ssh/tailssh: make checkStillValid also consider username changes

Currently, if the policy changes while a session is logged in as local
user "u1" and the new policy now says they may only log in as "u2", the
user doesn't get kicked out, because they had requested
`rando@<ssh-host>` and the defaulting had mapped that to `u1`.

Signed-off-by: Maisem Ali <maisem@tailscale.com>
Maisem Ali 2 years ago committed by Maisem Ali
parent a04eebf59f
commit 91a187bf87

@ -524,8 +524,8 @@ func (srv *server) newSSHSession(s ssh.Session, ci *sshConnInfo, lu *user.User)
// If not, it terminates the session.
func (ss *sshSession) checkStillValid() {
ci := ss.connInfo
a, _, _, err := ss.srv.evaluatePolicy(ci.sshUser, ci.src, ci.dst, ci.pubKey)
if err == nil && (a.Accept || a.HoldAndDelegate != "") {
a, _, lu, err := ss.srv.evaluatePolicy(ci.sshUser, ci.src, ci.dst, ci.pubKey)
if err == nil && (a.Accept || a.HoldAndDelegate != "") && lu == ss.localUser.Username {
return
}
ss.logf("session no longer valid per new SSH policy; closing")
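Review bot: The log line on the last hunk line still reports a single undifferentiated reason, so an operator reviewing why a live session was torn down cannot tell whether the rule was withdrawn, policy evaluation failed, or (the new case this commit adds) the resolved local user changed; consider `ss.logf("session no longer valid per new SSH policy (err=%v, accept=%v, localUser %q -> %q); closing", err, a.Accept, ss.localUser.Username, lu)` so each cause is distinguishable in the audit trail. The new comparison dereferences `ss.localUser` unconditionally; if a held/delegated session can reach checkStillValid before its local user is resolved, that is a nil dereference — worth confirming against newSSHSession, whose `lu *user.User` parameter is visible in the hunk header. checkStillValid's body continues past the end of the hunk.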
