mirror of https://github.com/tailscale/tailscale/
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
445 lines
11 KiB
Go
445 lines
11 KiB
Go
// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
//go:build linux || (darwin && !ios)
|
|
// +build linux darwin,!ios
|
|
|
|
// Package tailssh is an SSH server integrated into Tailscale.
|
|
package tailssh
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"net"
|
|
"os"
|
|
"os/exec"
|
|
"os/user"
|
|
"runtime"
|
|
"strings"
|
|
"syscall"
|
|
"time"
|
|
"unsafe"
|
|
|
|
"github.com/creack/pty"
|
|
"github.com/gliderlabs/ssh"
|
|
"inet.af/netaddr"
|
|
"tailscale.com/envknob"
|
|
"tailscale.com/ipn/ipnlocal"
|
|
"tailscale.com/net/tsaddr"
|
|
"tailscale.com/tailcfg"
|
|
"tailscale.com/types/logger"
|
|
)
|
|
|
|
// TODO(bradfitz): this is all very temporary as code is temporarily
|
|
// being moved around; it will be restructured and documented in
|
|
// following commits.
|
|
|
|
// Handle handles an SSH connection from c.
|
|
func Handle(logf logger.Logf, lb *ipnlocal.LocalBackend, c net.Conn) error {
|
|
sshd := &server{lb, logf}
|
|
srv := &ssh.Server{
|
|
Handler: sshd.handleSSH,
|
|
RequestHandlers: map[string]ssh.RequestHandler{},
|
|
SubsystemHandlers: map[string]ssh.SubsystemHandler{},
|
|
ChannelHandlers: map[string]ssh.ChannelHandler{},
|
|
}
|
|
for k, v := range ssh.DefaultRequestHandlers {
|
|
srv.RequestHandlers[k] = v
|
|
}
|
|
for k, v := range ssh.DefaultChannelHandlers {
|
|
srv.ChannelHandlers[k] = v
|
|
}
|
|
for k, v := range ssh.DefaultSubsystemHandlers {
|
|
srv.SubsystemHandlers[k] = v
|
|
}
|
|
keys, err := lb.GetSSH_HostKeys()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
for _, signer := range keys {
|
|
srv.AddHostKey(signer)
|
|
}
|
|
|
|
srv.HandleConn(c)
|
|
return nil
|
|
}
|
|
|
|
type server struct {
|
|
lb *ipnlocal.LocalBackend
|
|
logf logger.Logf
|
|
}
|
|
|
|
var debugPolicyFile = envknob.String("TS_DEBUG_SSH_POLICY_FILE")
|
|
|
|
func (srv *server) sshPolicy() (_ *tailcfg.SSHPolicy, ok bool) {
|
|
lb := srv.lb
|
|
nm := lb.NetMap()
|
|
if nm == nil {
|
|
return nil, false
|
|
}
|
|
if pol := nm.SSHPolicy; pol != nil {
|
|
return pol, true
|
|
}
|
|
if debugPolicyFile != "" {
|
|
f, err := os.ReadFile(debugPolicyFile)
|
|
if err != nil {
|
|
srv.logf("error reading debug SSH policy file: %v", err)
|
|
return nil, false
|
|
}
|
|
p := new(tailcfg.SSHPolicy)
|
|
if err := json.Unmarshal(f, p); err != nil {
|
|
srv.logf("invalid JSON in %v: %v", debugPolicyFile, err)
|
|
return nil, false
|
|
}
|
|
return p, true
|
|
}
|
|
return nil, false
|
|
}
|
|
|
|
func (srv *server) handleSSH(s ssh.Session) {
|
|
lb := srv.lb
|
|
logf := srv.logf
|
|
sshUser := s.User()
|
|
addr := s.RemoteAddr()
|
|
logf("Handling SSH from %v for user %v", addr, sshUser)
|
|
ta, ok := addr.(*net.TCPAddr)
|
|
if !ok {
|
|
logf("tsshd: rejecting non-TCP addr %T %v", addr, addr)
|
|
s.Exit(1)
|
|
return
|
|
}
|
|
tanetaddr, ok := netaddr.FromStdIP(ta.IP)
|
|
if !ok {
|
|
logf("tsshd: rejecting unparseable addr %v", ta.IP)
|
|
s.Exit(1)
|
|
return
|
|
}
|
