archive
/
tailscale
mirror of https://github.com/tailscale/tailscale/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

ssh/tailssh: support placeholders in SSHAction.HoldAndDelegate URL

Browse Source 
Updates #3802

Change-Id: I60f9827409d14fd4f4824d102ba11db49bf0d365
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
pull/4259/head
Brad Fitzpatrick 3 years ago committed by Brad Fitzpatrick
parent 257d75beb1
commit 091ea4a4a5
2 changed files with 64 additions and 28 deletions
Show Stats Download Patch File Download Diff File

89
ssh/tailssh/tailssh.go
Unescape Escape View File

@ -214,48 +214,76 @@ func (srv *server) handleSSH(s ssh.Session) {
return return
} }
lu, err := user.Lookup(localUser)
if err != nil {
logf("ssh: user Lookup %q: %v", localUser, err)
s.Exit(1)
return
}
ss := srv.newSSHSession(s, ci, lu)
action, err = ss.resolveTerminalAction(action)
if err != nil {
logf("ssh: resolveTerminalAction: %v", err)
io.WriteString(s.Stderr(), "Access denied: failed to resolve SSHAction.\n")
s.Exit(1)
return
}
if action.Reject || !action.Accept {
logf("ssh: access denied for %q from %v", ci.uprof.LoginName, ci.src.IP())
s.Exit(1)
return
}
ss.action = action
ss.run()
}
// resolveTerminalAction either returns action (if it's Accept or Reject) or else
// loops, fetching new SSHActions from the control plane.
//
// Any action with a Message in the chain will be printed to ss.
//
// The returned SSHAction will be either Reject or Accept.
func (ss *sshSession) resolveTerminalAction(action *tailcfg.SSHAction) (*tailcfg.SSHAction, error) {
// Loop processing/fetching Actions until one reaches a // Loop processing/fetching Actions until one reaches a
// terminal state (Accept, Reject, or invalid Action), or // terminal state (Accept, Reject, or invalid Action), or
// until fetchSSHAction times out due to the context being // until fetchSSHAction times out due to the context being
// done (client disconnect) or its 30 minute timeout passes. // done (client disconnect) or its 30 minute timeout passes.
// (Which is a long time for somebody to see login // (Which is a long time for somebody to see login
// instructions and go to a URL to do something.) // instructions and go to a URL to do something.)
ProcessAction:
for { for {
if action.Message != "" { if action.Message != "" {
io.WriteString(s.Stderr(), strings.Replace(action.Message, "\n", "\r\n", -1)) io.WriteString(ss.Stderr(), strings.Replace(action.Message, "\n", "\r\n", -1))
} }
if action.Reject { if action.Accept || action.Reject {
logf("ssh: access denied for %q from %v", ci.uprof.LoginName, ci.src.IP()) return action, nil
s.Exit(1)
return
}
if action.Accept {
break ProcessAction
} }
url := action.HoldAndDelegate url := action.HoldAndDelegate
if url == "" { if url == "" {
logf("ssh: access denied; SSHAction has neither Reject, Accept, or next step URL") return nil, errors.New("reached Action that lacked Accept, Reject, and HoldAndDelegate")
s.Exit(1)
return
} }
action, err = srv.fetchSSHAction(s.Context(), url) url = ss.expandDelegateURL(url)
var err error
action, err = ss.srv.fetchSSHAction(ss.Context(), url)
if err != nil { if err != nil {
logf("ssh: fetching SSAction from %s: %v", url, err) return nil, fmt.Errorf("fetching SSHAction from %s: %w", url, err)
s.Exit(1)
return
} }
} }
}
lu, err := user.Lookup(localUser) func (ss *sshSession) expandDelegateURL(url string) string {
if err != nil { nm := ss.srv.lb.NetMap()
logf("ssh: user Lookup %q: %v", localUser, err) var dstNodeID string
s.Exit(1) if nm != nil {
return dstNodeID = fmt.Sprint(int64(nm.SelfNode.ID))
} }
return strings.NewReplacer(
ss := srv.newSSHSession(s, ci, lu, action) "$SRC_NODE_ID", fmt.Sprint(int64(ss.connInfo.node.ID)),
ss.run() "$DST_NODE_ID", dstNodeID,
"$SSH_USER", ss.connInfo.sshUser,
"$LOCAL_USER", ss.localUser.Username,
).Replace(url)
} }
// sshSession is an accepted Tailscale SSH session. // sshSession is an accepted Tailscale SSH session.
@ -284,7 +312,7 @@ type sshSession struct {
exitOnce sync.Once exitOnce sync.Once
} }
func (srv *server) newSSHSession(s ssh.Session, ci *sshConnInfo, lu *user.User, action *tailcfg.SSHAction) *sshSession { func (srv *server) newSSHSession(s ssh.Session, ci *sshConnInfo, lu *user.User) *sshSession {
sharedID := fmt.Sprintf("%s-%02x", ci.now.UTC().Format("20060102T150405"), randBytes(5)) sharedID := fmt.Sprintf("%s-%02x", ci.now.UTC().Format("20060102T150405"), randBytes(5))
return &sshSession{ return &sshSession{
Session: s, Session: s,
@ -292,7 +320,6 @@ func (srv *server) newSSHSession(s ssh.Session, ci *sshConnInfo, lu *user.User,
sharedID: sharedID, sharedID: sharedID,
ctx: newSSHContext(), ctx: newSSHContext(),
srv: srv, srv: srv,
action: action,
localUser: lu, localUser: lu,
connInfo: ci, connInfo: ci,
logf: logger.WithPrefix(srv.logf, "ssh-session("+sharedID+"): "), logf: logger.WithPrefix(srv.logf, "ssh-session("+sharedID+"): "),
@ -317,12 +344,20 @@ func (srv *server) fetchSSHAction(ctx context.Context, url string) (*tailcfg.SSH
continue continue
} }
if res.StatusCode != 200 { if res.StatusCode != 200 {
body, _ := io.ReadAll(res.Body)
res.Body.Close() res.Body.Close()
if len(body) > 1<<10 {
body = body[:1<<10]
}
srv.logf("fetch of %v: %s, %s", url, res.Status, body)
bo.BackOff(ctx, fmt.Errorf("unexpected status: %v", res.Status)) bo.BackOff(ctx, fmt.Errorf("unexpected status: %v", res.Status))
continue continue
} }
a := new(tailcfg.SSHAction) a := new(tailcfg.SSHAction)
if err := json.NewDecoder(res.Body).Decode(a); err != nil { err = json.NewDecoder(res.Body).Decode(a)
res.Body.Close()
if err != nil {
srv.logf("invalid next SSHAction JSON from %v: %v", url, err)
bo.BackOff(ctx, err) bo.BackOff(ctx, err)
continue continue
} }

3
ssh/tailssh/tailssh_test.go
Unescape Escape View File

@ -224,7 +224,8 @@ func TestSSH(t *testing.T) {
} }
ss.Handler = func(s ssh.Session) { ss.Handler = func(s ssh.Session) {
ss := srv.newSSHSession(s, ci, u, &tailcfg.SSHAction{Accept: true}) ss := srv.newSSHSession(s, ci, u)
ss.action = &tailcfg.SSHAction{Accept: true}
ss.run() ss.run()
} }

Write Preview
Loading…
Cancel
Save