Allow nodes to use SSH agent forwarding

juanfont · Sep 22, 2024 · b3813f3 · b3813f3
1 parent f3fca83
commit b3813f3
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## Next
 
 - Improved compatibilty of built-in DERP server with clients connecting over WebSocket.
+- Allow nodes to use SSH agent forwarding [#2145](https://github.com/juanfont/headscale/pull/2145)
 
 ## 0.23.0 (2024-09-18)
 

diff --git a/hscontrol/policy/acls.go b/hscontrol/policy/acls.go
@@ -292,7 +292,7 @@ func (pol *ACLPolicy) CompileSSHPolicy(
  Reject: false,
  Accept: true,
  SessionDuration: 0,
- AllowAgentForwarding: false,
+ AllowAgentForwarding: true,
  HoldAndDelegate: "",
  AllowLocalPortForwarding: true,
  }
@@ -401,7 +401,7 @@ func sshCheckAction(duration string) (*tailcfg.SSHAction, error) {
  Reject: false,
  Accept: true,
  SessionDuration: sessionLength,
- AllowAgentForwarding: false,
+ AllowAgentForwarding: true,
  HoldAndDelegate: "",
  AllowLocalPortForwarding: true,
  }, nil

diff --git a/hscontrol/policy/acls_test.go b/hscontrol/policy/acls_test.go
@@ -3323,7 +3323,7 @@ func TestSSHRules(t *testing.T) {
  SSHUsers: map[string]string{
  "autogroup:nonroot": "=",
  },
- Action: &tailcfg.SSHAction{Accept: true, AllowLocalPortForwarding: true},
+ Action: &tailcfg.SSHAction{Accept: true, AllowAgentForwarding: true, AllowLocalPortForwarding: true},
  },
  {
  SSHUsers: map[string]string{
@@ -3334,7 +3334,7 @@ func TestSSHRules(t *testing.T) {
  Any: true,
  },
  },
- Action: &tailcfg.SSHAction{Accept: true, AllowLocalPortForwarding: true},
+ Action: &tailcfg.SSHAction{Accept: true, AllowAgentForwarding: true, AllowLocalPortForwarding: true},
  },
  {
  Principals: []*tailcfg.SSHPrincipal{
@@ -3345,7 +3345,7 @@ func TestSSHRules(t *testing.T) {
  SSHUsers: map[string]string{
  "autogroup:nonroot": "=",
  },
- Action: &tailcfg.SSHAction{Accept: true, AllowLocalPortForwarding: true},
+ Action: &tailcfg.SSHAction{Accept: true, AllowAgentForwarding: true, AllowLocalPortForwarding: true},
  },
  {
  SSHUsers: map[string]string{
@@ -3356,7 +3356,7 @@ func TestSSHRules(t *testing.T) {
  Any: true,
  },
  },
- Action: &tailcfg.SSHAction{Accept: true, AllowLocalPortForwarding: true},
+ Action: &tailcfg.SSHAction{Accept: true, AllowAgentForwarding: true, AllowLocalPortForwarding: true},
  },
  }},
  },