|
if !tsaddr.IsTailscaleIP(tanetaddr) {
|
|
logf("tsshd: rejecting non-Tailscale addr %v", ta.IP)
|
|
s.Exit(1)
|
|
return
|
|
}
|
|
|
|
pol, ok := srv.sshPolicy()
|
|
if !ok {
|
|
logf("tsshd: rejecting connection; no SSH policy")
|
|
s.Exit(1)
|
|
return
|
|
}
|
|
|
|
srcIPP := netaddr.IPPortFrom(tanetaddr, uint16(ta.Port))
|
|
node, uprof, ok := lb.WhoIs(srcIPP)
|
|
if !ok {
|
|
fmt.Fprintf(s, "Hello, %v. I don't know who you are.\n", srcIPP)
|
|
s.Exit(1)
|
|
return
|
|
}
|
|
|
|
srcIP := srcIPP.IP()
|
|
ci := &sshConnInfo{
|
|
now: time.Now(),
|
|
sshUser: sshUser,
|
|
srcIP: srcIP,
|
|
node: node,
|
|
uprof: &uprof,
|
|
}
|
|
action, localUser, ok := evalSSHPolicy(pol, ci)
|
|
if ok && action.Message != "" {
|
|
io.WriteString(s.Stderr(), strings.Replace(action.Message, "\n", "\r\n", -1))
|
|
}
|
|
if !ok || action.Reject {
|
|
logf("ssh: access denied for %q from %v", uprof.LoginName, srcIP)
|
|
s.Exit(1)
|
|
return
|
|
}
|
|
if !action.Accept || action.HoldAndDelegate != "" {
|
|
fmt.Fprintf(s, "TODO: other SSHAction outcomes")
|
|
s.Exit(1)
|
|
}
|
|
lu, err := user.Lookup(localUser)
|
|
if err != nil {
|
|
logf("ssh: user Lookup %q: %v", localUser, err)
|
|
s.Exit(1)
|
|
}
|
|
|
|
var ctx context.Context = context.Background()
|
|
if action.SesssionDuration != 0 {
|
|
sctx := newSSHContext()
|
|
ctx = sctx
|
|
t := time.AfterFunc(action.SesssionDuration, func() {
|
|
sctx.CloseWithError(userVisibleError{
|
|
fmt.Sprintf("Session timeout of %v elapsed.", action.SesssionDuration),
|
|
context.DeadlineExceeded,
|
|
})
|
|
})
|
|
defer t.Stop()
|
|
}
|
|
srv.handleAcceptedSSH(ctx, s, ci, lu)
|
|
}
|
|
|
|
// handleAcceptedSSH handles s once it's been accepted and determined
|
|
// that it should run as local system user lu.
|
|
//
|
|
// When ctx is done, the session is forcefully terminated. If its Err
|
|
// is an SSHTerminationError, its SSHTerminationMessage is sent to the
|
|
// user.
|
|
func (srv *server) handleAcceptedSSH(ctx context.Context, s ssh.Session, ci *sshConnInfo, lu *user.User) {
|
|
logf := srv.logf
|
|
localUser := lu.Username
|
|
|
|
var err error
|
|
ptyReq, winCh, isPty := s.Pty()
|
|
logf("ssh: connection from %v %v to %v@ => %q. command = %q, env = %q", ci.srcIP, ci.uprof.LoginName, ci.sshUser, localUser, s.Command(), s.Environ())
|
|
var cmd *exec.Cmd
|
|
if euid := os.Geteuid(); euid != 0 {
|
|
if lu.Uid != fmt.Sprint(euid) {
|
|
logf("ssh: can't switch to user %q from process euid %v", localUser, euid)
|
|
fmt.Fprintf(s, "can't switch user\n")
|
|
s.Exit(1)
|
|
return
|
|
}
|
|
cmd = exec.Command(loginShell(lu.Uid))
|
|
if rawCmd := s.RawCommand(); rawCmd != "" {
|
|
cmd.Args = append(cmd.Args, "-c", rawCmd)
|
|
}
|
|
} else {
|
|
if rawCmd := s.RawCommand(); rawCmd != "" {
|
|
cmd = exec.Command("/usr/bin/env", "su", "-c", rawCmd, localUser)
|
|
// TODO: and Env for PATH, SSH_CONNECTION, SSH_CLIENT, XDG_SESSION_TYPE, XDG_*, etc
|
|
} else {
|
|
cmd = exec.Command("/usr/bin/env", "su", "-", localUser)
|
|
}
|
|
}
|
|
cmd.Dir = lu.HomeDir
|
|
cmd.Env = append(cmd.Env, envForUser(lu)...)
