ssh/tailssh: add envknobs to force override forwarding, sftp, pty

Updates tailscale/corp#15735

Change-Id: Ib1303406be925c3231ce7e0950a173ad12626492
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Brad Fitzpatrick 1 year ago committed by Brad Fitzpatrick
parent ffabe5fe21
commit 53c4adc982

@ -465,6 +465,12 @@ func (ss *sshSession) launchProcess() error {
ss.logf("starting non-pty command: %+v", cmd.Args) ss.logf("starting non-pty command: %+v", cmd.Args)
return ss.startWithStdPipes() return ss.startWithStdPipes()
} }
if sshDisablePTY() {
ss.logf("pty support disabled by envknob")
return errors.New("pty support disabled by envknob")
}
ss.ptyReq = &ptyReq ss.ptyReq = &ptyReq
pty, tty, err := ss.startWithPTY() pty, tty, err := ss.startWithPTY()
if err != nil { if err != nil {
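Review bot: The new pty guard in launchProcess both logs and returns the same string, which the caller will most likely log again; one layer should own that message. Either drop the `ss.logf` line and let the caller report the error, or promote it to a package-level sentinel such as `var errPTYDisabled = errors.New("pty support disabled by envknob")` so the caller can `errors.Is` it and decide how loudly to surface it. Note the check only runs once the session reaches launchProcess, so a client that already negotiated a pty request earlier in the session (if that happens before this point; not visible here) learns of the denial only at exec time, which is acceptable for a kill switch but worth a comment such as `// Deny-only host override; does not widen anything finalAction permits.` launchProcess starts and ends outside this hunk.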

@ -49,7 +49,10 @@ import (
) )
var ( var (
sshVerboseLogging = envknob.RegisterBool("TS_DEBUG_SSH_VLOG") sshVerboseLogging = envknob.RegisterBool("TS_DEBUG_SSH_VLOG")
sshDisableSFTP = envknob.RegisterBool("TS_SSH_DISABLE_SFTP")
sshDisableForwarding = envknob.RegisterBool("TS_SSH_DISABLE_FORWARDING")
sshDisablePTY = envknob.RegisterBool("TS_SSH_DISABLE_PTY")
) )
const ( const (
@ -473,6 +476,9 @@ func (srv *server) newConn() (*conn, error) {
// to the specified host and port. // to the specified host and port.
// TODO(bradfitz/maisem): should we have more checks on host/port? // TODO(bradfitz/maisem): should we have more checks on host/port?
func (c *conn) mayReversePortForwardTo(ctx ssh.Context, destinationHost string, destinationPort uint32) bool { func (c *conn) mayReversePortForwardTo(ctx ssh.Context, destinationHost string, destinationPort uint32) bool {
if sshDisableForwarding() {
return false
}
if c.finalAction != nil && c.finalAction.AllowRemotePortForwarding { if c.finalAction != nil && c.finalAction.AllowRemotePortForwarding {
metricRemotePortForward.Add(1) metricRemotePortForward.Add(1)
return true return true
@ -484,6 +490,9 @@ func (c *conn) mayReversePortForwardTo(ctx ssh.Context, destinationHost string,
// to the specified host and port. // to the specified host and port.
// TODO(bradfitz/maisem): should we have more checks on host/port? // TODO(bradfitz/maisem): should we have more checks on host/port?
func (c *conn) mayForwardLocalPortTo(ctx ssh.Context, destinationHost string, destinationPort uint32) bool { func (c *conn) mayForwardLocalPortTo(ctx ssh.Context, destinationHost string, destinationPort uint32) bool {
if sshDisableForwarding() {
return false
}
if c.finalAction != nil && c.finalAction.AllowLocalPortForwarding { if c.finalAction != nil && c.finalAction.AllowLocalPortForwarding {
metricLocalPortForward.Add(1) metricLocalPortForward.Add(1)
return true return true
@ -713,6 +722,11 @@ func (c *conn) handleSessionPostSSHAuth(s ssh.Session) {
// Do this check after auth, but before starting the session. // Do this check after auth, but before starting the session.
switch s.Subsystem() { switch s.Subsystem() {
case "sftp": case "sftp":
if sshDisableSFTP() {
fmt.Fprintf(s.Stderr(), "sftp disabled\r\n")
s.Exit(1)
return
}
metricSFTP.Add(1) metricSFTP.Add(1)
case "": case "":
// Regular SSH session. // Regular SSH session.
@ -988,6 +1002,12 @@ func (ss *sshSession) handleSSHAgentForwarding(s ssh.Session, lu *userMeta) erro
if !ssh.AgentRequested(ss) || !ss.conn.finalAction.AllowAgentForwarding { if !ssh.AgentRequested(ss) || !ss.conn.finalAction.AllowAgentForwarding {
return nil return nil
} }
if sshDisableForwarding() {
// TODO(bradfitz): or do we want to return an error here instead so the user
// gets an error if they ran with ssh -A? But for now we just silently
// don't work, like the condition above.
return nil
}
ss.logf("ssh: agent forwarding requested") ss.logf("ssh: agent forwarding requested")
ln, err := ssh.NewAgentListener() ln, err := ssh.NewAgentListener()
if err != nil { if err != nil {
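Review bot: The sftp refusal in handleSessionPostSSHAuth writes "sftp disabled" to the client and exits, but nothing is logged server-side, so an operator who set TS_SSH_DISABLE_SFTP gets no audit trail of rejected sessions, whereas the pty path logs before failing. Add `c.logf("ssh: sftp subsystem disabled by envknob; rejecting session")` ahead of the `fmt.Fprintf(s.Stderr(), ...)` line, assuming conn exposes logf as the rest of the file appears to. The three knobs in the var block also deserve a comment making their security property explicit: every new check either returns false, errors out, or falls through to the existing finalAction test, so they can only narrow what the SSH policy already allows, never grant more; something like `// TS_SSH_DISABLE_* are host-local deny-only overrides: they restrict what the SSH policy's finalAction permits and can never widen it.` The agent-forwarding branch silently ignores `ssh -A` as its TODO admits; returning an error there would make the denial observable to the user and consistent with the pty path. handleSSHAgentForwarding continues past the end of this hunk.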
