Skip to content

feat: add SSH CLI access to PAM revamp#274

Merged
bernie-g merged 3 commits into
pam-revampfrom
bernie/pam-271-add-ssh-cli-access
Jun 22, 2026
Merged

feat: add SSH CLI access to PAM revamp#274
bernie-g merged 3 commits into
pam-revampfrom
bernie/pam-271-add-ssh-cli-access

Conversation

@bernie-g

@bernie-g bernie-g commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Description

Wire SSH account type into the new path-based pam access flow so it starts a local proxy and prints connection info, matching the database proxy pattern.

Type of change

  • New feature (non-breaking change which adds functionality)

@bernie-g
feat: add ssh cli access to pam revamp
8afd9cb 
Wire SSH account type into the new path-based `pam access` flow.
Starts a local TCP proxy and prints connection info with hint
commands, matching the database proxy pattern.
@infisical-review-police

infisical-review-police Bot commented Jun 22, 2026

Copy link
Copy Markdown

💬 Discussion in Slack: #pr-review-cli-274-feat-add-ssh-cli-access-to-pam-revamp

Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel.

@linear

linear Bot commented Jun 22, 2026

Copy link
Copy Markdown

PAM-271

@bernie-g bernie-g marked this pull request as ready for review June 22, 2026 18:20
@greptile-apps

greptile-apps Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR wires the SSH account type into the path-based pam access flow by adding a startSSHAccess handler and printSSHSessionInfo banner, mirroring the existing database proxy pattern. ssh-proxy.go is significantly simplified by removing the previous SSH-client-launching logic in favour of a pure proxy-only mode.

  • startSSHAccess follows the same lifecycle as startDatabaseProxy: parse duration, validate metadata, create SSHProxyServer, bind a local port, print connection info, register a signal handler, then block on Run().
  • ssh-proxy.go drops SSHAccessOptions, StartSSHLocalProxy, launchSSHClient, waitForSSHCompletion, and the SSH exit-code propagation logic; gracefulShutdown now unconditionally exits 0.
  • printSSHSessionInfo has a minor inconsistency where the Examples: header goes to stdout while the actual command lines go to stderr via util.PrintfStderr, matching the same asymmetry in printDatabaseSessionInfo.

Confidence Score: 4/5

The change is a straightforward port of the established database-proxy pattern to SSH; the core logic is correct and the simplification of ssh-proxy.go removes more complexity than it adds.

The SSRF concern (API-supplied relay host + mTLS credentials with no allowlist) is a real structural risk, but it is inherent to the existing proxy design rather than a mistake introduced here. The remaining findings are cosmetic: empty-username guard missing from the banner, mixed stdout/stderr output, and a log line that omits the username. None of these affect runtime correctness of the happy path.

packages/pam/local/access.go — review the printSSHSessionInfo banner and the relay-host origin in startSSHAccess.

Security Review
  • SSRF via API-supplied relay host (packages/pam/local/access.go, startSSHAccess): response.RelayHost and all associated mTLS credentials (relayClientCert, relayClientKey, relayServerCertChain) are taken from the PAM API response and used without domain allowlisting. A compromised or intercepted API response could redirect outbound relay connections to an attacker-controlled endpoint; because the certificates are also attacker-supplied, mTLS validation would not mitigate the redirection. This pattern is pre-existing in the database proxy but is now present in the SSH access path as well.

Important Files Changed

Filename Overview
packages/pam/local/access.go Added startSSHAccess and printSSHSessionInfo to wire SSH account type into the PAM access flow; minor issues with empty username guard, mixed stdout/stderr output, and missing username in log context.
packages/pam/local/ssh-proxy.go Significantly simplified — removed the old SSH-client-launching logic (launchSSHClient, waitForSSHCompletion, SSHAccessOptions, StartSSHLocalProxy) and the sshProcess/options/sshExitCode fields; now a clean proxy-only server matching the database proxy pattern.

Reviews (1): Last reviewed commit: "feat: add ssh cli access to pam revamp" | Re-trigger Greptile

greptile-apps[bot]
greptile-apps Bot reviewed Jun 22, 2026
View reviewed changes
Comment thread packages/pam/local/access.go
Comment thread packages/pam/local/access.go Outdated
Comment thread packages/pam/local/access.go
Comment thread packages/pam/local/access.go
@bernie-g
fix: guard empty username in SSH session banner
da3f91b 
Match the database banner's `if username != ""` check for consistency.
veria-ai[bot]
veria-ai Bot reviewed Jun 22, 2026
View reviewed changes
Comment thread packages/pam/local/access.go
@veria-ai

veria-ai Bot commented Jun 22, 2026
edited
Loading

Copy link
Copy Markdown

PR overview

All previously flagged issues have been addressed. No open security concerns remain on this pull request.

Security review

No open security issues remain on this pull request.

Fixed/addressed: 1 · PR risk: 0/10

sheensantoscapadngan
sheensantoscapadngan reviewed Jun 22, 2026
View reviewed changes
Comment thread packages/pam/local/access.go Outdated
@bernie-g bernie-g merged commit d3dc6d3 into pam-revamp Jun 22, 2026
28 of 29 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments
@veria-ai veria-ai[bot] veria-ai[bot] left review comments
@sheensantoscapadngan sheensantoscapadngan sheensantoscapadngan approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bernie-g @sheensantoscapadngan