|
|
if ptyReq.Term != "" {
|
|
cmd.Env = append(cmd.Env, fmt.Sprintf("TERM=%s", ptyReq.Term))
|
|
}
|
|
// TODO(bradfitz,maisem): also blend in user's s.Environ()
|
|
logf("Running: %q", cmd.Args)
|
|
var toCmd io.WriteCloser
|
|
var fromCmd io.ReadCloser
|
|
if isPty {
|
|
f, err := pty.StartWithSize(cmd, &pty.Winsize{
|
|
Rows: uint16(ptyReq.Window.Width),
|
|
Cols: uint16(ptyReq.Window.Height),
|
|
})
|
|
if err != nil {
|
|
logf("running shell: %v", err)
|
|
s.Exit(1)
|
|
return
|
|
}
|
|
defer f.Close()
|
|
toCmd = f
|
|
fromCmd = f
|
|
go func() {
|
|
for win := range winCh {
|
|
setWinsize(f, win.Width, win.Height)
|
|
}
|
|
}()
|
|
} else {
|
|
stdin, stdout, stderr, err := startWithStdPipes(cmd)
|
|
if err != nil {
|
|
logf("ssh: start error: %f", err)
|
|
s.Exit(1)
|
|
return
|
|
}
|
|
fromCmd, toCmd = stdout, stdin
|
|
go func() { io.Copy(s.Stderr(), stderr) }()
|
|
}
|
|
|
|
if ctx.Done() != nil {
|
|
done := make(chan struct{})
|
|
defer close(done)
|
|
go func() {
|
|
select {
|
|
case <-done:
|
|
case <-ctx.Done():
|
|
err := ctx.Err()
|
|
if serr, ok := err.(SSHTerminationError); ok {
|
|
msg := serr.SSHTerminationMessage()
|
|
if msg != "" {
|
|
io.WriteString(s.Stderr(), "\r\n\r\n"+msg+"\r\n\r\n")
|
|
}
|
|
}
|
|
logf("terminating SSH session from %v: %v", ci.srcIP, err)
|
|
cmd.Process.Kill()
|
|
}
|
|
}()
|
|
}
|
|
|
|
go func() {
|
|
_, err := io.Copy(toCmd, s) // stdin
|
|
logf("ssh: stdin copy: %v", err)
|
|
toCmd.Close()
|
|
}()
|
|
go func() {
|
|
_, err := io.Copy(s, fromCmd) // stdout
|
|
logf("ssh: stdout copy: %v", err)
|
|
}()
|
|
|
|
err = cmd.Wait()
|
|
if err == nil {
|
|
logf("ssh: Wait: ok")
|
|
s.Exit(0)
|
|
return
|
|
}
|
|
if ee, ok := err.(*exec.ExitError); ok {
|
|
code := ee.ProcessState.ExitCode()
|
|
logf("ssh: Wait: code=%v", code)
|
|
s.Exit(code)
|
|
return
|
|
}
|
|
|
|
logf("ssh: Wait: %v", err)
|
|
s.Exit(1)
|
|
return
|
|
}
|
|
|
|
func setWinsize(f *os.File, w, h int) {
|
|
syscall.Syscall(syscall.SYS_IOCTL, f.Fd(), uintptr(syscall.TIOCSWINSZ),
|
|
uintptr(unsafe.Pointer(&struct{ h, w, x, y uint16 }{uint16(h), uint16(w), 0, 0})))
|
|
}
|
|
|
|
type sshConnInfo struct {
|
|
// now is the time to consider the present moment for the
|
|
// purposes of rule evaluation.
|
|
now time.Time
|
|
|
|
// sshUser is the requested local SSH username ("root", "alice", etc).
|
|
sshUser string
|
|
|
|
// srcIP is the Tailscale IP that the connection came from.
|
|
srcIP netaddr.IP
|
|
|
|
// node is srcIP's node.
|
|
node *tailcfg.Node
|
|
|
|
// uprof is node's UserProfile.
