From 07b596d3cc9765e412a7faaaef6a663782a6f4dd Mon Sep 17 00:00:00 2001
From: David Mell
Date: Mon, 23 Sep 2024 01:59:16 -0800
Subject: [PATCH] Allow nodes to use SSH agent forwarding (#2145)
---
 CHANGELOG.md | 1 +
 hscontrol/policy/acls.go | 4 ++--
 hscontrol/policy/acls_test.go | 8 ++++----
 3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7e91082c..538d1432 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## Next
 - Improved compatibilty of built-in DERP server with clients connecting over WebSocket.
+- Allow nodes to use SSH agent forwarding [#2145](https://github.com/juanfont/headscale/pull/2145)
 ## 0.23.0 (2024-09-18)
diff --git a/hscontrol/policy/acls.go b/hscontrol/policy/acls.go
index 2b3a50f7..b166df03 100644
--- a/hscontrol/policy/acls.go
+++ b/hscontrol/policy/acls.go
@@ -292,7 +292,7 @@ func (pol *ACLPolicy) CompileSSHPolicy(
 Reject: false,
 Accept: true,
 SessionDuration: 0,
- AllowAgentForwarding: false,
+ AllowAgentForwarding: true,
 HoldAndDelegate: "",
 AllowLocalPortForwarding: true,
 }
@@ -401,7 +401,7 @@ func sshCheckAction(duration string) (*tailcfg.SSHAction, error) {
 Reject: false,
 Accept: true,
 SessionDuration: sessionLength,
- AllowAgentForwarding: false,
+ AllowAgentForwarding: true,
 HoldAndDelegate: "",
 AllowLocalPortForwarding: true,
 }, nil
diff --git a/hscontrol/policy/acls_test.go b/hscontrol/policy/acls_test.go
index 6b2e0f97..9f38c6db 100644
--- a/hscontrol/policy/acls_test.go
+++ b/hscontrol/policy/acls_test.go
@@ -3323,7 +3323,7 @@ func TestSSHRules(t *testing.T) {
 SSHUsers: map[string]string{
 "autogroup:nonroot": "=",
 },
- Action: &tailcfg.SSHAction{Accept: true, AllowLocalPortForwarding: true},
+ Action: &tailcfg.SSHAction{Accept: true, AllowAgentForwarding: true, AllowLocalPortForwarding: true},
 },
 {
 SSHUsers: map[string]string{
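Review bot: AllowAgentForwarding is now the literal true in the accept action built in CompileSSHPolicy (the changed line of the -292 hunk) and again in sshCheckAction (the -401 hunk), so every SSH rule headscale compiles permits the destination host to use the connecting client's forwarded agent, with nothing in the visible hunks that lets a policy author keep it off for a particular rule. The previous fixed false was the conservative default; a fixed true gives a deployment that wants forwarding only towards a subset of hosts no knob at all, and the two copies of the literal can drift apart because nothing ties them together. If the permissive default is wanted for compatibility, the smaller follow-up is a per-rule policy field (defaulting to true) that both builders read, or at minimum a note on each literal such as `AllowAgentForwarding: true, // applies to every accept/check action; not configurable per rule`. Both enclosing functions start and end outside their hunks, so I cannot see whether a policy-level setting already exists elsewhere in the file.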
@@ -3334,7 +3334,7 @@ func TestSSHRules(t *testing.T) {
 Any: true,
 },
 },
- Action: &tailcfg.SSHAction{Accept: true, AllowLocalPortForwarding: true},
+ Action: &tailcfg.SSHAction{Accept: true, AllowAgentForwarding: true, AllowLocalPortForwarding: true},
 },
 {
 Principals: []*tailcfg.SSHPrincipal{
@@ -3345,7 +3345,7 @@ func TestSSHRules(t *testing.T) {
 SSHUsers: map[string]string{
 "autogroup:nonroot": "=",
 },
- Action: &tailcfg.SSHAction{Accept: true, AllowLocalPortForwarding: true},
+ Action: &tailcfg.SSHAction{Accept: true, AllowAgentForwarding: true, AllowLocalPortForwarding: true},
 },
 {
 SSHUsers: map[string]string{
@@ -3356,7 +3356,7 @@ func TestSSHRules(t *testing.T) {
 Any: true,
 },
 },
- Action: &tailcfg.SSHAction{Accept: true, AllowLocalPortForwarding: true},
+ Action: &tailcfg.SSHAction{Accept: true, AllowAgentForwarding: true, AllowLocalPortForwarding: true},
 },
 }},
 },