ipn/ipnlocal, feature/ssh: move SSH code out of LocalBackend to feature

This makes tsnet apps not depend on x/crypto/ssh and locks that in with a test.

It also paves the wave for tsnet apps to opt-in to SSH support via a
blank feature import in the future.

Updates #12614

Change-Id: Ica85628f89c8f015413b074f5001b82b27c953a9
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

ipn/ipnlocal/c2n.go

@@ -44,9 +44,6 @@ func init() {
 		// several candidate nodes is reachable and actually alive.
 		RegisterC2N("/echo", handleC2NEcho)
 	}
-	if buildfeatures.HasSSH {
-		RegisterC2N("/ssh/usernames", handleC2NSSHUsernames)
-	}
 	if buildfeatures.HasLogTail {
 		RegisterC2N("POST /logtail/flush", handleC2NLogtailFlush)
 	}
@@ -290,26 +287,6 @@ func handleC2NPprof(b *LocalBackend, w http.ResponseWriter, r *http.Request) {
 	c2nPprof(w, r, profile)
 }
 
-func handleC2NSSHUsernames(b *LocalBackend, w http.ResponseWriter, r *http.Request) {
-	if !buildfeatures.HasSSH {
-		http.Error(w, feature.ErrUnavailable.Error(), http.StatusNotImplemented)
-		return
-	}
-	var req tailcfg.C2NSSHUsernamesRequest
-	if r.Method == "POST" {
-		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-			http.Error(w, err.Error(), http.StatusBadRequest)
-			return
-		}
-	}
-	res, err := b.getSSHUsernames(&req)
-	if err != nil {
-		http.Error(w, err.Error(), 500)
-		return
-	}
-	writeJSON(w, res)
-}
-
 func handleC2NSockStats(b *LocalBackend, w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "text/plain")
 	if b.sockstatLogger == nil {

ipn/ipnlocal/local.go

@@ -5646,10 +5646,12 @@ func (b *LocalBackend) applyPrefsToHostinfoLocked(hi *tailcfg.Hostinfo, prefs ip
 		// TODO(bradfitz): this is called with b.mu held. Not ideal.
 		// If the filesystem gets wedged or something we could block for
 		// a long time. But probably fine.
-		var err error
-		sshHostKeys, err = b.getSSHHostKeyPublicStrings()
-		if err != nil {
-			b.logf("warning: unable to get SSH host keys, SSH will appear as disabled for this node: %v", err)
+		if f, ok := feature.HookGetSSHHostKeyPublicStrings.GetOk(); ok {
+			var err error
+			sshHostKeys, err = f(b.TailscaleVarRoot(), b.logf)
+			if err != nil {
+				b.logf("warning: unable to get SSH host keys, SSH will appear as disabled for this node: %v", err)
+			}
 		}
 	}
 	hi.SSH_HostKeys = sshHostKeys
@@ -6439,9 +6441,9 @@ func (b *LocalBackend) maybeSentHostinfoIfChangedLocked(prefs ipn.PrefsView) {
 	}
 }
 
-// operatorUserName returns the current pref's OperatorUser's name, or the
+// OperatorUserName returns the current pref's OperatorUser's name, or the
 // empty string if none.
-func (b *LocalBackend) operatorUserName() string {
+func (b *LocalBackend) OperatorUserName() string {
 	b.mu.Lock()
 	defer b.mu.Unlock()
 	prefs := b.pm.CurrentPrefs()
@@ -6454,7 +6456,7 @@ func (b *LocalBackend) operatorUserName() string {
 // OperatorUserID returns the current pref's OperatorUser's ID (in
 // os/user.User.Uid string form), or the empty string if none.
 func (b *LocalBackend) OperatorUserID() string {
-	opUserName := b.operatorUserName()
+	opUserName := b.OperatorUserName()
 	if opUserName == "" {
 		return ""
 	}

