Eng Zer Jun
f0347e841f
refactor: move from io/ioutil to io and os packages
...
The io/ioutil package has been deprecated as of Go 1.16 [1]. This commit
replaces the existing io/ioutil functions with their new definitions in
io and os packages.
Reference: https://golang.org/doc/go1.16#ioutil
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2022-09-15 21:45:53 -07:00
Brad Fitzpatrick
74674b110d
envknob: support changing envknobs post-init
...
Updates #5114
Change-Id: Ia423fc7486e1b3f3180a26308278be0086fae49b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-09-15 15:04:02 -07:00
Brad Fitzpatrick
4950fe60bd
syncs, all: move to using Go's new atomic types instead of ours
...
Fixes #5185
Change-Id: I850dd532559af78c3895e2924f8237ccc328449d
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-08-04 07:47:59 -07:00
Brad Fitzpatrick
8725b14056
all: migrate more code code to net/netip directly
...
Instead of going through the tailscale.com/net/netaddr transitional
wrappers.
Updates #5162
Change-Id: I3dafd1c2effa1a6caa9b7151ecf6edd1a3fda3dd
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-08-02 13:59:57 -07:00
Maisem Ali
02a765743e
ssh/tailssh: fix deadlock in expandDelegateURL
...
Also rename it to expandDelegateURLLocked, previously it was trying
to acquire the mutex while holding the mutex.
Fixes #5235
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-08-02 12:25:09 -07:00
Brad Fitzpatrick
a12aad6b47
all: convert more code to use net/netip directly
...
perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.)
perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. )
perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. )
goimports -w .
Then delete some stuff from the net/netaddr shim package which is no
longer neeed.
Updates #5162
Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-25 21:53:49 -07:00
Brad Fitzpatrick
6a396731eb
all: use various net/netip parse funcs directly
...
Mechanical change with perl+goimports.
Changed {Must,}Parse{IP,IPPrefix,IPPort} to their netip variants, then
goimports -d .
Finally, removed the net/netaddr wrappers, to prevent future use.
Updates #5162
Change-Id: I59c0e38b5fbca5a935d701645789cddf3d7863ad
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-25 21:12:28 -07:00
Brad Fitzpatrick
7eaf5e509f
net/netaddr: start migrating to net/netip via new netaddr adapter package
...
Updates #5162
Change-Id: Id7bdec303b25471f69d542f8ce43805328d56c12
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-07-25 16:20:43 -07:00
Maisem Ali
3e06b9ea7a
ssh/tailssh: add "ssh" to conn logs
...
Fixes #5089
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-07-21 12:42:31 -07:00
Maisem Ali
480fd6c797
ssh/tailssh: handle not-authenticated-yet connections in matchRule
...
Also make more fields in conn.info thread safe, there was previously a
data race here.
Fixes #5110
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-07-21 12:42:31 -07:00
Maisem Ali
af412e8874
ssh/tailssh: better handling of signals and exits
...
We were not handling errors occurred while copying data between the subprocess and the connection.
This makes it so that we pass the appropriate signals when to the process and the connection.
This also fixes mosh.
Updates #4919
Co-authored-by: James Tucker <raggi@tailscale.com>
Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-07-15 09:06:01 -07:00
Maisem Ali
40503ef07a
ssh/tailssh: fix logging typo
...
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-06-27 13:23:09 -07:00
Maisem Ali
c434e47f2d
ssh/tailssh: always use current time for policy evaluation
...
Whenever the SSH policy changes we revaluate all open connections to
make sure they still have access. This check was using the wrong
timestamp and would match against expired policies, however this really
isn't a problem today as we don't have policy that would be impacted by
this check. Fixing it for future use.
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-06-27 12:25:04 -07:00
Maisem Ali
a7d2024e35
ssh/tailssh: allow multiple sessions on the same conn
...
Fixes #4920
Fixes tailscale/corp#5633
Updates #4479
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-06-27 11:54:54 -07:00
Brad Fitzpatrick
e428bba7a3
ssh/tailssh: add metrics
...
Updates #3802
Change-Id: Ic9a4b8c51cff6dfe148a1c78bc0e5074195b7f80
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-06-02 08:18:53 -07:00
Maisem Ali
928530a112
ipn/ipnlocal: shutdown sshServer on tailscale down
...
Also lazify SSHServer initialization to allow restarting the server on a
subsequent `tailscale up`
Updates #3802
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-05-30 15:01:22 +05:00
Maisem Ali
575aacb1e2
ssh/tailssh: terminate sessions on stdout copy failures
...
Currently, killing a SCP copy with a Ctrl+C leaves the session hanging
even though the stdout copy goroutine fails with an io.EOF. Taking a
step back, when we are unable to send any more data back to the client
we should just terminate the session as the client will stop getting any
response from the server anyways.
