refactor!(auth): drop SSH handshake secret#1274
Conversation
|
Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually. Contributors can view more details about this message here. |
TaylorMutch
force-pushed
the
tmutch/ssh-handshake-helm-fix
branch
from
0f5b57c to
72be22f
Compare
|
🌿 Preview your docs: https://nvidia-preview-pr-1274.docs.buildwithfern.com/openshell |
TaylorMutch
changed the title
The OPENSHELL_SSH_HANDSHAKE_SECRET / x-sandbox-secret mechanism was misnamed: it does not authenticate SSH (which flows over the RelayStream gRPC RPC and is gated by mTLS plus supervisor Unix-socket permissions). It only gated a small set of sandbox-to-gateway control-plane RPCs, and production deployments already enforce mTLS on that channel — so the shared secret was redundant. Replace the secret check with an mTLS-presence marker. Sandbox-class methods (ReportPolicyStatus, PushSandboxLogs, GetSandboxProviderEnvironment, SubmitPolicyAnalysis, GetSandboxConfig, GetInferenceBundle) accept callers without a Bearer token; the gRPC mTLS handshake is the trust boundary. Dual-auth methods treat Bearer-present as full-scope CLI access and Bearer-absent as sandbox-restricted scope via validate_sandbox_caller_update. Drops the secret from all drivers (K8s, Podman, VM), the sandbox gRPC interceptor, the Helm chart (values + pre-install hook + StatefulSet env), the RPM bootstrap script, the man pages, and the debug-openshell-cluster skill. Also removes the never-read ssh_handshake_skew_secs flag and config field. BREAKING CHANGE: --ssh-handshake-secret / OPENSHELL_SSH_HANDSHAKE_SECRET and --ssh-handshake-skew-secs / OPENSHELL_SSH_HANDSHAKE_SKEW_SECS are removed from the gateway, sandbox, and all driver binaries. The openshell-ssh-handshake K8s Secret is no longer managed by the chart; operators may delete the orphan. Deployments using --disable-gateway-auth must enforce caller authentication at the fronting proxy, since the gateway no longer validates a per-request secret on sandbox-class methods. Refs OS-174.
TaylorMutch
force-pushed
the
tmutch/ssh-handshake-helm-fix
branch
from
72be22f to
1df4404
Compare
TaylorMutch
requested review from
a team,
derekwaynecarr,
maxamillion and
mrunalp
as code owners
|
Label |
Sweep across docs, e2e scripts, the Podman driver README/NETWORKING notes, the RPM/Helm/setup guides, the gateway man page, and RFC 0003 to remove instructions and examples that still referenced OPENSHELL_SSH_HANDSHAKE_SECRET / --ssh-handshake-secret / ssh_handshake_skew_secs. The mechanism is gone; nothing should still suggest setting it. Negative-assertion regression tests are kept so the env var cannot silently be re-introduced.
The supporting code, env vars, CLI flags, and config plumbing are gone — these tests asserted absence of strings that no longer have any path to being set. Remove the guards from the Docker, Podman, Kubernetes, and VM driver test modules.
|
Update VM e2e after removing the CLI flag — |
drew
left a comment
drew
left a comment
There was a problem hiding this comment.
Looks good, just the one comment around updating e2e vm tests
|
Do we want to add a warning log for when someone passes |
We can; this isn't a new problem though, we have raised #1354 which captures the problem overall. |
Going to work on this as a follow up. |
) * chore: remove SSH handshake secret residuals and fix agent memory Removes three artifacts left behind by the #1274 removal of OPENSHELL_SSH_HANDSHAKE_SECRET, then corrects a sweep of stale and inaccurate notes in .claude/agent-memory/arch-doc-writer/MEMORY.md that were discovered during the audit. Artifact removal (Refs OS-174): - openshell.spec: stale comment claiming init-gateway-env.sh generates an SSH handshake secret - e2e/with-podman-gateway.sh: dead podman secret rm for openshell-handshake-<id>, which is never created since #1274 Agent memory corrections: - ssh_tunnel.rs no longer exists; replaced by ssh_sessions.rs - Object types list was missing service_endpoint and provider_profile - Pre-exec chain now includes harden_child_process() and uses the linux::prepare()/enforce() two-phase pattern on Linux - CLI SSH function list had nonexistent sandbox_rsync; corrected to actual exported functions - ExecSandbox is in grpc/sandbox.rs (not grpc.rs) and operates over a supervisor relay DuplexStream, not a direct TCP connection - resolve_ssh_gateway() moved to openshell-core/src/forward.rs - SSH transport note rewrote: NSSH1 is an OCSF-only label (not a live protocol preface); actual path is ForwardTcp -> DuplexStream -> RelayStream -> Unix socket; access gated by CreateSshSession token; TLS follows endpoint scheme (https:// = mTLS, http:// = plaintext; Podman driver does not yet inject mTLS client materials) - CLI flag note was self-contradictory; corrected to --gateway-endpoint with resolution priority chain * fix(vm): collapse nested if blocks to satisfy clippy::collapsible_if Three nested if blocks in connect_local_container_engine() were flagged by clippy after #1370. Collapse to single if-let chains using && as suggested.
3 participants
Summary
Removes the misnamed `OPENSHELL_SSH_HANDSHAKE_SECRET` (`x-sandbox-secret`) mechanism. It did not authenticate SSH — SSH flows over the `RelayStream` gRPC RPC and is gated by mTLS plus the supervisor's Unix-socket permissions — it only gated a small set of sandbox→gateway control-plane RPCs. Production deployments already enforce mTLS on that channel, so the shared secret was redundant.
Related Issue
Refs OS-174.
Changes
Breaking changes
Testing
Checklist