mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-29 04:55:31 +00:00
tailcfg: clarify how SSHPolicy.Rules are evaluated between auth phases
Updates #3802
Change-Id: I321183a8a2b065a40dca8dd95ca90cd822a17ff8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
parent 91a187bf87
commit c13be0c509
@ -1636,9 +1636,21 @@ type SetDNSResponse struct{
|
|||||||
// SSHPolicy is the policy for how to handle incoming SSH connections
|
// SSHPolicy is the policy for how to handle incoming SSH connections
|
||||||
// over Tailscale.
|
// over Tailscale.
|
||||||
type SSHPolicy struct {
|
type SSHPolicy struct {
|
||||||
// Rules are the rules to process for an incoming SSH
|
// Rules are the rules to process for an incoming SSH connection. The first
|
||||||
// connection. The first matching rule takes its action and
|
// matching rule takes its action and stops processing further rules.
|
||||||
// stops processing further rules.
|
//
|
||||||
|
// When an incoming connection first starts, all rules are evaluated in
|
||||||
|
// "none" auth mode, where the client hasn't even been asked to send a
|
||||||
|
// public key. All SSHRule.Principals requiring a public key won't match. If
|
||||||
|
// a rule matches on the first pass and its Action is reject, the
|
||||||
|
// authentication fails with that action's rejection message, if any.
|
||||||
|
//
|
||||||
|
// If the first pass rule evaluation matches nothing without matching an
|
||||||
|
// Action with Reject set, the rules are considered to see whether public
|
||||||
|
// keys might still result in a match. If not, "none" auth is terminated
|
||||||
|
// before proceeding to public key mode. If so, the client is asked to try
|
||||||
|
// public key authentication and the rules are evaluated again for each of
|
||||||
|
// the client's present keys.
|
||||||
Rules []*SSHRule `json:"rules"`
|
Rules []*SSHRule `json:"rules"`
|
||||||
}
|
}
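Review bot: the new doc comment on Rules describes the first-pass outcomes for a Reject match and for no match at all, but not a first-pass match on a rule whose Action is not a rejection (for example a principal that does not require a public key), so a reader cannot tell whether such a connection is accepted in "none" auth mode or still proceeds to public key mode; add one sentence stating that outcome. It would also help to say concretely what "the rules are considered to see whether public keys might still result in a match" checks, presumably whether any rule has an SSHRule.Principals entry that requires a public key, so that readers of the policy and implementers of the second pass agree on the criterion.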