tailscale

mirror of https://github.com/tailscale/tailscale.git synced 2024-11-25 19:15:34 +00:00

Author	SHA1	Message	Date
Brad Fitzpatrick	8b81254992	ipn/ipnlocal: reject tailscale up --ssh if disabled on tailnet Updates #3802 Change-Id: I3f1e839391fe9b28270f506f4bb8d8e3d36716f5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-04-20 11:38:27 -07:00
Maisem Ali	91a187bf87	ssh/tailssh: make checkStillValid also consider username changes Currently if the policy changes and the session is logged in with local user "u1" and the new policy says they can only login with "u2" now, the user doesn't get kicked out because they had requested `rando@<ssh-host>` and the defaulting had made that go to `u1`. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2022-04-18 16:34:06 -07:00
Brad Fitzpatrick	93221b4535	ssh/tailssh: cache public keys fetched from URLs Updates #3802 Change-Id: I96715bae02bce6ea19f16b1736d1bbcd7bcf3534 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-04-18 07:46:38 -07:00
Brad Fitzpatrick	ade7bd8745	ssh/tailssh: close sessions on policy change if no longer allowed Updates #3802 Change-Id: I98503c2505b77ac9d0cc792614fcdb691761a70c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-04-17 15:29:44 -07:00
Brad Fitzpatrick	8ee044ea4a	ssh/tailssh: make the SSH server a singleton, register with LocalBackend Remove the weird netstack -> tailssh dependency and instead have tailssh register itself with ipnlocal when linked. This makes tailssh.server a singleton, so we can have a global map of all sessions. Updates #3802 Change-Id: Iad5caec3a26a33011796878ab66b8e7b49339f29 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-04-15 13:45:39 -07:00
Brad Fitzpatrick	da14e024a8	tailcfg, ssh/tailssh: optionally support SSH public keys in wire policy And clean up logging. Updates #3802 Change-Id: I756dc2d579a16757537142283d791f1d0319f4f0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-04-15 13:36:57 -07:00
Brad Fitzpatrick	3d180c0376	go.mod, ssh/tailssh, tempfork/gliderlabs: bump x/crypto/ssh fork for NoClientAuthCallback Prep for evaluating SSHPolicy earlier to decide whether certs are required, which requires knowing the target SSH user. Updates #3802 Change-Id: I2753ec8069e7f19c9121300d0fb0813c1c627c36 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-03-29 18:17:34 -07:00
Brad Fitzpatrick	5a44f9f5b5	tempfork: temporarily fork gliderlabs/ssh and x/crypto/ssh While we rearrange/upstream things. gliderlabs/ssh is forked into tempfork from our prior fork at `be8b7add40` x/crypto/ssh OTOH is forked at https://github.com/tailscale/golang-x-crypto because it was gnarlier to vendor with various internal packages, etc. Its git history shows where it starts (2c7772ba30643b7a2026cbea938420dce7c6384d). Updates #3802 Change-Id: I546e5cdf831cfc030a6c42557c0ad2c58766c65f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-03-26 21:07:01 -07:00
Brad Fitzpatrick	0861923c21	ssh/tailssh, tailcfg: add more HoldAndDelegate expansions, document Updates #3802 Change-Id: I447f06b49e2a917bffe36881d0634c9195085512 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-03-22 17:56:45 -07:00
Brad Fitzpatrick	091ea4a4a5	ssh/tailssh: support placeholders in SSHAction.HoldAndDelegate URL Updates #3802 Change-Id: I60f9827409d14fd4f4824d102ba11db49bf0d365 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-03-22 16:02:40 -07:00
Brad Fitzpatrick	f7e976db55	tailcfg, ssh/tailssh: make SSHUser value '=' map ssh-user to same local-user Updates #3802 Change-Id: Icde60d4150ca15c25d615a4effb3d3c236f020a8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-03-21 10:49:37 -07:00
Brad Fitzpatrick	f30473211b	ssh/tailssh: start of implementing optional session recording To asciinema cast format. Updates #3802 Change-Id: Ifd3ea31922cd2c99068369cb1650e21f2545b0e1 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-03-19 12:59:51 -07:00
