ipn/ipnlocal, feature/ssh: move SSH code out of LocalBackend to feature

This makes tsnet apps not depend on x/crypto/ssh and locks that in with a test.

It also paves the way for tsnet apps to opt-in to SSH support via a
blank feature import in the future.

Updates #12614

Change-Id: Ica85628f89c8f015413b074f5001b82b27c953a9
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Brad Fitzpatrick
2026-03-10 21:33:12 +00:00
committed by Brad Fitzpatrick
parent 99e3e9af51
commit f905871fb1
23 changed files with 371 additions and 423 deletions
+4 -7
@@ -396,8 +396,7 @@ tailscale.com/tsnet dependencies: (generated by github.com/tailscale/depaware)
golang.org/x/crypto/argon2 from tailscale.com/tka
golang.org/x/crypto/blake2b from golang.org/x/crypto/argon2+
golang.org/x/crypto/blake2s from github.com/tailscale/wireguard-go/device+
LD golang.org/x/crypto/blowfish from golang.org/x/crypto/ssh/internal/bcrypt_pbkdf
golang.org/x/crypto/chacha20 from golang.org/x/crypto/chacha20poly1305+
golang.org/x/crypto/chacha20 from golang.org/x/crypto/chacha20poly1305
golang.org/x/crypto/chacha20poly1305 from github.com/tailscale/wireguard-go/device+
golang.org/x/crypto/curve25519 from github.com/tailscale/wireguard-go/device+
golang.org/x/crypto/hkdf from tailscale.com/control/controlbase
@@ -407,8 +406,6 @@ tailscale.com/tsnet dependencies: (generated by github.com/tailscale/depaware)
golang.org/x/crypto/nacl/secretbox from golang.org/x/crypto/nacl/box
golang.org/x/crypto/poly1305 from github.com/tailscale/wireguard-go/device
golang.org/x/crypto/salsa20/salsa from golang.org/x/crypto/nacl/box+
LD golang.org/x/crypto/ssh from tailscale.com/ipn/ipnlocal
LD golang.org/x/crypto/ssh/internal/bcrypt_pbkdf from golang.org/x/crypto/ssh
golang.org/x/exp/constraints from tailscale.com/tsweb/varz+
golang.org/x/exp/maps from tailscale.com/ipn/store/mem+
golang.org/x/net/bpf from github.com/mdlayher/netlink+
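Review bot: this file only proves the tsnet side of the move. The dropped line `LD golang.org/x/crypto/ssh from tailscale.com/ipn/ipnlocal` shows ipn/ipnlocal was the importer that pulled SSH in, so once that import is gone every binary that is expected to serve SSH has to reach x/crypto/ssh through the feature package instead. Please confirm in the same change that the depaware output for the daemon still lists golang.org/x/crypto/ssh, so a build that should keep SSH does not lose it silently.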
@@ -469,7 +466,7 @@ tailscale.com/tsnet dependencies: (generated by github.com/tailscale/depaware)
crypto/aes from crypto/tls+
crypto/cipher from crypto/aes+
crypto/des from crypto/tls+
crypto/dsa from crypto/x509+
crypto/dsa from crypto/x509
crypto/ecdh from crypto/ecdsa+
crypto/ecdsa from crypto/tls+
crypto/ed25519 from crypto/tls+
@@ -518,9 +515,9 @@ tailscale.com/tsnet dependencies: (generated by github.com/tailscale/depaware)
crypto/internal/randutil from crypto/internal/rand
crypto/internal/sysrand from crypto/internal/fips140/drbg
crypto/md5 from crypto/tls+
crypto/mlkem from golang.org/x/crypto/ssh+
crypto/mlkem from crypto/hpke+
crypto/rand from crypto/ed25519+
crypto/rc4 from crypto/tls+
crypto/rc4 from crypto/tls
crypto/rsa from crypto/tls+
crypto/sha1 from crypto/tls+
crypto/sha256 from crypto/tls+
+4
@@ -2631,6 +2631,10 @@ func TestDeps(t *testing.T) {
deptest.DepChecker{
GOOS: "linux",
GOARCH: "amd64",
BadDeps: map[string]string{
"golang.org/x/crypto/ssh": "tsnet should not depend on SSH",
"golang.org/x/crypto/ssh/internal/bcrypt_pbkdf": "tsnet should not depend on SSH",
},
OnDep: func(dep string) {
if strings.Contains(dep, "portlist") {
t.Errorf("unexpected dep: %q", dep)
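Review bot: the new BadDeps entries are only evaluated for `GOOS: "linux"` and `GOARCH: "amd64"`, while the depaware lines removed for golang.org/x/crypto/ssh and its bcrypt_pbkdf package carried the LD tag, meaning the dependency was present on darwin as well as linux. Consider running the same DepChecker for darwin too (a second checker or a loop over both), so the "tsnet should not depend on SSH" guarantee is locked in on every platform where the dependency used to exist rather than on linux alone.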