mirror of
https://github.com/tailscale/tailscale.git
synced 2025-01-05 23:07:44 +00:00
ssh/tailssh: support LDAP users for Tailscale SSH
Fixes #4945 Change-Id: Ie013cb47684cb87928a44f92c66352310bfe53f1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
parent
e8b06b2232
commit
58ab66ec51
@ -688,18 +688,14 @@ func (ss *sshSession) startWithStdPipes() (err error) {
|
||||
return nil
|
||||
}
|
||||
|
||||
func loginShell(u *user.User) string {
|
||||
func loginShell(u *userMeta) string {
|
||||
if u.LoginShell != "" {
|
||||
// This field should be populated on Linux, at least, because
|
||||
// func userLookup on Linux uses "getent" to look up the user
|
||||
// and that populates it.
|
||||
return u.LoginShell
|
||||
}
|
||||
switch runtime.GOOS {
|
||||
case "linux":
|
||||
if distro.Get() == distro.Gokrazy {
|
||||
return "/tmp/serial-busybox/ash"
|
||||
}
|
||||
out, _ := exec.Command("getent", "passwd", u.Uid).Output()
|
||||
// out is "root:x:0:0:root:/root:/bin/bash"
|
||||
f := strings.SplitN(string(out), ":", 10)
|
||||
if len(f) > 6 {
|
||||
return strings.TrimSpace(f[6]) // shell
|
||||
}
|
||||
case "darwin":
|
||||
// Note: /Users/username is key, and not the same as u.HomeDir.
|
||||
out, _ := exec.Command("dscl", ".", "-read", filepath.Join("/Users", u.Username), "UserShell").Output()
|
||||
@ -715,12 +711,12 @@ func loginShell(u *user.User) string {
|
||||
return "/bin/sh"
|
||||
}
|
||||
|
||||
func envForUser(u *user.User) []string {
|
||||
func envForUser(u *userMeta) []string {
|
||||
return []string{
|
||||
fmt.Sprintf("SHELL=" + loginShell(u)),
|
||||
fmt.Sprintf("USER=" + u.Username),
|
||||
fmt.Sprintf("HOME=" + u.HomeDir),
|
||||
fmt.Sprintf("PATH=" + defaultPathForUser(u)),
|
||||
fmt.Sprintf("PATH=" + defaultPathForUser(&u.User)),
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -22,7 +22,6 @@
|
||||
"net/url"
|
||||
"os"
|
||||
"os/exec"
|
||||
"os/user"
|
||||
"path/filepath"
|
||||
"runtime"
|
||||
"strconv"
|
||||
@ -45,7 +44,6 @@
|
||||
"tailscale.com/util/clientmetric"
|
||||
"tailscale.com/util/mak"
|
||||
"tailscale.com/util/multierr"
|
||||
"tailscale.com/version/distro"
|
||||
)
|
||||
|
||||
var (
|
||||
@ -222,7 +220,7 @@ type conn struct {
|
||||
finalActionErr error // set by doPolicyAuth or resolveNextAction
|
||||
|
||||
info *sshConnInfo // set by setInfo
|
||||
localUser *user.User // set by doPolicyAuth
|
||||
localUser *userMeta // set by doPolicyAuth
|
||||
userGroupIDs []string // set by doPolicyAuth
|
||||
pubKey gossh.PublicKey // set by doPolicyAuth
|
||||
|
||||
@ -379,16 +377,7 @@ func (c *conn) doPolicyAuth(ctx ssh.Context, pubKey ssh.PublicKey) error {
|
||||
if a.Accept {
|
||||
c.finalAction = a
|
||||
}
|
||||
if runtime.GOOS == "linux" && distro.Get() == distro.Gokrazy {
|
||||
// Gokrazy is a single-user appliance with ~no userspace.
|
||||
// There aren't users to look up (no /etc/passwd, etc)
|
||||
// so rather than fail below, just hardcode root.
|
||||
// TODO(bradfitz): fix os/user upstream instead?
|
||||
c.userGroupIDs = []string{"0"}
|
||||
c.localUser = &user.User{Uid: "0", Gid: "0", Username: "root"}
|
||||
return nil
|
||||
}
|
||||
lu, err := user.Lookup(localUser)
|
||||
lu, err := userLookup(localUser)
|
||||
if err != nil {
|
||||
c.logf("failed to look up %v: %v", localUser, err)
|
||||
ctx.SendAuthBanner(fmt.Sprintf("failed to look up %v\r\n", localUser))
|
||||
@ -970,7 +959,7 @@ func (c *conn) detachSession(ss *sshSession) {
|
||||
// handleSSHAgentForwarding starts a Unix socket listener and in the background
|
||||
// forwards agent connections between the listener and the ssh.Session.
|
||||
// On success, it assigns ss.agentListener.
