From c5bf868940d89315f403e2e1dcab67b0c1aa0a46 Mon Sep 17 00:00:00 2001
From: Tom DNetto
Date: Mon, 1 May 2023 13:17:16 -0700
Subject: [PATCH] ssh/tailssh: improve debug logging around revoked sessions

Updates https://github.com/tailscale/corp/issues/10943

Signed-off-by: Tom DNetto
---
 ssh/tailssh/tailssh.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/ssh/tailssh/tailssh.go b/ssh/tailssh/tailssh.go
index 37e73e140..2ba20e00c 100644
--- a/ssh/tailssh/tailssh.go
+++ b/ssh/tailssh/tailssh.go
@@ -236,6 +236,12 @@ func (c *conn) logf(format string, args ...any) {
 	c.srv.logf(format, args...)
 }
 
+func (c *conn) vlogf(format string, args ...any) {
+	if sshVerboseLogging() {
+		c.logf(format, args...)
+	}
+}
+
 // isAuthorized walks through the action chain and returns nil if the connection
 // is authorized. If the connection is not authorized, it returns
 // gossh.ErrDenied. If the action chain resolution fails, it returns the
@@ -841,6 +847,7 @@ func (c *conn) newSSHSession(s ssh.Session) *sshSession {
 // isStillValid reports whether the conn is still valid.
 func (c *conn) isStillValid() bool {
 	a, localUser, err := c.evaluatePolicy(c.pubKey)
+	c.vlogf("stillValid: %+v %v %v", a, localUser, err)
 	if err != nil {
 		return false
 	}
@@ -1211,6 +1218,10 @@ func (c *conn) evalSSHPolicy(pol *tailcfg.SSHPolicy, pubKey gossh.PublicKey) (a
 )
 
 func (c *conn) matchRule(r *tailcfg.SSHRule, pubKey gossh.PublicKey) (a *tailcfg.SSHAction, localUser string, err error) {
+	defer func() {
+		c.vlogf("matchRule(%+v): %v", r, err)
+	}()
+
 	if c == nil {
 		return nil, "", errInvalidConn
 	}
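Review bot: The new vlogf method has no doc comment, and because its callers in this patch format whole policy objects with `%+v`, the comment should tell readers what ends up in logs when verbose logging is on. Suggested text: `// vlogf logs like logf, but only when sshVerboseLogging() reports true. Callers pass SSH policy rules and actions to it, so verbose output can contain policy contents.` Note also that vlogf dereferences c (via c.logf, which reads c.srv on the visible context line) whenever verbose logging is enabled, so it is not safe to call on a nil *conn; either document that or add `if c == nil { return }` before the logf call. The body of logf begins outside the hunk.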
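Review bot: The reason a session becomes invalid is still only visible under verbose logging; the `if err != nil { return false }` branch right after the new vlogf line revokes the session without any normal-level log. Since the stated goal is debugging revoked sessions, and an operator auditing a dropped session wants the cause in the standard log, consider `c.logf("isStillValid: policy evaluation failed: %v", err)` inside that branch (unless a caller outside this hunk already logs it; the rest of isStillValid is not visible here). The "stillValid:" prefix also differs from the method name, so grepping for isStillValid will miss it; `c.vlogf("isStillValid: %+v %v %v", a, localUser, err)` keeps them aligned.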
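Review bot: The deferred vlogf is registered before the `if c == nil` guard, so on a nil receiver the return through errInvalidConn now runs `c.vlogf(...)`, which calls c.logf and dereferences c.srv when verbose logging is enabled; the guard that exists to make a nil conn a clean error turns into a nil-pointer panic exactly when someone is debugging. Move the three deferred lines below the guard: `if c == nil { return nil, "", errInvalidConn }` first, then `defer func() { c.vlogf("matchRule(%+v): %v", r, err) }()`. Separately, `%+v` on *tailcfg.SSHRule prints nested pointer fields (its principals, if I recall the type correctly) as addresses rather than contents, so the log line may be less useful than intended; logging the matched action and local user from the named results would say more. The rest of matchRule is outside the hunk.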