mirror of
https://github.com/tailscale/tailscale.git
synced 2025-01-07 16:17:41 +00:00
ssh/tailssh: stream SSH recordings to configured recorders
Updates tailscale/corp#9967 Signed-off-by: Maisem Ali <maisem@tailscale.com>
This commit is contained in:
parent
60cd4ac08d
commit
916aa782af
@ -62,7 +62,6 @@ type ipnLocalBackend interface {
|
|||||||
NetMap() *netmap.NetworkMap
|
NetMap() *netmap.NetworkMap
|
||||||
WhoIs(ipp netip.AddrPort) (n *tailcfg.Node, u tailcfg.UserProfile, ok bool)
|
WhoIs(ipp netip.AddrPort) (n *tailcfg.Node, u tailcfg.UserProfile, ok bool)
|
||||||
DoNoiseRequest(req *http.Request) (*http.Response, error)
|
DoNoiseRequest(req *http.Request) (*http.Response, error)
|
||||||
TailscaleVarRoot() string
|
|
||||||
}
|
}
|
||||||
|
|
||||||
type server struct {
|
type server struct {
|
||||||
@ -987,12 +986,6 @@ func (ss *sshSession) handleSSHAgentForwarding(s ssh.Session, lu *user.User) err
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// recordSSH is a temporary dev knob to test the SSH recording
|
|
||||||
// functionality and support off-node streaming.
|
|
||||||
//
|
|
||||||
// TODO(bradfitz,maisem): move this to SSHPolicy.
|
|
||||||
var recordSSH = envknob.RegisterBool("TS_DEBUG_LOG_SSH")
|
|
||||||
|
|
||||||
// run is the entrypoint for a newly accepted SSH session.
|
// run is the entrypoint for a newly accepted SSH session.
|
||||||
//
|
//
|
||||||
// It handles ss once it's been accepted and determined
|
// It handles ss once it's been accepted and determined
|
||||||
@ -1127,10 +1120,9 @@ func (ss *sshSession) run() {
|
|||||||
|
|
||||||
func (ss *sshSession) shouldRecord() bool {
|
func (ss *sshSession) shouldRecord() bool {
|
||||||
// for now only record pty sessions
|
// for now only record pty sessions
|
||||||
// TODO(bradfitz,maisem): make configurable on SSHPolicy and
|
// TODO(bradfitz,maisem): support recording non-pty stuff too.
|
||||||
// support recording non-pty stuff too.
|
|
||||||
_, _, isPtyReq := ss.Pty()
|
_, _, isPtyReq := ss.Pty()
|
||||||
return recordSSH() && isPtyReq
|
return isPtyReq && len(ss.conn.finalAction.Recorders) > 0
|
||||||
}
|
}
|
||||||
|
|
||||||
type sshConnInfo struct {
|
type sshConnInfo struct {
|
||||||
@ -1313,10 +1305,15 @@ func randBytes(n int) []byte {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// startNewRecording starts a new SSH session recording.
|
// startNewRecording starts a new SSH session recording.
|
||||||
//
|
|
||||||
// It writes an asciinema file to
|
|
||||||
// $TAILSCALE_VAR_ROOT/ssh-sessions/ssh-session-<unixtime>-*.cast.
|
|
||||||
func (ss *sshSession) startNewRecording() (_ *recording, err error) {
|
func (ss *sshSession) startNewRecording() (_ *recording, err error) {
|
||||||
|
if len(ss.conn.finalAction.Recorders) == 0 {
|
||||||
|
return nil, errors.New("no recorders configured")
|
||||||
|
}
|
||||||
|
recorder := ss.conn.finalAction.Recorders[0]
|
||||||
|
if len(ss.conn.finalAction.Recorders) > 1 {
|
||||||
|
ss.logf("warning: multiple recorders configured, using first one: %v", recorder)
|
||||||
|
}
|
||||||
|
|
||||||
var w ssh.Window
|
var w ssh.Window
|
||||||
if ptyReq, _, isPtyReq := ss.Pty(); isPtyReq {
|
if ptyReq, _, isPtyReq := ss.Pty(); isPtyReq {
|
||||||
w = ptyReq.Window
|
w = ptyReq.Window
|
||||||
@ -1332,25 +1329,33 @@ func (ss *sshSession) startNewRecording() (_ *recording, err error) {
|
|||||||
ss: ss,
|
ss: ss,
|
||||||
start: now,
|
start: now,
|
||||||
}
|
}
|
||||||
varRoot := ss.conn.srv.lb.TailscaleVarRoot()
|
|
||||||
if varRoot == "" {
|
pr, pw := io.Pipe()
|
||||||
return nil, errors.New("no var root for recording storage")
|
req, err := http.NewRequestWithContext(ss.ctx, "POST", fmt.Sprintf("http://%s:%d/record", recorder.Addr(), recorder.Port()), pr)
|
||||||
}
|
if err != nil {
|
||||||
dir := filepath.Join(varRoot, "ssh-sessions")
|
pr.Close()
|
||||||
if err := os.MkdirAll(dir, 0700); err != nil {
|
pw.Close()
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
defer func() {
|
go func() {
|
||||||
|
defer pw.Close()
|
||||||
|
ss.logf("starting asciinema recording to %s", recorder)
|
||||||
|
|
||||||
|
// We just use the default client here, which has a 30s dial timeout.
