|
|
|
|
@ -41,7 +41,11 @@ func Handle(logf logger.Logf, lb *ipnlocal.LocalBackend, c net.Conn) error { |
|
|
|
|
if err != nil { |
|
|
|
|
return err |
|
|
|
|
} |
|
|
|
|
srv := &server{lb, logf, tsd} |
|
|
|
|
srv := &server{ |
|
|
|
|
lb: lb, |
|
|
|
|
logf: logf, |
|
|
|
|
tailscaledPath: tsd, |
|
|
|
|
} |
|
|
|
|
ss, err := srv.newSSHServer() |
|
|
|
|
if err != nil { |
|
|
|
|
return err |
|
|
|
|
@ -55,7 +59,13 @@ func (srv *server) newSSHServer() (*ssh.Server, error) { |
|
|
|
|
Handler: srv.handleSSH, |
|
|
|
|
RequestHandlers: map[string]ssh.RequestHandler{}, |
|
|
|
|
SubsystemHandlers: map[string]ssh.SubsystemHandler{}, |
|
|
|
|
ChannelHandlers: map[string]ssh.ChannelHandler{}, |
|
|
|
|
// Note: the direct-tcpip channel handler and LocalPortForwardingCallback
|
|
|
|
|
// only adds support for forwarding ports from the local machine.
|
|
|
|
|
// TODO(maisem/bradfitz): add remote port forwarding support.
|
|
|
|
|
ChannelHandlers: map[string]ssh.ChannelHandler{ |
|
|
|
|
"direct-tcpip": ssh.DirectTCPIPHandler, |
|
|
|
|
}, |
|
|
|
|
LocalPortForwardingCallback: srv.portForward, |
|
|
|
|
} |
|
|
|
|
for k, v := range ssh.DefaultRequestHandlers { |
|
|
|
|
ss.RequestHandlers[k] = v |
|
|
|
|
@ -80,10 +90,21 @@ type server struct { |
|
|
|
|
lb *ipnlocal.LocalBackend |
|
|
|
|
logf logger.Logf |
|
|
|
|
tailscaledPath string |
|
|
|
|
|
|
|
|
|
// mu protects activeSessions.
|
|
|
|
|
mu sync.Mutex |
|
|
|
|
activeSessions map[string]bool |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
var debugPolicyFile = envknob.String("TS_DEBUG_SSH_POLICY_FILE") |
|
|
|
|
|
|
|
|
|
// portForward reports whether the ctx should be allowed to port forward
|
|
|
|
|
// to the specified host and port.
|
|
|
|
|
// TODO(bradfitz/maisem): should we have more checks on host/port?
|
|
|
|
|
func (srv *server) portForward(ctx ssh.Context, destinationHost string, destinationPort uint32) bool { |
|
|
|
|
return srv.isActiveSession(ctx) |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
// sshPolicy returns the SSHPolicy for current node.
|
|
|
|
|
// If there is no SSHPolicy in the netmap, it returns a debugPolicy
|
|
|
|
|
// if one is defined.
|
|
|
|
|
@ -231,6 +252,31 @@ func (srv *server) handleSessionTermination(ctx context.Context, s ssh.Session, |
|
|
|
|
}) |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
// isActiveSession reports whether the ssh.Context corresponds
|
|
|
|
|
// to an active session.
|
|
|
|
|
func (srv *server) isActiveSession(sctx ssh.Context) bool { |
|
|
|
|
srv.mu.Lock() |
|
|
|
|
defer srv.mu.Unlock() |
|
|
|
|
return srv.activeSessions[sctx.SessionID()] |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
// startSession registers s as an active session.
|
|
|
|
|
func (srv *server) startSession(s ssh.Session) { |
|
|
|
|
srv.mu.Lock() |
|
|
|
|
defer srv.mu.Unlock() |
|
|
|
|
if srv.activeSessions == nil { |
|
|
|
|
srv.activeSessions = make(map[string]bool) |
|
|
|
|
} |
|
|
|
|
srv.activeSessions[s.Context().(ssh.Context).SessionID()] = true |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
// endSession unregisters s from the list of active sessions.
|
|
|
|
|
func (srv *server) endSession(s ssh.Session) { |
|
|
|
|
srv.mu.Lock() |
|
|
|
|
defer srv.mu.Unlock() |
|
|
|
|
delete(srv.activeSessions, s.Context().(ssh.Context).SessionID()) |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
// handleAcceptedSSH handles s once it's been accepted and determined
|
|
|
|
|
// that it should run as local system user lu.
|
|
|
|
|
//
|
|
|
|
|
@ -238,6 +284,8 @@ func (srv *server) handleSessionTermination(ctx context.Context, s ssh.Session, |
|
|
|
|
// is an SSHTerminationError, its SSHTerminationMessage is sent to the
|
|
|
|
|
// user.
|
|
|
|
|
func (srv *server) handleAcceptedSSH(ctx context.Context, s ssh.Session, ci *sshConnInfo, lu *user.User) { |
|
|
|
|
srv.startSession(s) |
|
|
|
|
defer srv.endSession(s) |
|
|
|
|
logf := srv.logf |
|
|
|
|
localUser := lu.Username |
|
|
|
|
|
|
|
|
|
|
Maisem Ali
4 years ago
committed by
Maisem Ali