ipn/ipnlocal: reject tailscale up --ssh if disabled on tailnet

Updates #3802

Change-Id: I3f1e839391fe9b28270f506f4bb8d8e3d36716f5
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
Brad Fitzpatrick 2022-04-20 11:22:54 -07:00 committed by Brad Fitzpatrick
parent 0ce67ccda6
commit 8b81254992
3 changed files with 12 additions and 2 deletions


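--- a/PATH-NOT-ON-PAGE(envknob package file)
+++ b/PATH-NOT-ON-PAGE(envknob package file)
@@ -149,3 +149,9 @@ func UseWIPCode() bool { return Bool("TAILSCALE_USE_WIP_CODE") }
 // if already enabled and any attempt to re-enable it will result in
 // an error.
 func CanSSHD() bool { return !Bool("TS_DISABLE_SSH_SERVER") }
+// SSHPolicyFile returns the path, if any, to the SSHPolicy JSON file for development.
+func SSHPolicyFile() string { return String("TS_DEBUG_SSH_POLICY_FILE") }
+// SSHIgnoreTailnetPolicy is whether to ignore the Tailnet SSH policy for development.
+func SSHIgnoreTailnetPolicy() bool { return Bool("TS_DEBUG_SSH_IGNORE_TAILNET_POLICY") }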
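Review bot: The doc comments on the two added accessors say the knobs are "for development" but not what they change, and from the ipnlocal hunk in this commit a non-empty SSHPolicyFile or a true SSHIgnoreTailnetPolicy lets `tailscale up --ssh` succeed even when the netmap carries no SSHPolicy. Since both bypass a tailnet-level control, the comment should say so, e.g. `// SSHIgnoreTailnetPolicy is whether to ignore the Tailnet SSH policy for development. When set, the local SSH server can be enabled even if the tailnet has not enabled SSH.` A matching sentence on SSHPolicyFile would make the pair self-explanatory without reading the caller. The hunk header also shows six additions while only four lines are visible here, so the rendering appears to have dropped blank separator lines.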


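--- a/ipn/ipnlocal/FILE-NOT-ON-PAGE
+++ b/ipn/ipnlocal/FILE-NOT-ON-PAGE
@@ -1808,6 +1808,10 @@ func (b *LocalBackend) checkPrefsLocked(p *ipn.Prefs) error {
 if !canSSH {
 return errors.New("The Tailscale SSH server has been administratively disabled.")
 }
+if b.netMap != nil && b.netMap.SSHPolicy == nil &&
+envknob.SSHPolicyFile() == "" && !envknob.SSHIgnoreTailnetPolicy() {
+return errors.New("Unable to enable local Tailscale SSH server; not enabled/configured on Tailnet.")
+}
 }
 return nil
 }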
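Review bot: The new tailnet-policy gate on the first added line is skipped entirely when `b.netMap` is nil, so a `--ssh` request made before the first netmap arrives passes this check, and nothing in the hunk records whether that is intended or whether the prefs are re-validated once a netmap with a nil SSHPolicy shows up. A short comment would capture the decision, e.g. `// No netmap yet: the tailnet's SSH policy is unknown, so this check is deferred rather than failing closed.` — please confirm against the caller whether a later netmap re-runs this path. The check also relies on `SSHPolicy == nil` as the sole signal that SSH is not enabled on the tailnet; if control can omit the policy for other reasons, this error would be misleading, so a comment stating that assumption would help. checkPrefsLocked starts before this hunk.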


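--- a/PATH-NOT-ON-PAGE(ssh server package file)
+++ b/PATH-NOT-ON-PAGE(ssh server package file)
@@ -43,8 +43,8 @@
 )
 var (
-debugPolicyFile = envknob.String("TS_DEBUG_SSH_POLICY_FILE")
-debugIgnoreTailnetSSHPolicy = envknob.Bool("TS_DEBUG_SSH_IGNORE_TAILNET_POLICY")
+debugPolicyFile = envknob.SSHPolicyFile()
+debugIgnoreTailnetSSHPolicy = envknob.SSHIgnoreTailnetPolicy()
 sshVerboseLogging = envknob.Bool("TS_DEBUG_SSH_VLOG")
 )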