From afad3d4e7656b34718daad50a666d1f985255c9b Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby <kristoffer@tailscale.com>
Date: Mon, 4 May 2026 12:43:20 +0000
Subject: [PATCH] ssh/tailssh: keep OpenSSH exit test on none auth

Make the OpenSSH integration test deterministic on macOS while preserving the meaningful Tailscale SSH authentication path: use an empty client config, disable public-key/password/keyboard-interactive/GSSAPI follow-up methods, and rely on the initial SSH none-auth request that tailssh handles through clientAuth.

Log the OpenSSH version and capture verbose SSH output so future runner-specific failures expose the client-side reason.

Updates #18256

Change-Id: I5ea2dedd45f0294a053cee0f5a46cfa3cf2d993f
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---
 ssh/tailssh/tailssh_integration_test.go | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/ssh/tailssh/tailssh_integration_test.go b/ssh/tailssh/tailssh_integration_test.go
index e4d2fc83a..f9481068d 100644
--- a/ssh/tailssh/tailssh_integration_test.go
+++ b/ssh/tailssh/tailssh_integration_test.go
@@ -1047,6 +1047,11 @@ func TestOpenSSHExitCodes(t *testing.T) {
 	t.Cleanup(func() { debugTest.Store(false) })
 	username := exitCodeTestUser()
 
+	if out, err := exec.Command("ssh", "-V").CombinedOutput(); err == nil {
+		t.Logf("OpenSSH version: %s", bytes.TrimSpace(out))
+	}
+	t.Logf("OpenSSH test user: %s", username)
+
 	addr := testServer(t, username, false, false)
 	host, port, err := net.SplitHostPort(addr)
 	if err != nil {
@@ -1093,13 +1098,18 @@ func TestOpenSSHExitCodes(t *testing.T) {
 			defer cancel()
 
 			cmd := exec.CommandContext(ctx, "ssh",
-				"-F", "none",
+				"-vvv",
+				"-F", "/dev/null",
 				"-T",
 				"-o", "BatchMode=yes",
 				"-o", "ConnectTimeout=5",
+				"-o", "GSSAPIAuthentication=no",
 				"-o", "GlobalKnownHostsFile=/dev/null",
-				"-o", "LogLevel=ERROR",
+				"-o", "HostbasedAuthentication=no",
+				"-o", "KbdInteractiveAuthentication=no",
 				"-o", "NumberOfPasswordPrompts=0",
+				"-o", "PasswordAuthentication=no",
+				"-o", "PubkeyAuthentication=no",
 				"-o", "StrictHostKeyChecking=no",
 				"-o", "UserKnownHostsFile=/dev/null",
 				"-p", port,