[client] Support non-PTY no-command interactive SSH sessions (#5093)

2026-04-19 08:46:38 +00:00 · 2026-01-27 18:05:04 +08:00
parent d4f7df271a
commit 06966da012
17 changed files with 461 additions and 270 deletions
--- a/client/ssh/server/executor_unix.go
+++ b/client/ssh/server/executor_unix.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"runtime"
 	"strings"
 	"syscall"
@@ -35,11 +36,35 @@ type ExecutorConfig struct {
 }

 // PrivilegeDropper handles secure privilege dropping in child processes
-type PrivilegeDropper struct{}
+type PrivilegeDropper struct {
+	logger *log.Entry
+}
+
+// PrivilegeDropperOption is a functional option for configuring PrivilegeDropper
+type PrivilegeDropperOption func(*PrivilegeDropper)

 // NewPrivilegeDropper creates a new privilege dropper
-func NewPrivilegeDropper() *PrivilegeDropper {
-	return &PrivilegeDropper{}
+func NewPrivilegeDropper(opts ...PrivilegeDropperOption) *PrivilegeDropper {
+	pd := &PrivilegeDropper{}
+	for _, opt := range opts {
+		opt(pd)
+	}
+	return pd
+}
+
+// WithLogger sets the logger for the PrivilegeDropper
+func WithLogger(logger *log.Entry) PrivilegeDropperOption {
+	return func(pd *PrivilegeDropper) {
+		pd.logger = logger
+	}
+}
+
+// log returns the logger, falling back to standard logger if none set
+func (pd *PrivilegeDropper) log() *log.Entry {
+	if pd.logger != nil {
+		return pd.logger
+	}
+	return log.NewEntry(log.StandardLogger())
 }

 // CreateExecutorCommand creates a command that spawns netbird ssh exec for privilege dropping
@@ -83,7 +108,7 @@ func (pd *PrivilegeDropper) CreateExecutorCommand(ctx context.Context, config Ex
 			break
 		}
 	}
-	log.Tracef("creating executor command: %s %v", netbirdPath, safeArgs)
+	pd.log().Tracef("creating executor command: %s %v", netbirdPath, safeArgs)
 	return exec.CommandContext(ctx, netbirdPath, args...), nil
 }

@@ -206,17 +231,22 @@ func (pd *PrivilegeDropper) ExecuteWithPrivilegeDrop(ctx context.Context, config

 	var execCmd *exec.Cmd
 	if config.Command == "" {
-		os.Exit(ExitCodeSuccess)
+		execCmd = exec.CommandContext(ctx, config.Shell)
+	} else {
+		execCmd = exec.CommandContext(ctx, config.Shell, "-c", config.Command)
 	}
-
-	execCmd = exec.CommandContext(ctx, config.Shell, "-c", config.Command)
+	execCmd.Args[0] = "-" + filepath.Base(config.Shell)
 	execCmd.Stdin = os.Stdin
 	execCmd.Stdout = os.Stdout
 	execCmd.Stderr = os.Stderr

-	cmdParts := strings.Fields(config.Command)
-	safeCmd := safeLogCommand(cmdParts)
-	log.Tracef("executing %s -c %s", execCmd.Path, safeCmd)
+	if config.Command == "" {
+		log.Tracef("executing login shell: %s", execCmd.Path)
+	} else {
+		cmdParts := strings.Fields(config.Command)
+		safeCmd := safeLogCommand(cmdParts)
+		log.Tracef("executing %s -c %s", execCmd.Path, safeCmd)
+	}
 	if err := execCmd.Run(); err != nil {
 		var exitError *exec.ExitError
 		if errors.As(err, &exitError) {