TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-11-04 09:25:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
4,070 Commits 1,011 Branches 199 Tags
43f9c25fd2d39f6ac0d0b08701ba7a6dcc231874
Commit Graph

67 Commits

Author SHA1 Message Date
Brad Fitzpatrick
e428bba7a3 ssh/tailssh: add metrics 
Updates #3802

Change-Id: Ic9a4b8c51cff6dfe148a1c78bc0e5074195b7f80
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2022-06-02 08:18:53 -07:00
Maisem Ali
928530a112 ipn/ipnlocal: shutdown sshServer on tailscale down 
Also lazify SSHServer initialization to allow restarting the server on a
subsequent `tailscale up`

Updates #3802

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2022-05-30 15:01:22 +05:00
Maisem Ali
575aacb1e2 ssh/tailssh: terminate sessions on stdout copy failures 
Currently, killing a SCP copy with a Ctrl+C leaves the session hanging
even though the stdout copy goroutine fails with an io.EOF. Taking a
step back, when we are unable to send any more data back to the client
we should just terminate the session as the client will stop getting any
response from the server anyways.

Updates #3802

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2022-05-28 21:30:54 +05:00
Maisem Ali
7cd8c3e839 ssh/tailssh: terminate sessions when tailscaled shutsdown 
Ideally we would re-establish these sessions when tailscaled comes back
up, however we do not do that yet so this is better than leaking the
sessions.

Updates #3802

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2022-05-28 21:30:54 +05:00
Maisem Ali
760740905e ssh/tailssh: only use login with TTY sessions 
Otherwise, the shell exits immediately causing applications like mosh
and VSCode to fail.

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2022-05-28 21:03:40 +05:00
Maisem Ali
5cd56fe8d5 ssh/tailssh: exec into login when launching a shell 
This has the added benefit of displaying the MOTD and reducing our
dependency on the DBus interface.

Fixes #4627
Updates #3802

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2022-05-09 19:17:52 -07:00
Maisem Ali
a253057fc3 ssh/tailssh: refactor incubator flags 
Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2022-05-09 19:17:52 -07:00
Brad Fitzpatrick
c1445155ef ssh/tailssh: handle Control-C during hold-and-delegate prompt 
Fixes #4549

Change-Id: Iafc61af5e08cd03564d39cf667e940b2417714cc
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2022-05-05 11:47:08 -07:00
Maisem Ali
3012a2e1ca ssh/tailssh,ipn/ipnlocal: terminate any active sessions on up --ssh=false 
Currently the ssh session isn't terminated cleanly, instead the packets
are just are no longer routed to the in-proc SSH server. This makes it
so that clients get a disconnection when the `RunSSH` pref changes to
`false`.

Updates #3802

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2022-04-29 16:08:27 -07:00
Brad Fitzpatrick
910ae68e0b util/mak: move tailssh's mapSet into a new package for reuse elsewhere 
Change-Id: Idfe95db82275fd2be6ca88f245830731a0d5aecf
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2022-04-21 21:20:10 -07:00
James Tucker
c2eff20008 ssh/tailssh: avoid user ssh configuration in tests 
Signed-off-by: James Tucker <james@tailscale.com>
 2022-04-21 19:17:34 -07:00
David Anderson
a364bf2b62 ssh/tailssh: various typo fixes, clarifications. 
Signed-off-by: David Anderson <danderson@tailscale.com>
 2022-04-21 15:04:13 -07:00
Brad Fitzpatrick
c994eba763 ssh/tailssh: simplify matchRule with Reject rules 
Updates #3802

Change-Id: I59fe111eef5ac8abbcbcec922e293712a65a4830
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2022-04-21 15:04:02 -07:00
Maisem Ali
31094d557b ssh/tailssh: chmod the auth socket to be only user accessible 
Updates #3802

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2022-04-21 14:49:22 -07:00
Maisem Ali
337c77964b ssh/tailssh: set groups and gid in the incubated process 
Updates #3802

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2022-04-21 14:48:34 -07:00
Brad Fitzpatrick
8ac4d52b59 ssh/tailssh: filter accepted environment variables 
Noted by @danderson

Updates #3802

Change-Id: Iac70717ed57f11726209ac1ea93ddc6696605f94
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2022-04-21 14:44:46 -07:00
Brad Fitzpatrick
89832c1a95 tailcfg: fix typo in SessionDuration field name 
Noted by @danderson.

