From ecc451501c70c4739e29ad177d883e1533ab4f34 Mon Sep 17 00:00:00 2001 From: Percy Wegmann Date: Tue, 6 Aug 2024 08:00:05 -0500 Subject: [PATCH] ssh/tailssh: add ability to force V2 behavior using new feature flag Introduces ssh-behavior-v2 node attribute to override ssh-behavior-v1. Updates #11854 Signed-off-by: Percy Wegmann --- ssh/tailssh/incubator.go | 3 ++- tailcfg/tailcfg.go | 7 +++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/ssh/tailssh/incubator.go b/ssh/tailssh/incubator.go index 2c8e1ed04..37f2a5434 100644 --- a/ssh/tailssh/incubator.go +++ b/ssh/tailssh/incubator.go @@ -129,7 +129,8 @@ func (ss *sshSession) newIncubatorCommand(logf logger.Logf) (cmd *exec.Cmd, err incubatorArgs = append(incubatorArgs, "--is-selinux-enforcing") } - forceV1Behavior := ss.conn.srv.lb.NetMap().HasCap(tailcfg.NodeAttrSSHBehaviorV1) + nm := ss.conn.srv.lb.NetMap() + forceV1Behavior := nm.HasCap(tailcfg.NodeAttrSSHBehaviorV1) && !nm.HasCap(tailcfg.NodeAttrSSHBehaviorV2) if forceV1Behavior { incubatorArgs = append(incubatorArgs, "--force-v1-behavior") } diff --git a/tailcfg/tailcfg.go b/tailcfg/tailcfg.go index 90be4bb83..9799abb43 100644 --- a/tailcfg/tailcfg.go +++ b/tailcfg/tailcfg.go @@ -2307,6 +2307,13 @@ const ( // Added 2024-05-29 in Tailscale version 1.68. NodeAttrSSHBehaviorV1 NodeCapability = "ssh-behavior-v1" + // NodeAttrSSHBehaviorV2 forces SSH to use the V2 behavior (use su, run SFTP in child process). + // This overrides NodeAttrSSHBehaviorV1 if set. + // See forceV1Behavior in ssh/tailssh/incubator.go for distinction between + // V1 and V2 behavior. + // Added 2024-08-06 in Tailscale version 1.72. + NodeAttrSSHBehaviorV2 NodeCapability = "ssh-behavior-v2" + // NodeAttrDisableSplitDNSWhenNoCustomResolvers indicates that the node's // DNS manager should not adopt a split DNS configuration even though the // Config of the resolver only contains routes that do not specify custom