ssh/tailssh: make checkStillValid also consider username changes

Currently, if the policy changes while a session is logged in as local
user "u1" and the new policy says they may only log in as "u2", the
user does not get kicked out, because they had requested
`rando@<ssh-host>` and the defaulting had mapped that to `u1`.

Signed-off-by: Maisem Ali <maisem@tailscale.com>
Maisem Ali 2022-04-18 16:23:49 -07:00 committed by Maisem Ali
parent a04eebf59f
commit 91a187bf87


@ -524,8 +524,8 @@ func (srv *server) newSSHSession(s ssh.Session, ci *sshConnInfo, lu *user.User)
// If not, it terminates the session.
func (ss *sshSession) checkStillValid() {
ci := ss.connInfo
a, _, _, err := ss.srv.evaluatePolicy(ci.sshUser, ci.src, ci.dst, ci.pubKey)
if err == nil && (a.Accept || a.HoldAndDelegate != "") {
a, _, lu, err := ss.srv.evaluatePolicy(ci.sshUser, ci.src, ci.dst, ci.pubKey)
if err == nil && (a.Accept || a.HoldAndDelegate != "") && lu == ss.localUser.Username {
return
}
ss.logf("session no longer valid per new SSH policy; closing")
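Review bot: The new condition folds three distinct reasons for closing into one line, but the log message at the end of the hunk still says only "no longer valid per new SSH policy", so an operator reviewing the logs cannot tell whether the session was terminated because evaluatePolicy returned an error, because the policy now rejects the peer, or because the mapped local user changed from the one the session is running as. Since the local-user mismatch is the case this commit adds, it is worth recording, e.g. `ss.logf("session no longer valid per new SSH policy (err=%v, localUser %q -> %q); closing", err, ss.localUser.Username, lu)`. Separately, the comparison `lu == ss.localUser.Username` is applied in the HoldAndDelegate branch too; if evaluatePolicy leaves lu empty when the decision is delegated rather than accepted (not visible here), that would close sessions the policy still permits, so confirm what lu holds in that path. The body of checkStillValid continues past the hunk, and the dereference of ss.localUser assumes it is always non-nil for a live session.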