authorBrad Fitzpatrick <bradfitz@tailscale.com>2024-10-17 08:46:41 -0700
committerBrad Fitzpatrick <bradfitz@tailscale.com>2024-10-17 08:46:41 -0700
commit5291af01bc174f15c6d3bf8ebe8dd6913f62a906 (patch)
tree59e70d0b1683ecf2752b5a6231bc523358438bb0
parent22c89fcb19ea36159e232c45b4f5e91c73b9e486 (diff)
ssh/tailssh: allow setting some Tailscale SSH config from env varsbradfitz/ssh_config_from_env
DO NOT SUBMIT; Draft. Just an example. Change-Id: I46f74e2a1dfeabae70416200cb996857d4dc6144 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
-rw-r--r--ssh/tailssh/tailssh.go11
1 files changed, 10 insertions, 1 deletions
diff --git a/ssh/tailssh/tailssh.go b/ssh/tailssh/tailssh.go
index 9ade1847e..9452551dc 100644
--- a/ssh/tailssh/tailssh.go
+++ b/ssh/tailssh/tailssh.go
@@ -423,10 +423,19 @@ func (c *conn) doPolicyAuth(ctx ssh.Context, pubKey ssh.PublicKey) error {
// ServerConfig implements ssh.ServerConfigCallback.
func (c *conn) ServerConfig(ctx ssh.Context) *gossh.ServerConfig {
- return &gossh.ServerConfig{
+ sc := &gossh.ServerConfig{
NoClientAuth: true, // required for the NoClientAuthCallback to run
NextAuthMethodCallback: c.nextAuthMethodCallback,
}
+ ssFromEnv := func(dst *[]string, envKey string) {
+ if v := os.Getenv(envKey); v != "" {
+ *dst = strings.Split(v, ",")
+ }
+ }
+ ssFromEnv(&sc.KeyExchanges, "TS_SSH_KEY_EXCHANGE_ALGS")
+ ssFromEnv(&sc.Ciphers, "TS_SSH_CIPHERS")
+ ssFromEnv(&sc.MACs, "TS_SSH_MACS")
+ return sc
}
func (srv *server) newConn() (*conn, error) {
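Review bot: The `ssFromEnv` closure assigns `strings.Split(v, ",")` to the config unchanged, so a value such as `"a, b"` or one with a trailing comma puts a space-prefixed or empty algorithm name into `KeyExchanges`, `Ciphers` or `MACs`. How `gossh` treats names it does not recognise is not visible in this hunk; depending on that, the outcome is either a handshake that fails for every client or a silently narrowed list. Because these variables replace the default algorithm sets outright, they can also re-enable algorithms the defaults leave out, so the override should trim and drop empty entries and log the effective list once, keeping a weakened configuration visible to whoever audits the host. It would also help to extend the doc comment on `ServerConfig` to name the three variables and state that each one replaces, rather than extends, the defaults.

```go
	ssFromEnv := func(dst *[]string, envKey string) {
		v := os.Getenv(envKey)
		if v == "" {
			return
		}
		var algs []string
		for _, a := range strings.Split(v, ",") {
			if a = strings.TrimSpace(a); a != "" {
				algs = append(algs, a)
			}
		}
		// Leave the defaults in place when the value holds no usable name.
		if len(algs) > 0 {
			*dst = algs
		}
	}
	// … unchanged: the three ssFromEnv calls and return sc …
```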