
This reverts commit 46fd4e58a2.
We don't want to include this in 1.80 yet, but can add it back post 1.80.
Updates #8593
Signed-off-by: Percy Wegmann <percy@tailscale.com>
package ssh
import (
"io"
"net"
"os"
"path"
"sync"
gossh "github.com/tailscale/golang-x-crypto/ssh"
)
const (
	// agentRequestType is the openssh.com-namespaced request type name for
	// agent forwarding. It is not referenced in this file; presumably the
	// session request handler elsewhere in the package matches on it.
	agentRequestType = "auth-agent-req@openssh.com"
	// agentChannelType is the openssh.com-namespaced channel type that
	// ForwardAgentConnections opens back to the client for each forwarded
	// agent connection.
	agentChannelType = "auth-agent@openssh.com"

	// agentTempDir is the name pattern NewAgentListener passes to
	// os.MkdirTemp for the per-listener directory.
	agentTempDir = "auth-agent"
	// agentListenFile is the Unix socket file name created inside that
	// directory.
	agentListenFile = "listener.sock"
)
// contextKeyAgentRequest is an internal context key for storing if the
// client requested agent forwarding. SetAgentRequested stores true under
// this key and AgentRequested reads it back; the key is a pointer so it
// cannot collide with keys from other packages.
var contextKeyAgentRequest = &contextKey{"auth-agent-req"}
// SetAgentRequested records on the session context that the client asked
// for agent forwarding, so that a later AgentRequested call on the same
// session returns true.
func SetAgentRequested(ctx Context) {
	// The value stored is a plain bool; AgentRequested compares against true.
	const requested = true
	ctx.SetValue(contextKeyAgentRequest, requested)
}
// AgentRequested reports whether SetAgentRequested was called for this
// session, i.e. whether the client requested agent forwarding. A missing
// key or a value of any other type reads as false.
func AgentRequested(sess Session) bool {
	requested, isBool := sess.Context().Value(contextKeyAgentRequest).(bool)
	return isBool && requested
}
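// NewAgentListener sets up a temporary Unix socket that can be communicated
// to the session environment and used for forwarding connections.
//
// Security note: anyone who can connect to this socket can use the client's
// forwarded agent (sign with its keys), so filesystem permissions are the
// only access control. os.MkdirTemp creates the directory with mode 0700,
// owned by the user this process runs as; the socket file itself is created
// by net.Listen subject to the process umask, so the directory mode is what
// keeps other local users out. NOTE(review): if the SSH session runs as a
// different user than this process, that user cannot traverse a 0700
// directory without an ownership/permission change — confirm the caller
// handles that.
//
// Closing the returned listener unlinks the socket file but not the
// directory; the caller is responsible for removing the directory once the
// session is over.
func NewAgentListener() (net.Listener, error) {
	dir, err := os.MkdirTemp("", agentTempDir)
	if err != nil {
		return nil, err
	}
	// path.Join (rather than filepath.Join) is retained from the original;
	// on Unix hosts, where AF_UNIX sockets are used, the two agree.
	l, err := net.Listen("unix", path.Join(dir, agentListenFile))
	if err != nil {
		// Don't leak the (empty) temp directory when the socket can't be
		// bound; the caller never learns the path on the error return.
		os.RemoveAll(dir)
		return nil, err
	}
	return l, nil
}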
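// ForwardAgentConnections takes connections from a listener to proxy into the
// session on the OpenSSH channel for agent connections. It blocks and services
// connections until the listener stops accepting.
//
// Each accepted connection gets its own auth-agent@openssh.com channel back
// to the client and bytes are relayed in both directions until both sides
// finish. Nothing here authenticates the local peer: anyone who can connect
// to l can drive the client's forwarded agent, so the listener's filesystem
// permissions (see NewAgentListener) are the only access control.
//
// Returns without doing anything if the session context does not carry a
// gossh.Conn under ContextKeyConn.
func ForwardAgentConnections(l net.Listener, s Session) {
	// Check the assertion instead of letting a missing/mistyped context
	// value panic the server goroutine.
	sshConn, ok := s.Context().Value(ContextKeyConn).(gossh.Conn)
	if !ok {
		return
	}
	for {
		conn, err := l.Accept()
		if err != nil {
			// Accept fails permanently once the listener is closed; that is
			// the caller's signal that the session is over.
			return
		}
		// One goroutine per local connection; it ends when both copy
		// directions have drained (see proxyAgentConn).
		go proxyAgentConn(sshConn, conn)
	}
}

// proxyAgentConn relays a single local agent connection over a fresh
// auth-agent@openssh.com channel on sshConn, closing both ends when the
// relay in both directions has finished.
func proxyAgentConn(sshConn gossh.Conn, conn net.Conn) {
	defer conn.Close()
	channel, reqs, err := sshConn.OpenChannel(agentChannelType, nil)
	if err != nil {
		// The client refused (or could not open) an agent channel; dropping
		// the local connection gives its peer EOF instead of a hang.
		return
	}
	defer channel.Close()
	// Channel-level requests carry nothing useful for agent forwarding.
	go gossh.DiscardRequests(reqs)

	var wg sync.WaitGroup
	wg.Add(2)
	go func() {
		defer wg.Done()
		// io.Copy errors are deliberately ignored in both directions: a
		// broken pipe on either side simply ends the relay and there is no
		// one to report it to.
		io.Copy(conn, channel)
		// Pass EOF on to the local peer without tearing down its write
		// side. Only half-closable conns (e.g. *net.UnixConn) support this;
		// the original asserted *net.UnixConn unconditionally and would
		// panic for any other listener type, so check instead.
		if cw, ok := conn.(interface{ CloseWrite() error }); ok {
			cw.CloseWrite()
		}
	}()
	go func() {
		defer wg.Done()
		io.Copy(channel, conn)
		channel.CloseWrite()
	}()
	wg.Wait()
}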