ssh/tailssh: close sessions on policy change if no longer allowed

Updates #3802 Change-Id: I98503c2505b77ac9d0cc792614fcdb691761a70c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-08-12 05:37:32 +00:00 · 2022-04-17 11:49:56 -07:00
parent 4ec83fbad6
commit ade7bd8745
2 changed files with 55 additions and 26 deletions
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -76,6 +76,11 @@ func getControlDebugFlags() []string {
 // SSHServer is the interface of the conditionally linked ssh/tailssh.server.
 type SSHServer interface {
 	HandleSSHConn(net.Conn) error
+
+	// OnPolicyChange is called when the SSH access policy changes,
+	// so that existing sessions can be re-evaluated for validity
+	// and closed if they'd no longer be accepted.
+	OnPolicyChange()
 }

 type newSSHServerFunc func(logger.Logf, *LocalBackend) (SSHServer, error)
@@ -1148,6 +1153,10 @@ func (b *LocalBackend) updateFilterLocked(netMap *netmap.NetworkMap, prefs *ipn.
 		b.logf("[v1] netmap packet filter: %v filters", len(packetFilter))
 		b.setFilter(filter.New(packetFilter, localNets, logNets, oldFilter, b.logf))
 	}
+
+	if b.sshServer != nil {
+		go b.sshServer.OnPolicyChange()
+	}
 }

 func (b *LocalBackend) setFilter(f *filter.Filter) {