ssh/tailssh: stream SSH recordings to configured recorders

Updates tailscale/corp#9967

Signed-off-by: Maisem Ali <maisem@tailscale.com>
This commit is contained in:
Maisem Ali 2023-03-21 14:05:16 -07:00 committed by Maisem Ali
parent 60cd4ac08d
commit 916aa782af

View File

@ -62,7 +62,6 @@ type ipnLocalBackend interface {
NetMap() *netmap.NetworkMap NetMap() *netmap.NetworkMap
WhoIs(ipp netip.AddrPort) (n *tailcfg.Node, u tailcfg.UserProfile, ok bool) WhoIs(ipp netip.AddrPort) (n *tailcfg.Node, u tailcfg.UserProfile, ok bool)
DoNoiseRequest(req *http.Request) (*http.Response, error) DoNoiseRequest(req *http.Request) (*http.Response, error)
TailscaleVarRoot() string
} }
type server struct { type server struct {
@ -987,12 +986,6 @@ func (ss *sshSession) handleSSHAgentForwarding(s ssh.Session, lu *user.User) err
return nil return nil
} }
// recordSSH is a temporary dev knob to test the SSH recording
// functionality and support off-node streaming.
//
// TODO(bradfitz,maisem): move this to SSHPolicy.
var recordSSH = envknob.RegisterBool("TS_DEBUG_LOG_SSH")
// run is the entrypoint for a newly accepted SSH session. // run is the entrypoint for a newly accepted SSH session.
// //
// It handles ss once it's been accepted and determined // It handles ss once it's been accepted and determined
@ -1127,10 +1120,9 @@ func (ss *sshSession) run() {
func (ss *sshSession) shouldRecord() bool { func (ss *sshSession) shouldRecord() bool {
// for now only record pty sessions // for now only record pty sessions
// TODO(bradfitz,maisem): make configurable on SSHPolicy and // TODO(bradfitz,maisem): support recording non-pty stuff too.
// support recording non-pty stuff too.
_, _, isPtyReq := ss.Pty() _, _, isPtyReq := ss.Pty()
return recordSSH() && isPtyReq return isPtyReq && len(ss.conn.finalAction.Recorders) > 0
} }
type sshConnInfo struct { type sshConnInfo struct {
@ -1313,10 +1305,15 @@ func randBytes(n int) []byte {
} }
// startNewRecording starts a new SSH session recording. // startNewRecording starts a new SSH session recording.
//
// It writes an asciinema file to
// $TAILSCALE_VAR_ROOT/ssh-sessions/ssh-session-<unixtime>-*.cast.
func (ss *sshSession) startNewRecording() (_ *recording, err error) { func (ss *sshSession) startNewRecording() (_ *recording, err error) {
if len(ss.conn.finalAction.Recorders) == 0 {
return nil, errors.New("no recorders configured")
}
recorder := ss.conn.finalAction.Recorders[0]
if len(ss.conn.finalAction.Recorders) > 1 {
ss.logf("warning: multiple recorders configured, using first one: %v", recorder)
}
var w ssh.Window var w ssh.Window
if ptyReq, _, isPtyReq := ss.Pty(); isPtyReq { if ptyReq, _, isPtyReq := ss.Pty(); isPtyReq {
w = ptyReq.Window w = ptyReq.Window
@ -1332,25 +1329,33 @@ func (ss *sshSession) startNewRecording() (_ *recording, err error) {
ss: ss, ss: ss,
start: now, start: now,
} }
varRoot := ss.conn.srv.lb.TailscaleVarRoot()
if varRoot == "" { pr, pw := io.Pipe()
return nil, errors.New("no var root for recording storage") req, err := http.NewRequestWithContext(ss.ctx, "POST", fmt.Sprintf("http://%s:%d/record", recorder.Addr(), recorder.Port()), pr)
} if err != nil {
dir := filepath.Join(varRoot, "ssh-sessions") pr.Close()
if err := os.MkdirAll(dir, 0700); err != nil { pw.Close()
return nil, err return nil, err
} }
defer func() { go func() {
defer pw.Close()
ss.logf("starting asciinema recording to %s", recorder)
// We just use the default client here, which has a 30s dial timeout.
resp, err := http.DefaultClient.Do(req)
if err != nil { if err != nil {
rec.Close() ss.cancelCtx(err)
ss.logf("recording: error sending recording to %s: %v", recorder, err)
return
}
defer resp.Body.Close()
defer ss.cancelCtx(errors.New("recording: done"))
if resp.StatusCode != http.StatusOK {
ss.logf("recording: error sending recording to %s: %v", recorder, resp.Status)
} }
}() }()
f, err := os.CreateTemp(dir, fmt.Sprintf("ssh-session-%v-*.cast", now.UnixNano())) rec.out = pw
if err != nil {
return nil, err
}
rec.out = f
// {"version": 2, "width": 221, "height": 84, "timestamp": 1647146075, "env": {"SHELL": "/bin/bash", "TERM": "screen"}} // {"version": 2, "width": 221, "height": 84, "timestamp": 1647146075, "env": {"SHELL": "/bin/bash", "TERM": "screen"}}
type CastHeader struct { type CastHeader struct {
@ -1359,6 +1364,12 @@ type CastHeader struct {
Height int `json:"height"` Height int `json:"height"`
Timestamp int64 `json:"timestamp"` Timestamp int64 `json:"timestamp"`
Env map[string]string `json:"env"` Env map[string]string `json:"env"`
// Tailscale-specific fields:
SrcNode string `json:"srcNode"` // name
SrcNodeID tailcfg.StableNodeID `json:"srcNodeID"`
SSHUser string `json:"sshUser"`
LocalUser string `json:"localUser"`
} }
j, err := json.Marshal(CastHeader{ j, err := json.Marshal(CastHeader{
Version: 2, Version: 2,
@ -1376,15 +1387,16 @@ type CastHeader struct {
// it. Then we can (1) make the cmd, (2) start the // it. Then we can (1) make the cmd, (2) start the
// recording, (3) start the process. // recording, (3) start the process.
}, },
SSHUser: ss.conn.info.sshUser,
LocalUser: ss.conn.localUser.Username,
SrcNode: ss.conn.info.node.Name,
SrcNodeID: ss.conn.info.node.StableID,
}) })
if err != nil { if err != nil {
f.Close()
return nil, err return nil, err
} }
ss.logf("starting asciinema recording to %s", f.Name())
j = append(j, '\n') j = append(j, '\n')
if _, err := f.Write(j); err != nil { if _, err := pw.Write(j); err != nil {
f.Close()
return nil, err return nil, err
} }
return rec, nil return rec, nil
@ -1396,7 +1408,7 @@ type recording struct {
start time.Time start time.Time
mu sync.Mutex // guards writes to, close of out mu sync.Mutex // guards writes to, close of out
out *os.File // nil if closed out io.WriteCloser
} }
func (r *recording) Close() error { func (r *recording) Close() error {
@ -1415,10 +1427,17 @@ func (r *recording) Close() error {
// The dir should be "i" for input or "o" for output. // The dir should be "i" for input or "o" for output.
// //
// If r is nil, it returns w unchanged. // If r is nil, it returns w unchanged.
//
// Currently (2023-03-21) we only record output, not input.
func (r *recording) writer(dir string, w io.Writer) io.Writer { func (r *recording) writer(dir string, w io.Writer) io.Writer {
if r == nil { if r == nil {
return w return w
} }
if dir == "i" {
// TODO: record input? Maybe not, since it might contain
// passwords.
return w
}
return &loggingWriter{r, dir, w} return &loggingWriter{r, dir, w}
} }