|
|
uprof *tailcfg.UserProfile
|
|
}
|
|
|
|
func evalSSHPolicy(pol *tailcfg.SSHPolicy, ci *sshConnInfo) (a *tailcfg.SSHAction, localUser string, ok bool) {
|
|
for _, r := range pol.Rules {
|
|
if a, localUser, err := matchRule(r, ci); err == nil {
|
|
return a, localUser, true
|
|
}
|
|
}
|
|
return nil, "", false
|
|
}
|
|
|
|
// internal errors for testing; they don't escape to callers or logs.
|
|
var (
|
|
errNilRule = errors.New("nil rule")
|
|
errNilAction = errors.New("nil action")
|
|
errRuleExpired = errors.New("rule expired")
|
|
errPrincipalMatch = errors.New("principal didn't match")
|
|
errUserMatch = errors.New("user didn't match")
|
|
)
|
|
|
|
func matchRule(r *tailcfg.SSHRule, ci *sshConnInfo) (a *tailcfg.SSHAction, localUser string, err error) {
|
|
if r == nil {
|
|
return nil, "", errNilRule
|
|
}
|
|
if r.Action == nil {
|
|
return nil, "", errNilAction
|
|
}
|
|
if r.RuleExpires != nil && ci.now.After(*r.RuleExpires) {
|
|
return nil, "", errRuleExpired
|
|
}
|
|
if !matchesPrincipal(r.Principals, ci) {
|
|
return nil, "", errPrincipalMatch
|
|
}
|
|
if !r.Action.Reject || r.SSHUsers != nil {
|
|
localUser = mapLocalUser(r.SSHUsers, ci.sshUser)
|
|
if localUser == "" {
|
|
return nil, "", errUserMatch
|
|
}
|
|
}
|
|
return r.Action, localUser, nil
|
|
}
|
|
|
|
func mapLocalUser(ruleSSHUsers map[string]string, reqSSHUser string) (localUser string) {
|
|
if v, ok := ruleSSHUsers[reqSSHUser]; ok {
|
|
return v
|
|
}
|
|
return ruleSSHUsers["*"]
|
|
}
|
|
|
|
func matchesPrincipal(ps []*tailcfg.SSHPrincipal, ci *sshConnInfo) bool {
|
|
for _, p := range ps {
|
|
if p == nil {
|
|
continue
|
|
}
|
|
if p.Any {
|
|
return true
|
|
}
|
|
if !p.Node.IsZero() && ci.node != nil && p.Node == ci.node.StableID {
|
|
return true
|
|
}
|
|
if p.NodeIP != "" {
|
|
if ip, _ := netaddr.ParseIP(p.NodeIP); ip == ci.srcIP {
|
|
return true
|
|
}
|
|
}
|
|
if p.UserLogin != "" && ci.uprof != nil && ci.uprof.LoginName == p.UserLogin {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
func loginShell(uid string) string {
|
|
switch runtime.GOOS {
|
|
case "linux":
|
|
out, _ := exec.Command("getent", "passwd", uid).Output()
|
|
// out is "root:x:0:0:root:/root:/bin/bash"
|
|
f := strings.SplitN(string(out), ":", 10)
|
|
if len(f) > 6 {
|
|
return strings.TrimSpace(f[6]) // shell
|
|
}
|
|
}
|
|
if e := os.Getenv("SHELL"); e != "" {
|
|
return e
|
|
}
|
|
return "/bin/bash"
|
|
}
|
|
|
|
func startWithStdPipes(cmd *exec.Cmd) (stdin io.WriteCloser, stdout, stderr io.ReadCloser, err error) {
|
|
defer func() {
|
|
if err != nil {
|
|
for _, c := range []io.Closer{stdin, stdout, stderr} {
|
|
if c != nil {
|
|
c.Close()
|
|
}
|
|
}
|
|
}
|
|
}()
|
|
stdin, err = cmd.StdinPipe()
|
|
if err != nil {
|
|
return
|
|
}
|
|
stdout, err = cmd.StdoutPipe()
|
|
if err != nil {
|
|
return
|
|
}
|
|
stderr, err = cmd.StderrPipe()
|
|
if err != nil {
|
|
return
|
|
}
|
|
err = cmd.Start()
|
|
return
|
|
}
|
|
|
|
func envForUser(u *user.User) []string {
|
|
return []string{
|
|
fmt.Sprintf("SHELL=" + loginShell(u.Uid)),
|
|
fmt.Sprintf("USER=" + u.Username),
|
|
fmt.Sprintf("HOME=" + u.HomeDir),
|
|
}
|
|
}
|