ssh/tailssh: support expansions in public key fetch URL too

Updates #3802 Change-Id: I5aa98bdab14fd1c1c00ba63b93f8d7e670f72437 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-08-13 22:47:30 +00:00 · 2022-04-20 13:53:01 -07:00
parent 14d077fc3a
commit f74ee80abe
2 changed files with 37 additions and 1 deletions
--- a/ssh/tailssh/tailssh.go
+++ b/ssh/tailssh/tailssh.go
@@ -541,6 +541,22 @@ func (srv *server) expandDelegateURL(ci *sshConnInfo, lu *user.User, actionURL s
 	).Replace(actionURL)
 }

+func (ci *sshConnInfo) expandPublicKeyURL(pubKeyURL string) string {
+	if !strings.Contains(pubKeyURL, "$") {
+		return pubKeyURL
+	}
+	var localPart string
+	var loginName string
+	if ci.uprof != nil {
+		loginName = ci.uprof.LoginName
+		localPart, _, _ = strings.Cut(loginName, "@")
+	}
+	return strings.NewReplacer(
+		"$LOGINNAME_EMAIL", loginName,
+		"$LOGINNAME_LOCALPART", localPart,
+	).Replace(pubKeyURL)
+}
+
 // sshSession is an accepted Tailscale SSH session.
 type sshSession struct {
 	ssh.Session
@@ -1011,7 +1027,7 @@ func principalMatchesPubKey(p *tailcfg.SSHPrincipal, ci *sshConnInfo, clientPubK
 			return false, fmt.Errorf("no public key fetcher")
 		}
 		var err error
-		knownKeys, err = ci.fetchPublicKeysURL(knownKeys[0])
+		knownKeys, err = ci.fetchPublicKeysURL(ci.expandPublicKeyURL(knownKeys[0]))
 		if err != nil {
 			return false, err
 		}