Updates #3802

Change-Id: Ide15f3f28e30f6abb5c94d7dcd218bd9482752a0
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2022-04-21 14:19:58 -07:00
Maisem Ali
695f8a1d7e ssh/tailssh: add support for sftp 
Updates #3802

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2022-04-21 10:52:22 -07:00
Brad Fitzpatrick
5b4154342e ssh/tailssh: fix double SSH-2.0- prefix in greeting banner 
gliderlabs/ssh was already adding the "SSH-2.0-" prefix.

Updates #3802

Change-Id: I19a1cd9308371a2898e7883cf26e94c9b54bab29
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2022-04-20 20:08:39 -07:00
Maisem Ali
2b8b887d55 ssh/tailssh: send banner messages during auth, move more to conn 
(VSCode Live Share between Brad & Maisem!)

Updates #3802

Change-Id: Id8edca4481b0811debfdf56d4ccb1a46f71dd6d3
Co-Authored-By: Brad Fitzpatrick <bradfitz@tailscale.com>
Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2022-04-20 18:34:11 -07:00
Brad Fitzpatrick
f74ee80abe ssh/tailssh: support expansions in public key fetch URL too 
Updates #3802

Change-Id: I5aa98bdab14fd1c1c00ba63b93f8d7e670f72437
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2022-04-20 14:04:50 -07:00
Maisem Ali
14d077fc3a ssh/tailssh: terminate ssh auth early if no policy can match 
Also bump github.com/tailscale/golang-x-crypto/ssh

Updates #3802

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2022-04-20 13:44:04 -07:00
Brad Fitzpatrick
8b81254992 ipn/ipnlocal: reject tailscale up --ssh if disabled on tailnet 
Updates #3802

Change-Id: I3f1e839391fe9b28270f506f4bb8d8e3d36716f5
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2022-04-20 11:38:27 -07:00
Maisem Ali
91a187bf87 ssh/tailssh: make checkStillValid also consider username changes 
Currently if the policy changes and the session is logged in with local
user "u1" and the new policy says they can only login with "u2" now, the
user doesn't get kicked out because they had requested
`rando@<ssh-host>` and the defaulting had made that go to `u1`.

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2022-04-18 16:34:06 -07:00
Brad Fitzpatrick
93221b4535 ssh/tailssh: cache public keys fetched from URLs 
Updates #3802

Change-Id: I96715bae02bce6ea19f16b1736d1bbcd7bcf3534
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2022-04-18 07:46:38 -07:00
Brad Fitzpatrick
ade7bd8745 ssh/tailssh: close sessions on policy change if no longer allowed 
Updates #3802

Change-Id: I98503c2505b77ac9d0cc792614fcdb691761a70c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2022-04-17 15:29:44 -07:00
Brad Fitzpatrick
8ee044ea4a ssh/tailssh: make the SSH server a singleton, register with LocalBackend 
Remove the weird netstack -> tailssh dependency and instead have tailssh
register itself with ipnlocal when linked.

This makes tailssh.server a singleton, so we can have a global map of
all sessions.

Updates #3802

Change-Id: Iad5caec3a26a33011796878ab66b8e7b49339f29
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2022-04-15 13:45:39 -07:00
Brad Fitzpatrick
da14e024a8 tailcfg, ssh/tailssh: optionally support SSH public keys in wire policy 
And clean up logging.

Updates #3802

Change-Id: I756dc2d579a16757537142283d791f1d0319f4f0
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2022-04-15 13:36:57 -07:00
Brad Fitzpatrick
3d180c0376 go.mod, ssh/tailssh, tempfork/gliderlabs: bump x/crypto/ssh fork for NoClientAuthCallback 
Prep for evaluating SSHPolicy earlier to decide whether certs are
required, which requires knowing the target SSH user.

Updates #3802

Change-Id: I2753ec8069e7f19c9121300d0fb0813c1c627c36
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2022-03-29 18:17:34 -07:00
Brad Fitzpatrick
5a44f9f5b5 tempfork: temporarily fork gliderlabs/ssh and x/crypto/ssh 
While we rearrange/upstream things.

gliderlabs/ssh is forked into tempfork from our prior fork
at be8b7add40

x/crypto/ssh OTOH is forked at
https://github.com/tailscale/golang-x-crypto because it was gnarlier
to vendor with various internal packages, etc.
Its git history shows where it starts (2c7772ba30643b7a2026cbea938420dce7c6384d).

