mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-29 04:55:31 +00:00
ssh/tailssh: make checkStillValid also consider username changes
Currently if the policy changes and the session is logged in with local user "u1" and the new policy says they can only login with "u2" now, the user doesn't get kicked out because they had requested `rando@<ssh-host>` and the defaulting had made that go to `u1`. Signed-off-by: Maisem Ali <maisem@tailscale.com>
This commit is contained in:
parent
a04eebf59f
commit
91a187bf87
@ -524,8 +524,8 @@ func (srv *server) newSSHSession(s ssh.Session, ci *sshConnInfo, lu *user.User)
|
||||
// If not, it terminates the session.
|
||||
func (ss *sshSession) checkStillValid() {
|
||||
ci := ss.connInfo
|
||||
a, _, _, err := ss.srv.evaluatePolicy(ci.sshUser, ci.src, ci.dst, ci.pubKey)
|
||||
if err == nil && (a.Accept || a.HoldAndDelegate != "") {
|
||||
a, _, lu, err := ss.srv.evaluatePolicy(ci.sshUser, ci.src, ci.dst, ci.pubKey)
|
||||
if err == nil && (a.Accept || a.HoldAndDelegate != "") && lu == ss.localUser.Username {
|
||||
return
|
||||
}
|
||||
ss.logf("session no longer valid per new SSH policy; closing")
|
||||
|
Loading…
Reference in New Issue
Block a user