Add fork after authentication for tsh ssh

[atburke]

This change adds the ability for tsh to fork after authentication (tsh ssh -f), analogous to ssh -f. After authentication completes (including access requests, per-session MFA, etc.), the foreground tsh process returns while the actual ssh session continues in a background process. The child process may not read from the original stdin once disowned.

Resolves #52255.

Changelog: Added fork after authentication to tsh ssh

[avatus]

whats the best way to test this?

[atburke]

@avatus The simplest way is to do something like tsh ssh -f <node> "sleep 3 && echo test", so you can see that tsh exits and then test is written afterwards.

[atburke]

Reviewers, the tests are fixed and this is now ready for review.

[avatus]

it works for me

[avatus]

I'd like to wait to merge until you have another backender look at this. Thank you!

[rosstimothy]

This does not work when per-session mfa is required. See the attached demo. There is never a prompt for MFA and to the user the connection appears to hang forever.

Screen.Recording.2025-05-16.at.9.43.45.AM.mov

Update: It looks like the prompt can eventually get triggered by the user pressing enter.

Screen.Recording.2025-05-16.at.9.48.20.AM.mov

[espadolini]

Should we have the child process exit if the parent is killed before the detach point, or is that not really necessary?

[espadolini]

In the windows case nothing keeps signalW alive in here, so its finalizer is liable to close it before the child is spawned.

[espadolini]

This is still an issue AFAICT. In UNIX there's a []*os.File in exec.Cmd which keeps the signalW object alive, but in windows we just have a []uintptr and the garbage collector is liable to trigger the execution of the finalizer of signalW at any point after line 73 (or even right before addSignalFdToChild returns).

[atburke]

Is this not fixed by unsetting the finalizer here?

teleport/lib/client/reexec_windows.go

Line 41 in 45bd0da

runtime.SetFinalizer(signal, nil)

[espadolini]

I missed that, but that's... pretty bad? We're now just leaking the read side signal pipe (admittedly we're also doing that on the unix case now that I look at it further, it's just technically not a leak because the file object is still in the exec.Cmd) and we're also never going to unblock on the read if the process dies, since we are holding open the other end of the pipe on our end.

*os.File is also not documented (and thus not guaranteed) to use a finalizer, it could be using a cleanup, it could be using special runtime magic that we can't interact with - and the finalizer on *os.File is a last resort to try to avoid file descriptor leaks in misbehaving code, not something that correct code should ever deal with.

A proper way to do this would be to carry both sides of the pipe in forkAuthCmd (if we have to use a dedicated object for this) and then close the write side immediately after Run.

[espadolini]

Is this guaranteed to return 1, nil if the child writes a byte and closes the pipe? Is 1, io.EOF a possibility? Is 0, nil a possibility, technically?

[atburke]

I would consider those cases to be equivalent for our purposes, as we really just the Read to finish. They are now handled.

[espadolini]

At this level we should not be dealing in go objects, we should open /dev/null and clone it over fd 0 - never close the stdio file descriptors, always replace them with something like /dev/null or newly opened files are liable to end up in there (I'm not sure how things works in windows tho, I'm afraid).

[espadolini]

Do we need a setsid() call or something, too?

[bl-nero]

I'm curious: is it because reading from a closed stdin is going to fail, or is there some other caveat I'm not aware of?

[espadolini]

Newly opened files are opened in the lowest file descriptor, and lots of things sort of assume that 0, 1 and 2 are always the stdio fds, so if you close one of those three and then open something else in some other thread you might end up with data going where it's not supposed to go.

[bl-nero]

Oh, wow, that's a good thing to know. Thanks!

[atburke]

I ended up just replacing tc.Stdin with /dev/null, as that's what the ssh session will use, and at the point the child calls OnAuthenticate we won't be in the middle of any reads.

[rosstimothy]

Would there be any benefit to lumping all of these into a single defer func () { }?

[rosstimothy]

Is sending nil if no error is returned of any use? The disownReady channel is only consumed a single time below and we will have already wrote nil to the channel above.

Suggested change

	disownReady <- err
	if err == nil {
	disownReady <- nil
	return
	}
	disownReady <- err

[rosstimothy]

Suggestion: shadow t here so it can't accidentally be used instead of collect?

Suggested change

	assert.EventuallyWithT(t, func(collect *assert.CollectT) {
	assert.Equal(collect, "stdout: hello\n", stdout.String())
	assert.Equal(collect, "stderr: hello\n", stderr.String())
	assert.EventuallyWithT(t, func(t *assert.CollectT) {
	assert.Equal(t, "stdout: hello\n", stdout.String())
	assert.Equal(t, "stderr: hello\n", stderr.String())

[rosstimothy]

Same suggestion as above.