Updates #3802

Change-Id: I546e5cdf831cfc030a6c42557c0ad2c58766c65f
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2022-03-26 21:07:01 -07:00
Brad Fitzpatrick
0861923c21 ssh/tailssh, tailcfg: add more HoldAndDelegate expansions, document 
Updates #3802

Change-Id: I447f06b49e2a917bffe36881d0634c9195085512
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2022-03-22 17:56:45 -07:00
Brad Fitzpatrick
091ea4a4a5 ssh/tailssh: support placeholders in SSHAction.HoldAndDelegate URL 
Updates #3802

Change-Id: I60f9827409d14fd4f4824d102ba11db49bf0d365
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2022-03-22 16:02:40 -07:00
Brad Fitzpatrick
f7e976db55 tailcfg, ssh/tailssh: make SSHUser value '=' map ssh-user to same local-user 
Updates #3802

Change-Id: Icde60d4150ca15c25d615a4effb3d3c236f020a8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2022-03-21 10:49:37 -07:00
Brad Fitzpatrick
f30473211b ssh/tailssh: start of implementing optional session recording 
To asciinema cast format.

Updates #3802

Change-Id: Ifd3ea31922cd2c99068369cb1650e21f2545b0e1
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2022-03-19 12:59:51 -07:00
Josh Bleecher Snyder
32fd42430b all: use cibuild.On 
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 2022-03-18 15:19:26 -07:00
Maisem Ali
b775df0b57 ssh/tailssh_test: skip TestSSH/stdin in CI 
Updates #4051

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2022-03-18 10:57:12 -07:00
Maisem Ali
1e12a29806 ssh/tailssh_test: Skip the env test in CI 
Updates #4051

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2022-03-17 14:34:49 -07:00
Josh Bleecher Snyder
0868329936 all: use any instead of interface{} 
My favorite part of generics.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
 2022-03-17 11:35:09 -07:00
Maisem Ali
45a7f6689c tailcfg: add field to allow LocalPortForwarding in SSHAction 
Updates #3802, #4129

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2022-03-14 13:39:42 -07:00
Maisem Ali
98b45ef12c ssh/tailssh: add support for agent forwarding. 
Updates #3802

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2022-03-14 13:38:53 -07:00
Brad Fitzpatrick
6e86bbcb06 ssh/tailssh: add a new sshSession type to clean up existing+future code 
Updates #3802

Change-Id: I7054dca387f5e5aee1185937ecf41b77a5a07f1a
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Co-authored-by: Maisem Ali <maisem@tailscale.com>
 2022-03-14 12:01:49 -07:00
Maisem Ali
462e75666b ssh/tailssh: start sending the server version 
Updates #3802

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2022-03-12 19:40:51 -08:00
Maisem Ali
bf3559171f ssh/tailssh: set DBUS_SESSION_BUS_ADDRESS and SSH_TTY variables 
Updates #3802

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2022-03-12 19:40:51 -08:00
Maisem Ali
6d61b7906e ssh/tailssh: handle terminal opcodes 
Updates #3802 #4146

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2022-03-12 17:57:07 -08:00
Maisem Ali
da6ce27416 go.mod: move from github.com/gliderlabs/ssh to github.com/tailscale/ssh 
Updates #4146

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2022-03-12 17:57:07 -08:00
Brad Fitzpatrick
012098ec32 ssh/tailssh: fix terminal corruption (temporary hack) 
Maisem figured out the real problem but will take several commits
(e.g. tailscale/ssh#2) in different repos to get it fixed
properly. This is an interim hack.

Details of real fix:
https://github.com/tailscale/tailscale/issues/4146#issuecomment-1065952947

Updates #4146
Updates #3802

Change-Id: I7b7dc5713baa3e5de75b87b69e7179a6e7549b0b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2022-03-12 14:19:45 -08:00
Brad Fitzpatrick
ba1adf6c24 ssh/tailssh: make pty termios options match OpenSSH 
Still not sure the exact rules of how/when/who's supposed to set
these, but this works for now on making them match. Baby steps.
Will research more and adjust later.

Updates #4146 (but not enough to fix it, something's still wrong)
Updates #3802

Change-Id: I496d8cd7e31d45fe9ede88fc8894f35dc096de67
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2022-03-11 12:16:10 -08:00
Brad Fitzpatrick
1dd5cf62a5 ssh/tailssh: start login shell, fix arg passing, width/height mismatch 
Updates #3802

Change-Id: I137d7a79195ee86d5dd7c8999f2797fc3cb57cec
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2022-03-10 20:11:41 -08:00
Brad Fitzpatrick
efc48b0578 ssh/tailssh, ipnlocal, controlclient: fetch next SSHAction from network 
Updates #3802

Change-Id: I08e98805ab86d6bbabb6c365ed4526f54742fd8e
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2022-03-10 13:41:08 -08:00
Maisem Ali
56bf2ce642 ssh/tailssh: handle local port forwarding 
Updates #3802

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2022-03-09 11:31:04 -08:00