|
||||||
|
resp, err := http.DefaultClient.Do(req)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
rec.Close()
|
ss.cancelCtx(err)
|
||||||
|
ss.logf("recording: error sending recording to %s: %v", recorder, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
defer ss.cancelCtx(errors.New("recording: done"))
|
||||||
|
if resp.StatusCode != http.StatusOK {
|
||||||
|
ss.logf("recording: error sending recording to %s: %v", recorder, resp.Status)
|
||||||
}
|
}
|
||||||
}()
|
}()
|
||||||
|
|
||||||
f, err := os.CreateTemp(dir, fmt.Sprintf("ssh-session-%v-*.cast", now.UnixNano()))
|
rec.out = pw
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
rec.out = f
|
|
||||||
|
|
||||||
// {"version": 2, "width": 221, "height": 84, "timestamp": 1647146075, "env": {"SHELL": "/bin/bash", "TERM": "screen"}}
|
// {"version": 2, "width": 221, "height": 84, "timestamp": 1647146075, "env": {"SHELL": "/bin/bash", "TERM": "screen"}}
|
||||||
type CastHeader struct {
|
type CastHeader struct {
|
||||||
@ -1359,6 +1364,12 @@ type CastHeader struct {
|
|||||||
Height int `json:"height"`
|
Height int `json:"height"`
|
||||||
Timestamp int64 `json:"timestamp"`
|
Timestamp int64 `json:"timestamp"`
|
||||||
Env map[string]string `json:"env"`
|
Env map[string]string `json:"env"`
|
||||||
|
|
||||||
|
// Tailscale-specific fields:
|
||||||
|
SrcNode string `json:"srcNode"` // name
|
||||||
|
SrcNodeID tailcfg.StableNodeID `json:"srcNodeID"`
|
||||||
|
SSHUser string `json:"sshUser"`
|
||||||
|
LocalUser string `json:"localUser"`
|
||||||
}
|
}
|
||||||
j, err := json.Marshal(CastHeader{
|
j, err := json.Marshal(CastHeader{
|
||||||
Version: 2,
|
Version: 2,
|
||||||
@ -1376,15 +1387,16 @@ type CastHeader struct {
|
|||||||
// it. Then we can (1) make the cmd, (2) start the
|
// it. Then we can (1) make the cmd, (2) start the
|
||||||
// recording, (3) start the process.
|
// recording, (3) start the process.
|
||||||
},
|
},
|
||||||
|
SSHUser: ss.conn.info.sshUser,
|
||||||
|
LocalUser: ss.conn.localUser.Username,
|
||||||
|
SrcNode: ss.conn.info.node.Name,
|
||||||
|
SrcNodeID: ss.conn.info.node.StableID,
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
f.Close()
|
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
ss.logf("starting asciinema recording to %s", f.Name())
|
|
||||||
j = append(j, '\n')
|
j = append(j, '\n')
|
||||||
if _, err := f.Write(j); err != nil {
|
if _, err := pw.Write(j); err != nil {
|
||||||
f.Close()
|
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
return rec, nil
|
return rec, nil
|
||||||
@ -1396,7 +1408,7 @@ type recording struct {
|
|||||||
start time.Time
|
start time.Time
|
||||||
|
|
||||||
mu sync.Mutex // guards writes to, close of out
|
mu sync.Mutex // guards writes to, close of out
|
||||||
out *os.File // nil if closed
|
out io.WriteCloser
|
||||||
}
|
}
|
||||||
|
|
||||||
func (r *recording) Close() error {
|
func (r *recording) Close() error {
|
||||||
@ -1415,10 +1427,17 @@ func (r *recording) Close() error {
|
|||||||
// The dir should be "i" for input or "o" for output.
|
// The dir should be "i" for input or "o" for output.
|
||||||
//
|
//
|
||||||
// If r is nil, it returns w unchanged.
|
// If r is nil, it returns w unchanged.
|
||||||
|
//
|
||||||
|
// Currently (2023-03-21) we only record output, not input.
|
||||||
func (r *recording) writer(dir string, w io.Writer) io.Writer {
|
func (r *recording) writer(dir string, w io.Writer) io.Writer {
|
||||||
if r == nil {
|
if r == nil {
|
||||||
return w
|
return w
|
||||||
}
|
}
|
||||||
|
if dir == "i" {
|
||||||
|
// TODO: record input? Maybe not, since it might contain
|
||||||
|
// passwords.
|
||||||
|
return w
|
||||||
|
}
|
||||||
return &loggingWriter{r, dir, w}
|
return &loggingWriter{r, dir, w}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
x
Reference in New Issue
Block a user