Josh Bleecher Snyder	32fd42430b	all: use cibuild.On Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	2022-03-18 15:19:26 -07:00
Maisem Ali	b775df0b57	ssh/tailssh_test: skip TestSSH/stdin in CI Updates #4051 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2022-03-18 10:57:12 -07:00
Maisem Ali	1e12a29806	ssh/tailssh_test: Skip the env test in CI Updates #4051 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2022-03-17 14:34:49 -07:00
Josh Bleecher Snyder	0868329936	all: use any instead of interface{} My favorite part of generics. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	2022-03-17 11:35:09 -07:00
Maisem Ali	45a7f6689c	tailcfg: add field to allow LocalPortForwarding in SSHAction Updates #3802, #4129 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2022-03-14 13:39:42 -07:00
Maisem Ali	98b45ef12c	ssh/tailssh: add support for agent forwarding. Updates #3802 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2022-03-14 13:38:53 -07:00
Brad Fitzpatrick	6e86bbcb06	ssh/tailssh: add a new sshSession type to clean up existing+future code Updates #3802 Change-Id: I7054dca387f5e5aee1185937ecf41b77a5a07f1a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> Co-authored-by: Maisem Ali <maisem@tailscale.com>	2022-03-14 12:01:49 -07:00
Maisem Ali	462e75666b	ssh/tailssh: start sending the server version Updates #3802 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2022-03-12 19:40:51 -08:00
Maisem Ali	bf3559171f	ssh/tailssh: set DBUS_SESSION_BUS_ADDRESS and SSH_TTY variables Updates #3802 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2022-03-12 19:40:51 -08:00
Maisem Ali	6d61b7906e	ssh/tailssh: handle terminal opcodes Updates #3802 #4146 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2022-03-12 17:57:07 -08:00
Maisem Ali	da6ce27416	go.mod: move from github.com/gliderlabs/ssh to github.com/tailscale/ssh Updates #4146 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2022-03-12 17:57:07 -08:00
Brad Fitzpatrick	012098ec32	ssh/tailssh: fix terminal corruption (temporary hack) Maisem figured out the real problem but will take several commits (e.g. tailscale/ssh#2) in different repos to get it fixed properly. This is an interim hack. Details of real fix: https://github.com/tailscale/tailscale/issues/4146#issuecomment-1065952947 Updates #4146 Updates #3802 Change-Id: I7b7dc5713baa3e5de75b87b69e7179a6e7549b0b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-03-12 14:19:45 -08:00
Brad Fitzpatrick	ba1adf6c24	ssh/tailssh: make pty termios options match OpenSSH Still not sure the exact rules of how/when/who's supposed to set these, but this works for now on making them match. Baby steps. Will research more and adjust later. Updates #4146 (but not enough to fix it, something's still wrong) Updates #3802 Change-Id: I496d8cd7e31d45fe9ede88fc8894f35dc096de67 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-03-11 12:16:10 -08:00
Brad Fitzpatrick	1dd5cf62a5	ssh/tailssh: start login shell, fix arg passing, width/height mismatch Updates #3802 Change-Id: I137d7a79195ee86d5dd7c8999f2797fc3cb57cec Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-03-10 20:11:41 -08:00
Brad Fitzpatrick	efc48b0578	ssh/tailssh, ipnlocal, controlclient: fetch next SSHAction from network Updates #3802 Change-Id: I08e98805ab86d6bbabb6c365ed4526f54742fd8e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-03-10 13:41:08 -08:00
Maisem Ali	56bf2ce642	ssh/tailssh: handle local port forwarding Updates #3802 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2022-03-09 11:31:04 -08:00
Maisem Ali	598c7a22e7	ssh/tailssh: use lu.Username not lu.Name. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2022-03-08 22:39:03 -08:00
Maisem Ali	06c147d848	ssh/tailssh: create login sessions for new connections Signed-off-by: Maisem Ali <maisem@tailscale.com>	2022-03-08 21:47:19 -08:00
Brad Fitzpatrick	c9a5dadce8	ssh/tailssh: skip flaky test on CI for now Updates #4051 Change-Id: I94f2165dd248eba9ca3f782c907a13bd6dde4a5e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-03-01 19:57:07 -08:00
