ipn/ipnlocal: reject tailscale up --ssh if disabled on tailnet
Updates #3802 Change-Id: I3f1e839391fe9b28270f506f4bb8d8e3d36716f5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
parent
0ce67ccda6
commit
8b81254992
|
@ -149,3 +149,9 @@ func UseWIPCode() bool { return Bool("TAILSCALE_USE_WIP_CODE") }
|
||||||
// if already enabled and any attempt to re-enable it will result in
|
// if already enabled and any attempt to re-enable it will result in
|
||||||
// an error.
|
// an error.
|
||||||
func CanSSHD() bool { return !Bool("TS_DISABLE_SSH_SERVER") }
|
func CanSSHD() bool { return !Bool("TS_DISABLE_SSH_SERVER") }
|
||||||
|
|
||||||
|
// SSHPolicyFile returns the path, if any, to the SSHPolicy JSON file for development.
|
||||||
|
func SSHPolicyFile() string { return String("TS_DEBUG_SSH_POLICY_FILE") }
|
||||||
|
|
||||||
|
// SSHIgnoreTailnetPolicy is whether to ignore the Tailnet SSH policy for development.
|
||||||
|
func SSHIgnoreTailnetPolicy() bool { return Bool("TS_DEBUG_SSH_IGNORE_TAILNET_POLICY") }
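Review bot: The doc comments on `SSHPolicyFile` and `SSHIgnoreTailnetPolicy` say "for development" but do not mention that either knob also switches off the new tailnet-policy rejection in `checkPrefsLocked`. A host with one of them set in its environment can therefore turn on the SSH pref even when the tailnet has no SSH policy. I would state that on the accessor, for example `// SSHIgnoreTailnetPolicy reports whether the tailnet SSH policy is ignored. Development only: setting it also skips the "not enabled on Tailnet" check when enabling SSH.`, with a matching sentence on `SSHPolicyFile`. The `TS_DEBUG_` prefix hints at this, but the consequence belongs where an operator auditing the environment will read it.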
|
||||||
|
|
|
@ -1808,6 +1808,10 @@ func (b *LocalBackend) checkPrefsLocked(p *ipn.Prefs) error {
|
||||||
if !canSSH {
|
if !canSSH {
|
||||||
return errors.New("The Tailscale SSH server has been administratively disabled.")
|
return errors.New("The Tailscale SSH server has been administratively disabled.")
|
||||||
}
|
}
|
||||||
|
if b.netMap != nil && b.netMap.SSHPolicy == nil &&
|
||||||
|
envknob.SSHPolicyFile() == "" && !envknob.SSHIgnoreTailnetPolicy() {
|
||||||
|
return errors.New("Unable to enable local Tailscale SSH server; not enabled/configured on Tailnet.")
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
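Review bot: The added condition in `checkPrefsLocked` is skipped whenever `b.netMap` is nil, so a request to enable SSH that arrives before the first netmap is accepted even on a tailnet with no SSH policy. Nothing in this hunk re-checks the pref once a netmap arrives. If that is intended because the policy cannot be known yet, a comment above the `if` should say so and make clear that this is an early user-facing rejection, not the enforcement point, e.g. `// Best-effort: with no netmap yet we cannot tell; the SSH server must still refuse sessions when SSHPolicy is nil.` Whether the server does refuse in that case is not visible here and should be confirmed. The function starts above the hunk.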
|
||||||
|
|
|
@ -43,8 +43,8 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
debugPolicyFile = envknob.String("TS_DEBUG_SSH_POLICY_FILE")
|
debugPolicyFile = envknob.SSHPolicyFile()
|
||||||
debugIgnoreTailnetSSHPolicy = envknob.Bool("TS_DEBUG_SSH_IGNORE_TAILNET_POLICY")
|
debugIgnoreTailnetSSHPolicy = envknob.SSHIgnoreTailnetPolicy()
|
||||||
sshVerboseLogging = envknob.Bool("TS_DEBUG_SSH_VLOG")
|
sshVerboseLogging = envknob.Bool("TS_DEBUG_SSH_VLOG")
|
||||||
)
|
)
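Review bot: `debugPolicyFile` and `debugIgnoreTailnetSSHPolicy` are still evaluated once at package init, while the new check in `checkPrefsLocked` calls `envknob.SSHPolicyFile()` and `envknob.SSHIgnoreTailnetPolicy()` on every invocation. If these knobs can change after startup (not visible here), the pref gate and the SSH server could disagree about whether a debug override is active. Either call the accessors at the use sites in this package too, or add a comment on the var block such as `// Read once at init; later changes to the environment are not seen here.` The uses of these variables are outside the hunk.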
|
||||||
|
|
||||||
|
|