tailcfg: add field to allow LocalPortForwarding in SSHAction

Updates #3802, #4129

Signed-off-by: Maisem Ali <maisem@tailscale.com>
Maisem Ali 3 years ago committed by Maisem Ali
parent 98b45ef12c
commit 45a7f6689c

@ -71,7 +71,7 @@ func (srv *server) newSSHServer() (*ssh.Server, error) {
"direct-tcpip": ssh.DirectTCPIPHandler, "direct-tcpip": ssh.DirectTCPIPHandler,
}, },
Version: "SSH-2.0-Tailscale", Version: "SSH-2.0-Tailscale",
LocalPortForwardingCallback: srv.portForward, LocalPortForwardingCallback: srv.mayForwardLocalPortTo,
} }
for k, v := range ssh.DefaultRequestHandlers { for k, v := range ssh.DefaultRequestHandlers {
ss.RequestHandlers[k] = v ss.RequestHandlers[k] = v
@ -105,11 +105,15 @@ type server struct {
var debugPolicyFile = envknob.String("TS_DEBUG_SSH_POLICY_FILE") var debugPolicyFile = envknob.String("TS_DEBUG_SSH_POLICY_FILE")
// portForward reports whether the ctx should be allowed to port forward // mayForwardLocalPortTo reports whether the ctx should be allowed to port forward
// to the specified host and port. // to the specified host and port.
// TODO(bradfitz/maisem): should we have more checks on host/port? // TODO(bradfitz/maisem): should we have more checks on host/port?
func (srv *server) portForward(ctx ssh.Context, destinationHost string, destinationPort uint32) bool { func (srv *server) mayForwardLocalPortTo(ctx ssh.Context, destinationHost string, destinationPort uint32) bool {
return srv.isActiveSession(ctx) ss, ok := srv.getSessionForContext(ctx)
if !ok {
return false
}
return ss.action.AllowLocalPortForwarding
} }
// sshPolicy returns the SSHPolicy for current node. // sshPolicy returns the SSHPolicy for current node.
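Review bot: `return ss.action.AllowLocalPortForwarding` dereferences `ss.action` without checking it, and the declaration of that field is not in this hunk; if it is a pointer that can still be nil while the session is registered in activeSessionByH, a client requesting direct-tcpip at that moment would panic the callback rather than be refused. If that is possible, a guard of the form `if ss.action == nil { return false }` before the return keeps the fail-closed behaviour that the `!ok` branch already gives. Separately, destinationHost and destinationPort are still unused, so the decision is purely per-session policy with no restriction on where the forward goes; the existing TODO on the line above the signature still applies and the new name should not be read as implying any destination check.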
@ -343,13 +347,12 @@ func (ss *sshSession) killProcessOnContextDone() {
}) })
} }
// isActiveSession reports whether the ssh.Context corresponds // sessionAction returns the SSHAction associated with the session.
// to an active session. func (srv *server) getSessionForContext(sctx ssh.Context) (ss *sshSession, ok bool) {
func (srv *server) isActiveSession(sctx ssh.Context) bool {
srv.mu.Lock() srv.mu.Lock()
defer srv.mu.Unlock() defer srv.mu.Unlock()
_, ok := srv.activeSessionByH[sctx.SessionID()] ss, ok = srv.activeSessionByH[sctx.SessionID()]
return ok return
} }
// startSession registers ss as an active session. // startSession registers ss as an active session.
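Review bot: The doc comment on getSessionForContext does not match the function: it reads `// sessionAction returns the SSHAction associated with the session.` but the function is named getSessionForContext and returns `(*sshSession, bool)`, not an action. Go doc tooling keys on the leading identifier, so this comment will be attached to the wrong name. Suggested replacement: `// getSessionForContext returns the active sshSession registered for sctx's session ID, and whether one exists.`.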

@ -1628,6 +1628,10 @@ type SSHAction struct {
// response, it should be re-fetched as long as the SSH // response, it should be re-fetched as long as the SSH
// session is open. // session is open.
HoldAndDelegate string `json:"holdAndDelegate,omitempty"` HoldAndDelegate string `json:"holdAndDelegate,omitempty"`
// AllowLocalPortForwarding, if true, allows accepted connections
// to use local port forwarding if requested.
AllowLocalPortForwarding bool `json:"allowLocalPortForwarding,omitempty"`
} }
// OverTLSPublicKeyResponse is the JSON response to /key?v=<n> // OverTLSPublicKeyResponse is the JSON response to /key?v=<n>
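Review bot: The comment on AllowLocalPortForwarding does not state the default, which is the part a policy author needs: with `omitempty` and a bool zero value, an SSHAction that omits the field denies local port forwarding. Suggested wording: `// AllowLocalPortForwarding, if true, allows accepted connections to use local port forwarding if requested. If false or unset, port forwarding is refused.`.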