Suggested change

	require.EventuallyWithT(t, func(collect *assert.CollectT) {
	assert.Equal(collect, "stdout: hello\n", stdout.String())
	assert.Equal(collect, "stderr: hello\n", stderr.String())
	require.EventuallyWithT(t, func(t *assert.CollectT) {
	assert.Equal(t, "stdout: hello\n", stdout.String())
	assert.Equal(t, "stderr: hello\n", stderr.String())

[rosstimothy]

Maybe consider bumping these up to something that seems a bit unreasonable to prevent CI from flaking? Same for below.

Suggested change

	}, time.Second, 10*time.Millisecond)
	}, 10*time.Second, 100*time.Millisecond)

[rosstimothy]

Same suggestion as above.

Suggested change

	return assert.EventuallyWithT(t, func(collect *assert.CollectT) {
	assert.FileExists(collect, testFile)
	return assert.EventuallyWithT(t, func(t *assert.CollectT) {
	assert.FileExists(t, testFile)

[espadolini]

This should close cmd.signalW and cmd.killR rather than the ExtraFiles, ExtraFiles is empty on windows.

[espadolini]

Protection against 1, io.EOF, 0, nil and other unsavory situations.

Suggested change

	_, err := cmd.signalR.Read(make([]byte, 1))
	disownReady <- err
	n, err := cmd.signalR.Read(make([]byte, 1))
	if n > 0 {
	disownReady <- nil
	} else if err == nil {
	// this should be impossible according to the io.Reader contract
	disownReady <- io.UnexpectedEOF
	} else {
	disownReady <- err
	}

[espadolini]

Can't Kill fail if the process was already finished? It also seems weird to leave a goroutine blocked on Wait but if the killing has failed for reasons out of our control there's not much we can truly do.

Perhaps we can give it a couple more seconds to wait for the exit status from Wait() here? In general once we've spawned the goroutine we should do our best not to exit the function before the goroutine is finishing.

[espadolini]

Fd() has an unfortunate side effect on some files, turning them blocking (and stdin's fd is always 0 syscall.Stdin so we don't need to Fd() it). This was also leaking the new devNull file on early errorful returns.

Suggested change

	if err := syscall.Dup2(int(devNull.Fd()), int(os.Stdin.Fd())); err != nil {
	return nil, trace.Wrap(err)
	}
	rc, err := devNull.SyscallConn()
	if err != nil {
	_ = devNull.Close()
	return nil, trace.Wrap(err)
	}
	var dupErr error
	if ctrlErr := rc.Control(func(fd uintptr) {
	dupErr = syscall.Dup2(int(fd), syscall.Stdin)
	// stdin is not O_CLOEXEC after dup2 but thankfully the three stdio
	// file descriptors must be not O_CLOEXEC anyway, so we can avoid
	// a linux-specific implementation or syscall.ForkLock shenanigans
	}); ctrlErr != nil {
	_ = devNull.Close()
	return nil, trace.Wrap(ctrlErr)
	}
	if dupErr != nil {
	_ = devNull.Close()
	return nil, trace.Wrap(err)
	}

[espadolini]

These two returns drop cmd without calling its Wait, which is liable to panic due to the finalizer guard.

[espadolini]

Suggested change

	forkAuthSuccessful := &atomic.Bool{}
	var forkAuthSuccessful atomic.Bool

[espadolini]

I would urge you to look at runForkAuthenticateChild again and see if you can simplify it in such a way that it doesn't lead to various resources getting leaked depending on which exit condition we happen to hit.

[espadolini]

Suggested change

	defer func() {
	defer func() {
	cmd.killR.Close()
	cmd.signalW.Close()

[espadolini]

Is this right? We're waiting on it, if we release it we might not actually see the process exit, will we? Won't Release return an error if we've already successfully waited the process?

[espadolini]

This is the only occurrence of ctx in this - what happens if the context actually expires? Won't it result in a zombie process, if the process doesn't cooperate?

[espadolini]

Please undo the "Rewrite to use signals instead of pipes" commit, nothing was ever made simpler by using more asynchronous signals rather than pipes.

[espadolini]

This is racy, the pid of the parent could've been reused by the time we hit this.

[backport-bot-workflows]

@atburke See the table below for backport results.

Branch	Result
branch/v16	Failed
branch/v17	Failed