ipn/ipnlocal/ssh.go

@@ -1,234 +0,0 @@
-// Copyright (c) Tailscale Inc & contributors
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build ((linux && !android) || (darwin && !ios) || freebsd || openbsd || plan9) && !ts_omit_ssh
-
-package ipnlocal
-
-import (
-	"bytes"
-	"crypto/ecdsa"
-	"crypto/ed25519"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/x509"
-	"encoding/pem"
-	"errors"
-	"fmt"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"runtime"
-	"slices"
-	"strings"
-	"sync"
-
-	"go4.org/mem"
-	"golang.org/x/crypto/ssh"
-	"tailscale.com/tailcfg"
-	"tailscale.com/util/lineiter"
-	"tailscale.com/util/mak"
-)
-
-// keyTypes are the SSH key types that we either try to read from the
-// system's OpenSSH keys or try to generate for ourselves when not
-// running as root.
-var keyTypes = []string{"rsa", "ecdsa", "ed25519"}
-
-// getSSHUsernames discovers and returns the list of usernames that are
-// potential Tailscale SSH user targets.
-//
-// Invariant: must not be called with b.mu held.
-func (b *LocalBackend) getSSHUsernames(req *tailcfg.C2NSSHUsernamesRequest) (*tailcfg.C2NSSHUsernamesResponse, error) {
-	res := new(tailcfg.C2NSSHUsernamesResponse)
-	if !b.tailscaleSSHEnabled() {
-		return res, nil
-	}
-
-	max := 10
-	if req != nil && req.Max != 0 {
-		max = req.Max
-	}
-
-	add := func(u string) {
-		if req != nil && req.Exclude[u] {
-			return
-		}
-		switch u {
-		case "nobody", "daemon", "sync":
-			return
-		}
-		if slices.Contains(res.Usernames, u) {
-			return
-		}
-		if len(res.Usernames) > max {
-			// Enough for a hint.
-			return
-		}
-		res.Usernames = append(res.Usernames, u)
-	}
-
-	if opUser := b.operatorUserName(); opUser != "" {
-		add(opUser)
-	}
-
-	// Check popular usernames and see if they exist with a real shell.
-	switch runtime.GOOS {
-	case "darwin":
-		out, err := exec.Command("dscl", ".", "list", "/Users").Output()
-		if err != nil {
-			return nil, err
-		}
-		for line := range lineiter.Bytes(out) {
-			line = bytes.TrimSpace(line)
-			if len(line) == 0 || line[0] == '_' {
-				continue
-			}
-			add(string(line))
-		}
-	default:
-		for lr := range lineiter.File("/etc/passwd") {
-			line, err := lr.Value()
-			if err != nil {
-				break
-			}
-			line = bytes.TrimSpace(line)
-			if len(line) == 0 || line[0] == '#' || line[0] == '_' {
-				continue
-			}
-			if mem.HasSuffix(mem.B(line), mem.S("/nologin")) ||
-				mem.HasSuffix(mem.B(line), mem.S("/false")) {
-				continue
-			}
-			before, _, ok := bytes.Cut(line, []byte{':'})
-			if ok {
-				add(string(before))
-			}
-		}
-	}
-	return res, nil
-}
-
-func (b *LocalBackend) GetSSH_HostKeys() (keys []ssh.Signer, err error) {
-	var existing map[string]ssh.Signer
-	if os.Geteuid() == 0 {
-		existing = b.getSystemSSH_HostKeys()
-	}
-	return b.getTailscaleSSH_HostKeys(existing)
-}
-
-// getTailscaleSSH_HostKeys returns the three (rsa, ecdsa, ed25519) SSH host
-// keys, reusing the provided ones in existing if present in the map.
-func (b *LocalBackend) getTailscaleSSH_HostKeys(existing map[string]ssh.Signer) (keys []ssh.Signer, err error) {
-	var keyDir string // lazily initialized $TAILSCALE_VAR/ssh dir.
-	for _, typ := range keyTypes {
-		if s, ok := existing[typ]; ok {
-			keys = append(keys, s)
-			continue
-		}
-		if keyDir == "" {
-			root := b.TailscaleVarRoot()
-			if root == "" {
-				return nil, errors.New("no var root for ssh keys")
-			}
-			keyDir = filepath.Join(root, "ssh")
-			if err := os.MkdirAll(keyDir, 0700); err != nil {
-				return nil, err
-			}
-		}
-		hostKey, err := b.hostKeyFileOrCreate(keyDir, typ)
-		if err != nil {
-			return nil, fmt.Errorf("error creating SSH host key type %q in %q: %w", typ, keyDir, err)
-		}
-		signer, err := ssh.ParsePrivateKey(hostKey)
-		if err != nil {
-			return nil, fmt.Errorf("error parsing SSH host key type %q from %q: %w", typ, keyDir, err)
-		}
-		keys = append(keys, signer)
-	}
-	return keys, nil
-}
-
-var keyGenMu sync.Mutex
-
-func (b *LocalBackend) hostKeyFileOrCreate(keyDir, typ string) ([]byte, error) {
-	keyGenMu.Lock()
-	defer keyGenMu.Unlock()
-
-	path := filepath.Join(keyDir, "ssh_host_"+typ+"_key")
-	v, err := os.ReadFile(path)
-	if err == nil {
-		return v, nil
-	}
-	if !os.IsNotExist(err) {
-		return nil, err
-	}
-	var priv any
-	switch typ {
-	default:
-		return nil, fmt.Errorf("unsupported key type %q", typ)
-	case "ed25519":
-		_, priv, err = ed25519.GenerateKey(rand.Reader)
-	case "ecdsa":
-		// curve is arbitrary. We pick whatever will at
-		// least pacify clients as the actual encryption
-		// doesn't matter: it's all over WireGuard anyway.
-		curve := elliptic.P256()
-		priv, err = ecdsa.GenerateKey(curve, rand.Reader)
-	case "rsa":
-		// keySize is arbitrary. We pick whatever will at
-		// least pacify clients as the actual encryption
-		// doesn't matter: it's all over WireGuard anyway.
-		const keySize = 2048
-		priv, err = rsa.GenerateKey(rand.Reader, keySize)
-	}
-	if err != nil {
-		return nil, err
-	}
-	mk, err := x509.MarshalPKCS8PrivateKey(priv)
-	if err != nil {
-		return nil, err
-	}
-	pemGen := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: mk})
-	err = os.WriteFile(path, pemGen, 0700)
-	return pemGen, err
-}
-
-func (b *LocalBackend) getSystemSSH_HostKeys() (ret map[string]ssh.Signer) {
-	for _, typ := range keyTypes {
-		filename := "/etc/ssh/ssh_host_" + typ + "_key"
-		hostKey, err := os.ReadFile(filename)
-		if err != nil || len(bytes.TrimSpace(hostKey)) == 0 {
-			continue
-		}
-		signer, err := ssh.ParsePrivateKey(hostKey)
-		if err != nil {
-			b.logf("warning: error reading host key %s: %v (generating one instead)", filename, err)
-			continue
-		}
-		mak.Set(&ret, typ, signer)
-	}
-	return ret
-}
-
-func (b *LocalBackend) getSSHHostKeyPublicStrings() ([]string, error) {
-	signers, err := b.GetSSH_HostKeys()
-	if err != nil {
-		return nil, err
-	}
-	var keyStrings []string
-	for _, signer := range signers {
-		keyStrings = append(keyStrings, strings.TrimSpace(string(ssh.MarshalAuthorizedKey(signer.PublicKey()))))
-	}
-	return keyStrings, nil
-}
-
-// tailscaleSSHEnabled reports whether Tailscale SSH is currently enabled based
-// on prefs. It returns false if there are no prefs set.
-func (b *LocalBackend) tailscaleSSHEnabled() bool {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	p := b.pm.CurrentPrefs()
-	return p.Valid() && p.RunSSH()
-}

