From 3012a2e1ca0759f8755833bd695277d4f5cdac42 Mon Sep 17 00:00:00 2001
From: Maisem Ali
Date: Fri, 29 Apr 2022 15:57:55 -0700
Subject: [PATCH] ssh/tailssh,ipn/ipnlocal: terminate any active sessions on `up --ssh=false`

Currently the ssh session isn't terminated cleanly, instead the packets are just are no longer routed to the in-proc SSH server. This makes it so that clients get a disconnection when the `RunSSH` pref changes to `false`.

Updates #3802

Signed-off-by: Maisem Ali
---
 ipn/ipnlocal/local.go | 4 ++++
 ssh/tailssh/tailssh.go | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/ipn/ipnlocal/local.go b/ipn/ipnlocal/local.go
index 324ca652b..5cc66b061 100644
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -1912,6 +1912,10 @@ func (b *LocalBackend) setPrefsLockedOnEntry(caller string, newp *ipn.Prefs) {
 b.authReconfig()
 }
+ if oldp.RunSSH && !newp.RunSSH && b.sshServer != nil {
+ go b.sshServer.OnPolicyChange()
+ }
+
 b.send(ipn.Notify{Prefs: newp})
 }
diff --git a/ssh/tailssh/tailssh.go b/ssh/tailssh/tailssh.go
index 9d71f1ef0..e284c89ce 100644
--- a/ssh/tailssh/tailssh.go
+++ b/ssh/tailssh/tailssh.go
@@ -307,6 +307,9 @@ func (c *conn) havePubKeyPolicy(ci *sshConnInfo) bool {
 // if one is defined.
 func (c *conn) sshPolicy() (_ *tailcfg.SSHPolicy, ok bool) {
 lb := c.srv.lb
+ if !lb.ShouldRunSSH() {
+ return nil, false
+ }
 nm := lb.NetMap()
 if nm == nil {
 return nil, false
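Review bot: The `go b.sshServer.OnPolicyChange()` call in setPrefsLockedOnEntry is fire-and-forget and carries no comment saying why it needs its own goroutine, so `b.send(ipn.Notify{Prefs: newp})` can announce SSH as disabled while existing sessions are still open. If the reason is that OnPolicyChange calls back into the backend (sshPolicy in the tailssh.go hunk reads `lb.ShouldRunSSH()` and `lb.NetMap()`) and must not run under the lock this function is entered with, that should be stated, for example `// Asynchronous: OnPolicyChange re-reads prefs through the backend and must not run on this call path.`, with the wording checked against the locking actually in effect here; the function body starts outside the hunk. The diffstat lists only the two source files, so this access-revocation path has no regression test in the commit; one asserting that an active session is closed when RunSSH goes from true to false would pin the behaviour.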
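Review bot: The doc comment above sshPolicy, of which only the last line `// if one is defined.` is visible in this hunk, does not mention the new early return, so a server disabled in prefs is now indistinguishable to callers from a missing netmap or an undefined policy. I would extend the comment with `// It also reports ok == false when lb.ShouldRunSSH() is false, so a disabled server is treated as having no policy.` Because this return is presumably what causes OnPolicyChange to drop existing sessions, a log line at the point where a session is closed for this reason would help when someone investigates an unexpected disconnect. The rest of the function lies outside the hunk.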