n")
 			s.Exit(1)
 			return
 		}
 		metricSFTP.Add(1)
 	case "":
 		// Regular SSH session.
@ -988,6 +1002,12 @@ func (ss *sshSession) handleSSHAgentForwarding(s ssh.Session, lu *userMeta) erro
 	if !ssh.AgentRequested(ss) || !ss.conn.finalAction.AllowAgentForwarding {
 		return nil
 	}
 	if sshDisableForwarding() {
 		// TODO(bradfitz): or do we want to return an error here instead so the user
 		// gets an error if they ran with ssh -A? But for now we just silently
 		// don't work, like the condition above.
 		return nil
 	}
 	ss.logf("ssh: agent forwarding requested")
 	ln, err := ssh.NewAgentListener()
 	if err != nil {