Updates #3802
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-05-28 21:30:54 +05:00
Maisem Ali
7cd8c3e839
ssh/tailssh: terminate sessions when tailscaled shutsdown
...
Ideally we would re-establish these sessions when tailscaled comes back
up, however we do not do that yet so this is better than leaking the
sessions.
Updates #3802
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-05-28 21:30:54 +05:00
Brad Fitzpatrick
c1445155ef
ssh/tailssh: handle Control-C during hold-and-delegate prompt
...
Fixes #4549
Change-Id: Iafc61af5e08cd03564d39cf667e940b2417714cc
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-05-05 11:47:08 -07:00
Maisem Ali
3012a2e1ca
ssh/tailssh,ipn/ipnlocal: terminate any active sessions on up --ssh=false
...
Currently the ssh session isn't terminated cleanly, instead the packets
are just are no longer routed to the in-proc SSH server. This makes it
so that clients get a disconnection when the `RunSSH` pref changes to
`false`.
Updates #3802
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-04-29 16:08:27 -07:00
Brad Fitzpatrick
910ae68e0b
util/mak: move tailssh's mapSet into a new package for reuse elsewhere
...
Change-Id: Idfe95db82275fd2be6ca88f245830731a0d5aecf
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-04-21 21:20:10 -07:00
David Anderson
a364bf2b62
ssh/tailssh: various typo fixes, clarifications.
...
Signed-off-by: David Anderson <danderson@tailscale.com>
2022-04-21 15:04:13 -07:00
Brad Fitzpatrick
c994eba763
ssh/tailssh: simplify matchRule with Reject rules
...
Updates #3802
Change-Id: I59fe111eef5ac8abbcbcec922e293712a65a4830
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-04-21 15:04:02 -07:00
Maisem Ali
31094d557b
ssh/tailssh: chmod the auth socket to be only user accessible
...
Updates #3802
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-04-21 14:49:22 -07:00
Maisem Ali
337c77964b
ssh/tailssh: set groups and gid in the incubated process
...
Updates #3802
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-04-21 14:48:34 -07:00
Brad Fitzpatrick
89832c1a95
tailcfg: fix typo in SessionDuration field name
...
Noted by @danderson.
Updates #3802
Change-Id: Ide15f3f28e30f6abb5c94d7dcd218bd9482752a0
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-04-21 14:19:58 -07:00
Maisem Ali
695f8a1d7e
ssh/tailssh: add support for sftp
...
Updates #3802
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-04-21 10:52:22 -07:00
Brad Fitzpatrick
5b4154342e
ssh/tailssh: fix double SSH-2.0- prefix in greeting banner
...
gliderlabs/ssh was already adding the "SSH-2.0-" prefix.
Updates #3802
Change-Id: I19a1cd9308371a2898e7883cf26e94c9b54bab29
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-04-20 20:08:39 -07:00
Maisem Ali
2b8b887d55
ssh/tailssh: send banner messages during auth, move more to conn
...
(VSCode Live Share between Brad & Maisem!)
Updates #3802
Change-Id: Id8edca4481b0811debfdf56d4ccb1a46f71dd6d3
Co-Authored-By: Brad Fitzpatrick <bradfitz@tailscale.com>
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-04-20 18:34:11 -07:00
Brad Fitzpatrick
f74ee80abe
ssh/tailssh: support expansions in public key fetch URL too
...
Updates #3802
Change-Id: I5aa98bdab14fd1c1c00ba63b93f8d7e670f72437
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-04-20 14:04:50 -07:00
Maisem Ali
14d077fc3a
ssh/tailssh: terminate ssh auth early if no policy can match
...
Also bump github.com/tailscale/golang-x-crypto/ssh
Updates #3802
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-04-20 13:44:04 -07:00
Brad Fitzpatrick
8b81254992
ipn/ipnlocal: reject tailscale up --ssh if disabled on tailnet
...
Updates #3802
Change-Id: I3f1e839391fe9b28270f506f4bb8d8e3d36716f5
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-04-20 11:38:27 -07:00
Maisem Ali
91a187bf87
ssh/tailssh: make checkStillValid also consider username changes
...
Currently if the policy changes and the session is logged in with local
user "u1" and the new policy says they can only login with "u2" now, the
user doesn't get kicked out because they had requested
`rando@<ssh-host>` and the defaulting had made that go to `u1`.
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-04-18 16:34:06 -07:00
Brad Fitzpatrick
93221b4535
ssh/tailssh: cache public keys fetched from URLs
...
Updates #3802
Change-Id: I96715bae02bce6ea19f16b1736d1bbcd7bcf3534
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-04-18 07:46:38 -07:00
Brad Fitzpatrick
ade7bd8745
ssh/tailssh: close sessions on policy change if no longer allowed
...