ipn/ipnlocal/ssh_stub.go

@@ -1,20 +0,0 @@
-// Copyright (c) Tailscale Inc & contributors
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build ts_omit_ssh || ios || android || (!linux && !darwin && !freebsd && !openbsd && !plan9)
-
-package ipnlocal
-
-import (
-	"errors"
-
-	"tailscale.com/tailcfg"
-)
-
-func (b *LocalBackend) getSSHHostKeyPublicStrings() ([]string, error) {
-	return nil, nil
-}
-
-func (b *LocalBackend) getSSHUsernames(*tailcfg.C2NSSHUsernamesRequest) (*tailcfg.C2NSSHUsernamesResponse, error) {
-	return nil, errors.New("not implemented")
-}

ipn/ipnlocal/ssh_test.go

@@ -1,62 +0,0 @@
-// Copyright (c) Tailscale Inc & contributors
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build linux || (darwin && !ios)
-
-package ipnlocal
-
-import (
-	"encoding/json"
-	"reflect"
-	"testing"
-
-	"tailscale.com/health"
-	"tailscale.com/ipn/store/mem"
-	"tailscale.com/tailcfg"
-	"tailscale.com/util/eventbus/eventbustest"
-	"tailscale.com/util/must"
-)
-
-func TestSSHKeyGen(t *testing.T) {
-	dir := t.TempDir()
-	lb := &LocalBackend{varRoot: dir}
-	keys, err := lb.getTailscaleSSH_HostKeys(nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	got := map[string]bool{}
-	for _, k := range keys {
-		got[k.PublicKey().Type()] = true
-	}
-	want := map[string]bool{
-		"ssh-rsa":             true,
-		"ecdsa-sha2-nistp256": true,
-		"ssh-ed25519":         true,
-	}
-	if !reflect.DeepEqual(got, want) {
-		t.Fatalf("keys = %v; want %v", got, want)
-	}
-
-	keys2, err := lb.getTailscaleSSH_HostKeys(nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if !reflect.DeepEqual(keys, keys2) {
-		t.Errorf("got different keys on second call")
-	}
-}
-
-type fakeSSHServer struct {
-	SSHServer
-}
-
-func TestGetSSHUsernames(t *testing.T) {
-	pm := must.Get(newProfileManager(new(mem.Store), t.Logf, health.NewTracker(eventbustest.NewBus(t))))
-	b := &LocalBackend{pm: pm, store: pm.Store()}
-	b.sshServer = fakeSSHServer{}
-	res, err := b.getSSHUsernames(new(tailcfg.C2NSSHUsernamesRequest))
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Logf("Got: %s", must.Get(json.Marshal(res)))
-}