Allow nodes to use SSH agent forwarding (#2145)

2025-10-31 16:11:03 +01:00 · 2024-09-23 01:59:16 -08:00 · 2024-09-23 01:59:16 -08:00 · 07b596d3cc
commit 07b596d3cc
parent f3fca8302a
3 changed files with 7 additions and 6 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -3,6 +3,7 @@
 ## Next

 - Improved compatibilty of built-in DERP server with clients connecting over WebSocket.
+- Allow nodes to use SSH agent forwarding [#2145](https://github.com/juanfont/headscale/pull/2145)

 ## 0.23.0 (2024-09-18)

--- a/hscontrol/policy/acls.go
+++ b/hscontrol/policy/acls.go
@ -292,7 +292,7 @@ func (pol *ACLPolicy) CompileSSHPolicy(
 		Reject:                   false,
 		Accept:                   true,
 		SessionDuration:          0,
-		AllowAgentForwarding:     false,
+		AllowAgentForwarding:     true,
 		HoldAndDelegate:          "",
 		AllowLocalPortForwarding: true,
 	}
@ -401,7 +401,7 @@ func sshCheckAction(duration string) (*tailcfg.SSHAction, error) {
 		Reject:                   false,
 		Accept:                   true,
 		SessionDuration:          sessionLength,
-		AllowAgentForwarding:     false,
+		AllowAgentForwarding:     true,
 		HoldAndDelegate:          "",
 		AllowLocalPortForwarding: true,
 	}, nil
--- a/hscontrol/policy/acls_test.go
+++ b/hscontrol/policy/acls_test.go
@ -3323,7 +3323,7 @@ func TestSSHRules(t *testing.T) {
 					SSHUsers: map[string]string{
 						"autogroup:nonroot": "=",
 					},
-					Action: &tailcfg.SSHAction{Accept: true, AllowLocalPortForwarding: true},
+					Action: &tailcfg.SSHAction{Accept: true, AllowAgentForwarding: true, AllowLocalPortForwarding: true},
 				},
 				{
 					SSHUsers: map[string]string{
@ -3334,7 +3334,7 @@ func TestSSHRules(t *testing.T) {
 							Any: true,
 						},
 					},
-					Action: &tailcfg.SSHAction{Accept: true, AllowLocalPortForwarding: true},
+					Action: &tailcfg.SSHAction{Accept: true, AllowAgentForwarding: true, AllowLocalPortForwarding: true},
 				},
 				{
 					Principals: []*tailcfg.SSHPrincipal{
@ -3345,7 +3345,7 @@ func TestSSHRules(t *testing.T) {
 					SSHUsers: map[string]string{
 						"autogroup:nonroot": "=",
 					},
-					Action: &tailcfg.SSHAction{Accept: true, AllowLocalPortForwarding: true},
+					Action: &tailcfg.SSHAction{Accept: true, AllowAgentForwarding: true, AllowLocalPortForwarding: true},
 				},
 				{
 					SSHUsers: map[string]string{
@ -3356,7 +3356,7 @@ func TestSSHRules(t *testing.T) {
 							Any: true,
 						},
 					},
-					Action: &tailcfg.SSHAction{Accept: true, AllowLocalPortForwarding: true},
+					Action: &tailcfg.SSHAction{Accept: true, AllowAgentForwarding: true, AllowLocalPortForwarding: true},
 				},
 			}},
 		},