From 3b1f99ded1d1162b07122ba3ae04201f0493cfe8 Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick <bradfitz@tailscale.com>
Date: Tue, 28 Jun 2022 15:16:48 -0700
Subject: [PATCH] ssh/tailssh: fix Tailscale SSH to Linux Arch machines

See https://github.com/tailscale/tailscale/issues/4924#issuecomment-1168201823

Arch uses a different login binary that makes the -h flag set the PAM
service to "remote". So if they don't have that configured, don't pass -h.

Thanks to @eddiezane for debugging!

Updates #4924

Change-Id: I8d33e0afb2dfb99517bcea2f9d5d0c6247519b3c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
---
 ssh/tailssh/incubator_linux.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/ssh/tailssh/incubator_linux.go b/ssh/tailssh/incubator_linux.go
index 38a644fbd..4c8d03bd5 100644
--- a/ssh/tailssh/incubator_linux.go
+++ b/ssh/tailssh/incubator_linux.go
@@ -17,6 +17,7 @@ import (
 
 	"github.com/godbus/dbus/v5"
 	"tailscale.com/types/logger"
+	"tailscale.com/version/distro"
 )
 
 func init() {
@@ -174,7 +175,20 @@ func maybeStartLoginSessionLinux(logf logger.Logf, ia incubatorArgs) (func() err
 	return nil, nil
 }
 
+func fileExists(path string) bool {
+	_, err := os.Stat(path)
+	return err == nil
+}
+
 func (ia *incubatorArgs) loginArgs() []string {
+	if distro.Get() == distro.Arch && !fileExists("/etc/pam.d/remote") {
+		// See https://github.com/tailscale/tailscale/issues/4924
+		//
+		// Arch uses a different login binary that makes the -h flag set the PAM
+		// service to "remote". So if they don't have that configured, don't
+		// pass -h.
+		return []string{ia.loginCmdPath, "-f", ia.localUser, "-p"}
+	}
 	return []string{ia.loginCmdPath, "-f", ia.localUser, "-h", ia.remoteIP, "-p"}
 }