Maisem Ali	497324ddf6	ipn/store: add common package for instantiating ipn.StateStores Also move KubeStore and MemStore into their own package. RELNOTE: tsnet now supports providing a custom ipn.StateStore. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2022-02-28 13:23:33 -08:00
Brad Fitzpatrick	4b50977422	ssh/tailssh: add more SSH tests, blend in env from ssh session Updates #3802 Change-Id: I568c661cacbb0524afcd8be9577457ddba611f19 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-02-24 16:02:01 -08:00
Brad Fitzpatrick	4cbdc84d27	cmd/tailscaled/childproc: add be-child registration mechanism For ssh and maybe windows service babysitter later. Updates #3802 Change-Id: I7492b98df98971b3fb72d148ba92c2276cca491f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-02-24 14:20:20 -08:00
Brad Fitzpatrick	6e4f3614cf	ssh/tailssh: add start of real ssh tests Updates #3802 Change-Id: I9aea4250062d3a06ca7a5e71a81d31c27a988615 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-02-24 14:13:12 -08:00
Brad Fitzpatrick	c9eca9451a	ssh: make it build on darwin For local dev testing initially. Product-wise, it'll probably only be workable on the two unsandboxed builds. Updates #3802 Change-Id: Ic352f966e7fb29aff897217d79b383131bf3f92b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-02-24 13:00:45 -08:00
Brad Fitzpatrick	cce6aad6c0	ssh/tailssh: fix non-interactive commands as non-root user Updates #3802 Change-Id: I89a3f14420b8782bc407b1939dce54a1d24636da Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-02-24 12:13:16 -08:00
Brad Fitzpatrick	e2ed06c53c	ssh/tailssh: break a method into half in prep for testing And add a private context type in the process. Updates #3802 Change-Id: I257187f4cfb0f2248d95b81c1dfe0911ef203b60 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-02-24 09:59:00 -08:00
Brad Fitzpatrick	1b5bb2e81d	ssh/tailssh: rename sshContext to sshConnInfo So it's not confused for a context.Context and we can add contexts later and not look like we have two. Updates #3802 Change-Id: Icf229ae2c020d173f3cbf09a13ccd03a60cbb85e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-02-24 09:06:21 -08:00
Brad Fitzpatrick	3c2cd854be	ssh/tailssh: flesh out env, support non-pty commands Updates #3802 Change-Id: I7022460117542a5424919144828bf571c7c19ec0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-02-23 15:00:41 -08:00
Brad Fitzpatrick	03caa95bf2	ssh/tailssh: get login shell when running as non-root And also reject attempts to use other users. Updates #3802 Change-Id: Iddc85f6ea2dba17d12be66a50408d24c1f92833e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-02-18 19:22:11 -08:00
Brad Fitzpatrick	e1e20f6d39	ssh/tailssh: evaluate tailcfg.SSHPolicy on incoming connections Updates #3802 Fixes #3960 Change-Id: Ieda2007d462ddce6c217b958167417ae9755774e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-02-18 18:07:39 -08:00
Brad Fitzpatrick	bb93e29d5c	tailcfg, ipn/ipnlocal: add Hostinfo.SSH_HostKeys, send when SSH enabled (The name SSH_HostKeys is bad but SSHHostKeys is worse.) Updates #3802 Change-Id: I2a889019c9e8b065b668dd58140db4fcab868a91 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-02-17 15:46:57 -08:00
Brad Fitzpatrick	fbff1555fc	ipnlocal, tailssh: start moving host key stuff into the right spot Make tailssh ask LocalBackend for the SSH hostkeys, as we'll need to distribute them to peers. For now only the hacky use-same-as-actual-host mode is implemented. Updates #3802 Change-Id: I819dcb25c14e42e6692c441186c1dc744441592b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-02-17 14:01:50 -08:00
Brad Fitzpatrick	1b87e025e9	ssh/tailssh: move SSH code from wgengine/netstack to this new package Still largely incomplete, but in a better home now. Updates #3802 Change-Id: I46c5ffdeb12e306879af801b06266839157bc624 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2022-02-15 12:21:01 -08:00

45 Commits