From 91a187bf87e264618c0708953ecaa3cdd0236b70 Mon Sep 17 00:00:00 2001
From: Maisem Ali
Date: Mon, 18 Apr 2022 16:23:49 -0700
Subject: [PATCH] ssh/tailssh: make checkStillValid also consider username changes

Currently if the policy changes and the session is logged in with local user "u1" and the new policy says they can only login with "u2" now, the user doesn't get kicked out because they had requested `rando@` and the defaulting had made that go to `u1`.

Signed-off-by: Maisem Ali
---
 ssh/tailssh/tailssh.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ssh/tailssh/tailssh.go b/ssh/tailssh/tailssh.go
index ae831f16d..cffd7016b 100644
--- a/ssh/tailssh/tailssh.go
+++ b/ssh/tailssh/tailssh.go
@@ -524,8 +524,8 @@ func (srv *server) newSSHSession(s ssh.Session, ci *sshConnInfo, lu *user.User)
 // If not, it terminates the session.
 func (ss *sshSession) checkStillValid() {
 	ci := ss.connInfo
-	a, _, _, err := ss.srv.evaluatePolicy(ci.sshUser, ci.src, ci.dst, ci.pubKey)
-	if err == nil && (a.Accept || a.HoldAndDelegate != "") {
+	a, _, lu, err := ss.srv.evaluatePolicy(ci.sshUser, ci.src, ci.dst, ci.pubKey)
+	if err == nil && (a.Accept || a.HoldAndDelegate != "") && lu == ss.localUser.Username {
 		return
 	}
 	ss.logf("session no longer valid per new SSH policy; closing")
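Review bot: The new `&& lu == ss.localUser.Username` on the `if` line is an exact string compare between the policy's freshly resolved user name and the `*user.User` the session was created with, so any case where `evaluatePolicy` returns an empty or differently-canonicalized `lu` for an otherwise accepted session now closes a live session — the `HoldAndDelegate` branch is the one to check, since it is not visible here whether a local user is resolved before delegation; that fails closed, which is the right direction, but it deserves a test that a `HoldAndDelegate` re-evaluation with an unchanged user keeps the session alive. A related gap the hunk leaves in place is that a re-evaluation yielding `HoldAndDelegate` is treated as "still valid" without the delegated check ever running, so a policy that newly requires verification neither terminates nor re-verifies existing sessions; if that is intentional, say so inline, e.g. `// A delegated check is not re-run here; only an outright deny or a changed user mapping ends the session.`. The doc comment above `checkStillValid` starts outside the hunk and should now mention the user-mapping condition, e.g. `// ... and that the policy still maps this session to the same local user; if not, it terminates the session.`. The body of `checkStillValid` also continues past the hunk.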