From 3d180c03764d4aebdc9804fe08e858a5233b7e26 Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick
Date: Tue, 29 Mar 2022 17:31:44 -0700
Subject: [PATCH] go.mod, ssh/tailssh, tempfork/gliderlabs: bump x/crypto/ssh fork for NoClientAuthCallback

Prep for evaluating SSHPolicy earlier to decide whether certs are required, which requires knowing the target SSH user.

Updates #3802

Change-Id: I2753ec8069e7f19c9121300d0fb0813c1c627c36
Signed-off-by: Brad Fitzpatrick
---
 go.mod | 4 ++--
 go.sum | 4 ++--
 ssh/tailssh/tailssh.go | 5 +++++
 tempfork/gliderlabs/ssh/server.go | 6 ++++++
 4 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/go.mod b/go.mod
index 2cf49038a..073c79d28 100644
--- a/go.mod
+++ b/go.mod
@@ -17,7 +17,6 @@ require (
 github.com/creack/pty v1.1.17
 github.com/dave/jennifer v1.4.1
 github.com/frankban/quicktest v1.14.0
- github.com/gliderlabs/ssh v0.3.3
 github.com/go-ole/go-ole v1.2.6
 github.com/godbus/dbus/v5 v5.0.6
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
@@ -41,6 +40,7 @@ require (
 github.com/tailscale/certstore v0.1.1-0.20220316223106-78d6e1c49d8d
 github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41
+ github.com/tailscale/golang-x-crypto v0.0.0-20220330002111-62119522bbcf
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05
 github.com/tailscale/hujson v0.0.0-20211105212140-3a0adc019d83
 github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85
@@ -116,6 +116,7 @@ require (
 github.com/fatih/structtag v1.2.0 // indirect
 github.com/fsnotify/fsnotify v1.5.1 // indirect
 github.com/fzipp/gocyclo v0.3.1 // indirect
+ github.com/gliderlabs/ssh v0.3.3 // indirect
 github.com/go-critic/go-critic v0.6.1 // indirect
 github.com/go-git/gcfg v1.5.0 // indirect
 github.com/go-git/go-billy/v5 v5.3.1 // indirect
@@ -233,7 +234,6 @@ require (
 github.com/stretchr/testify v1.7.0 // indirect
 github.com/subosito/gotenv v1.2.0 // indirect
 github.com/sylvia7788/contextcheck v1.0.4 // indirect
- github.com/tailscale/golang-x-crypto v0.0.0-20220326011347-d690bbfb6b5f // indirect
 github.com/tdakkota/asciicheck v0.1.1 // indirect
 github.com/tetafro/godot v1.4.11 // indirect
 github.com/timakin/bodyclose v0.0.0-20210704033933-f49887972144 // indirect
diff --git a/go.sum b/go.sum
index 07bb4242f..dc9ed7513 100644
--- a/go.sum
+++ b/go.sum
@@ -1087,8 +1087,8 @@ github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502 h1:34icjjmqJ2HP
 github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502/go.mod h1:p9lPsd+cx33L3H9nNoecRRxPssFKUwwI50I3pZ0yT+8=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41 h1:/V2rCMMWcsjYaYO2MeovLw+ClP63OtXgCF2Y1eb8+Ns=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41/go.mod h1:/roCdA6gg6lQyw/Oz6gIIGu3ggJKYhF+WC/AQReE5XQ=
-github.com/tailscale/golang-x-crypto v0.0.0-20220326011347-d690bbfb6b5f h1:SO0bJlfWstNuolA3zjWDcLq0mjLfIw6RWEImAPxCkSU=
-github.com/tailscale/golang-x-crypto v0.0.0-20220326011347-d690bbfb6b5f/go.mod h1:95n9fbUCixVSI4QXLEvdKJjnYK2eUlkTx9+QwLPXFKU=
+github.com/tailscale/golang-x-crypto v0.0.0-20220330002111-62119522bbcf h1:+DSoknr7gaiW2LlViX6+ko8TBdxTLkvOBbIWQtYyMaE=
+github.com/tailscale/golang-x-crypto v0.0.0-20220330002111-62119522bbcf/go.mod h1:95n9fbUCixVSI4QXLEvdKJjnYK2eUlkTx9+QwLPXFKU=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 h1:4chzWmimtJPxRs2O36yuGRW3f9SYV+bMTTvMBI0EKio=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05/go.mod h1:PdCqy9JzfWMJf1H5UJW2ip33/d4YkoKN0r67yKH1mG8=
 github.com/tailscale/hujson v0.0.0-20211105212140-3a0adc019d83 h1:f7nwzdAHTUUOJjHZuDvLz9CEAlUM228amCRvwzlPvsA=
diff --git a/ssh/tailssh/tailssh.go b/ssh/tailssh/tailssh.go
index f679d23f4..3fcd87d09 100644
--- a/ssh/tailssh/tailssh.go
+++ b/ssh/tailssh/tailssh.go
@@ -29,6 +29,7 @@ import (
 "sync"
 "time"
 
+ gossh "github.com/tailscale/golang-x-crypto/ssh"
 "inet.af/netaddr"
 "tailscale.com/envknob"
 "tailscale.com/ipn/ipnlocal"
@@ -75,6 +76,10 @@ func (srv *server) newSSHServer() (*ssh.Server, error) {
 },
 Version: "SSH-2.0-Tailscale",
 LocalPortForwardingCallback: srv.mayForwardLocalPortTo,
+ NoClientAuthCallback: func(m gossh.ConnMetadata) (*gossh.Permissions, error) {
+ srv.logf("SSH connection from %v for %q; client ver %q", m.RemoteAddr(), m.User(), m.ClientVersion())
+ return nil, nil
+ },
 }
 for k, v := range ssh.DefaultRequestHandlers {
 ss.RequestHandlers[k] = v
diff --git a/tempfork/gliderlabs/ssh/server.go b/tempfork/gliderlabs/ssh/server.go
index 934139e2c..c9372c43c 100644
--- a/tempfork/gliderlabs/ssh/server.go
+++ b/tempfork/gliderlabs/ssh/server.go
@@ -38,6 +38,8 @@ type Server struct {
 HostSigners []Signer // private keys for the host key, must have at least one
 Version string // server version to be sent before the initial handshake
 
+ NoClientAuthCallback func(gossh.ConnMetadata) (*gossh.Permissions, error)
+
 KeyboardInteractiveHandler KeyboardInteractiveHandler // keyboard-interactive authentication handler
 PasswordHandler PasswordHandler // password authentication handler
 PublicKeyHandler PublicKeyHandler // public key authentication handler
@@ -129,6 +131,10 @@ func (srv *Server) config(ctx Context) *gossh.ServerConfig {
 if srv.PasswordHandler == nil && srv.PublicKeyHandler == nil && srv.KeyboardInteractiveHandler == nil {
 config.NoClientAuth = true
 }
+ if srv.NoClientAuthCallback != nil {
+ config.NoClientAuth = true
+ config.NoClientAuthCallback = srv.NoClientAuthCallback
+ }
 if srv.Version != "" {
 config.ServerVersion = "SSH-2.0-" + srv.Version
 }
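Review bot: The NoClientAuthCallback added to newSSHServer returns `nil, nil` for every connection, and the server.go hunk in this same patch sets `config.NoClientAuth = true` whenever the callback is non-nil, so at the SSH authentication layer any peer-supplied user name is accepted with no credential and every access decision has to happen later; nothing in the hunk records that contract. A comment on the callback would keep the next reader from mistaking it for an auth check, e.g. `// Accept the connection at the SSH auth layer for any user; policy is evaluated later (TODO #3802: evaluate SSHPolicy here, which needs m.User()).`. The `%q` verbs for m.User() and m.ClientVersion() are the right choice since both strings are peer-controlled. newSSHServer's body begins and continues outside the hunk.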
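Review bot: The new NoClientAuthCallback field on Server is the only field in this struct hunk without a trailing doc comment, and its effect is not obvious from the declaration alone: per the config hunk below, a non-nil value forces NoClientAuth on and is copied into the gossh.ServerConfig. Suggest `NoClientAuthCallback func(gossh.ConnMetadata) (*gossh.Permissions, error) // if non-nil, enables NoClientAuth and is passed to the underlying gossh.ServerConfig`, matching the style of the neighbouring handler fields. The Server struct continues outside the hunk.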
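Review bot: In config, the new `if srv.NoClientAuthCallback != nil` block sets `config.NoClientAuth = true` unconditionally, whereas the line just above only does so when no Password/PublicKey/KeyboardInteractive handler is configured; a caller that sets both a handler and the callback therefore gets the "none" method enabled alongside the handler, presumably with the callback deciding whether an unauthenticated attempt succeeds (if the fork keeps upstream x/crypto's meaning of NoClientAuth). That interaction is not stated anywhere and is easy to miss when reading only the field. A why-comment on the block would help, e.g. `// A NoClientAuthCallback implies NoClientAuth: the callback, not the handlers above, decides whether a "none" auth attempt is accepted.`. config's body continues outside the hunk.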