Updates #3802
Change-Id: I98503c2505b77ac9d0cc792614fcdb691761a70c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-04-17 15:29:44 -07:00
Brad Fitzpatrick
8ee044ea4a
ssh/tailssh: make the SSH server a singleton, register with LocalBackend
...
Remove the weird netstack -> tailssh dependency and instead have tailssh
register itself with ipnlocal when linked.
This makes tailssh.server a singleton, so we can have a global map of
all sessions.
Updates #3802
Change-Id: Iad5caec3a26a33011796878ab66b8e7b49339f29
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-04-15 13:45:39 -07:00
Brad Fitzpatrick
da14e024a8
tailcfg, ssh/tailssh: optionally support SSH public keys in wire policy
...
And clean up logging.
Updates #3802
Change-Id: I756dc2d579a16757537142283d791f1d0319f4f0
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-04-15 13:36:57 -07:00
Brad Fitzpatrick
3d180c0376
go.mod, ssh/tailssh, tempfork/gliderlabs: bump x/crypto/ssh fork for NoClientAuthCallback
...
Prep for evaluating SSHPolicy earlier to decide whether certs are
required, which requires knowing the target SSH user.
Updates #3802
Change-Id: I2753ec8069e7f19c9121300d0fb0813c1c627c36
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-03-29 18:17:34 -07:00
Brad Fitzpatrick
5a44f9f5b5
tempfork: temporarily fork gliderlabs/ssh and x/crypto/ssh
...
While we rearrange/upstream things.
gliderlabs/ssh is forked into tempfork from our prior fork
at be8b7add40
x/crypto/ssh OTOH is forked at
https://github.com/tailscale/golang-x-crypto because it was gnarlier
to vendor with various internal packages, etc.
Its git history shows where it starts (2c7772ba30643b7a2026cbea938420dce7c6384d).
Updates #3802
Change-Id: I546e5cdf831cfc030a6c42557c0ad2c58766c65f
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-03-26 21:07:01 -07:00
Brad Fitzpatrick
0861923c21
ssh/tailssh, tailcfg: add more HoldAndDelegate expansions, document
...
Updates #3802
Change-Id: I447f06b49e2a917bffe36881d0634c9195085512
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-03-22 17:56:45 -07:00
Brad Fitzpatrick
091ea4a4a5
ssh/tailssh: support placeholders in SSHAction.HoldAndDelegate URL
...
Updates #3802
Change-Id: I60f9827409d14fd4f4824d102ba11db49bf0d365
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-03-22 16:02:40 -07:00
Brad Fitzpatrick
f7e976db55
tailcfg, ssh/tailssh: make SSHUser value '=' map ssh-user to same local-user
...
Updates #3802
Change-Id: Icde60d4150ca15c25d615a4effb3d3c236f020a8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-03-21 10:49:37 -07:00
Brad Fitzpatrick
f30473211b
ssh/tailssh: start of implementing optional session recording
...
To asciinema cast format.
Updates #3802
Change-Id: Ifd3ea31922cd2c99068369cb1650e21f2545b0e1
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-03-19 12:59:51 -07:00
Maisem Ali
45a7f6689c
tailcfg: add field to allow LocalPortForwarding in SSHAction
...
Updates #3802 , #4129
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-03-14 13:39:42 -07:00
Maisem Ali
98b45ef12c
ssh/tailssh: add support for agent forwarding.
...
Updates #3802
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-03-14 13:38:53 -07:00
Brad Fitzpatrick
6e86bbcb06
ssh/tailssh: add a new sshSession type to clean up existing+future code
...
Updates #3802
Change-Id: I7054dca387f5e5aee1185937ecf41b77a5a07f1a
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Co-authored-by: Maisem Ali <maisem@tailscale.com>
2022-03-14 12:01:49 -07:00
Maisem Ali
462e75666b
ssh/tailssh: start sending the server version
...
Updates #3802
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-03-12 19:40:51 -08:00
Maisem Ali
6d61b7906e
ssh/tailssh: handle terminal opcodes
...
Updates #3802 #4146
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-03-12 17:57:07 -08:00
Maisem Ali
da6ce27416
go.mod: move from github.com/gliderlabs/ssh to github.com/tailscale/ssh
...
Updates #4146
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-03-12 17:57:07 -08:00
Brad Fitzpatrick
012098ec32
ssh/tailssh: fix terminal corruption (temporary hack)
...
Maisem figured out the real problem but will take several commits
(e.g. tailscale/ssh#2 ) in different repos to get it fixed
properly. This is an interim hack.
Details of real fix:
https://github.com/tailscale/tailscale/issues/4146#issuecomment-1065952947
Updates #4146
Updates #3802
Change-Id: I7b7dc5713baa3e5de75b87b69e7179a6e7549b0b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-03-12 14:19:45 -08:00