|
||||
func (ss *sshSession) handleSSHAgentForwarding(s ssh.Session, lu *user.User) error {
|
||||
func (ss *sshSession) handleSSHAgentForwarding(s ssh.Session, lu *userMeta) error {
|
||||
if !ssh.AgentRequested(ss) || !ss.conn.finalAction.AllowAgentForwarding {
|
||||
return nil
|
||||
}
|
||||
|
@ -851,7 +851,11 @@ func TestSSH(t *testing.T) {
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
sc.localUser = u
|
||||
um, err := userLookup(u.Uid)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
sc.localUser = um
|
||||
sc.info = &sshConnInfo{
|
||||
sshUser: "test",
|
||||
src: netip.MustParseAddrPort("1.2.3.4:32342"),
|
||||
@ -1135,3 +1139,10 @@ func TestPathFromPAMEnvLineOnNixOS(t *testing.T) {
|
||||
}
|
||||
t.Logf("success; got=%q", got)
|
||||
}
|
||||
|
||||
func TestStdOsUserUserAssumptions(t *testing.T) {
|
||||
v := reflect.TypeOf(user.User{})
|
||||
if got, want := v.NumField(), 5; got != want {
|
||||
t.Errorf("os/user.User has %v fields; this package assumes %v", got, want)
|
||||
}
|
||||
}
|
||||
|
116
ssh/tailssh/user.go
Normal file
116
ssh/tailssh/user.go
Normal file
@ -0,0 +1,116 @@
|
||||
// Copyright (c) Tailscale Inc & AUTHORS
|
||||
// SPDX-License-Identifier: BSD-3-Clause
|
||||
|
||||
//go:build linux || (darwin && !ios) || freebsd || openbsd
|
||||
|
||||
package tailssh
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"log"
|
||||
"os/exec"
|
||||
"os/user"
|
||||
"runtime"
|
||||
"strings"
|
||||
"time"
|
||||
"unicode/utf8"
|
||||
|
||||
"tailscale.com/version/distro"
|
||||
)
|
||||
|
||||
// userMeta is a wrapper around *user.User with extra fields.
|
||||
type userMeta struct {
|
||||
user.User
|
||||
|
||||
// LoginShell is the user's login shell.
|
||||
LoginShell string
|
||||
}
|
||||
|
||||
// GroupIds returns the list of group IDs that the user is a member of.
|
||||
func (u *userMeta) GroupIds() ([]string, error) {
|
||||
if runtime.GOOS == "linux" && distro.Get() == distro.Gokrazy {
|
||||
// Gokrazy is a single-user appliance with ~no userspace.
|
||||
// There aren't users to look up (no /etc/passwd, etc)
|
||||
// so rather than fail below, just hardcode root.
|
||||
// TODO(bradfitz): fix os/user upstream instead?
|
||||
return []string{"0"}, nil
|
||||
}
|
||||
return u.User.GroupIds()
|
||||
}
|
||||
|
||||
// userLookup is like os/user.LookupId but it returns a *userMeta wrapper
|
||||
// around a *user.User with extra fields.
|
||||
func userLookup(uid string) (*userMeta, error) {
|
||||
if runtime.GOOS != "linux" {
|
||||
return userLookupStd(uid)
|
||||
}
|
||||
|
||||
// No getent on Gokrazy. So hard-code the login shell.
|
||||
if distro.Get() == distro.Gokrazy {
|
||||
um, err := userLookupStd(uid)
|
||||
if err == nil {
|
||||
um.LoginShell = "/tmp/serial-busybox/ash"
|
||||
}
|
||||
return um, err
|
||||
}
|
||||
|
||||
// On Linux, default to using "getent" to look up users so that
|
||||
// even with static tailscaled binaries without cgo (as we distribute),
|
||||
// we can still look up PAM/NSS users which the standard library's
|
||||
// os/user without cgo won't get (because of no libc hooks).
|
||||
// But if "getent" fails, userLookupGetent falls back to the standard
|
||||
// library anyway.
|
||||
return userLookupGetent(uid)
|
||||
}
|
||||
|
||||
func validUsername(uid string) bool {
|
||||
if len(uid) > 32 || len(uid) == 0 {
|
||||
return false
|
||||
}
|
||||
for _, r := range uid {
|
||||
if r < ' ' || r == 0x7f || r == utf8.RuneError { // TODO(bradfitz): more?
|
||||
return false
|
||||
}
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
func userLookupGetent(uid string) (*userMeta, error) {
|
||||
// Do some basic validation before passing this string to "getent", even though
|
||||
// getent should do its own validation.
|
||||
if !validUsername(uid) {
|
||||
return nil, errors.New("invalid username")
|
||||
}
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
|
||||
defer cancel()
|
||||
out, err := exec.CommandContext(ctx, "getent", "passwd", uid).Output()
|
||||
if err != nil {
|
||||
log.Printf("error calling getent for user %q: %v", uid, err)
|
||||
return userLookupStd(uid)
|
||||
}
|
||||
// output is "alice:x:1001:1001:Alice Smith,,,:/home/alice:/bin/bash"
|
||||
f := strings.SplitN(strings.TrimSpace(string(out)), ":", 10)
|
||||
for len(f) < 7 {
|
||||
f = append(f, "")
|
||||
}
|
||||
um := &userMeta{
|
||||
User: user.User{
|
||||
Username: f[0],
|
||||
Uid: f[2],
|
||||
Gid: f[3],
|
||||
Name: f[4],
|
||||
HomeDir: f[5],
|
||||
},
|
||||
LoginShell: f[6],
|
||||
}
|
||||
return um, nil
|
||||
}
|
||||
|
||||
func userLookupStd(uid string) (*userMeta, error) {
|
||||
u, err := user.LookupId(uid)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &userMeta{User: *u}, nil
|
||||
}
|
Loading…
x
Reference in New Issue
Block a user