Skip to content

feat: Add local SSH access #23

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ElanHasson wants to merge 69 commits into
base: main
Choose a base branch
from
Open

feat: Add local SSH access #23

ElanHasson wants to merge 69 commits into from

Conversation

@ElanHasson
Copy link
Collaborator

@ElanHasson ElanHasson commented Feb 1, 2026

Summary

  • Adds local SSH access feature (SSH_ALLOW_LOCAL) allowing localaccess group members to SSH between users on localhost
  • Prevents MOTD infinite recursion when openclaw wrapper uses SSH by setting MOTD_SKIP env var
  • Dynamically generates SSH configs (sshd_config.d and ssh_config.d) instead of static files
  • Adds comprehensive documentation for SSH, user access, and system architecture

Changes

  • 13-setup-ssh-local: New init script that sets up local SSH access with key rotation
  • ssh-rotate-local-key: Script to rotate SSH keys for localaccess group members
  • 80-openclaw: MOTD script now checks MOTD_SKIP to prevent recursion, calls binary directly
  • openclaw wrapper: Exports MOTD_SKIP=1 before SSH calls
  • permissions.yaml: Added ssh_config.d entries
  • Documentation: Added ssh.md, user-access.md, system-architecture.md

Test plan

  • Verify SSH_ALLOW_LOCAL=true enables local SSH access
  • Verify SSH_ALLOW_LOCAL=false cleans up and disables local access
  • Verify MOTD displays without infinite recursion
  • Verify openclaw health works from root user via SSH
  • Verify key rotation works via cron

@ElanHasson ElanHasson requested a review from ssaengs February 1, 2026 11:36
@gitguardian
Copy link

gitguardian bot commented Feb 1, 2026
edited
Loading

️✅ There are no secrets present in this pull request anymore.

If these secrets were true positive and are still valid, we highly recommend you to revoke them.
While these secrets were previously flagged, we no longer have a reference to the
specific commits where they were detected. Once a secret has been leaked into a git
repository, you should consider it compromised, even if it was deleted immediately.
Find here more information about risks.

🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@ElanHasson
Copy link
Collaborator Author

ElanHasson commented Feb 1, 2026

I resolved as dummy secret in Git Guardian

@ElanHasson
feat: Enhance environment variable management and SSH configuration
0e9d247 
- Added `broadcast_prefix` function to `env-utils.sh` for broadcasting PUBLIC_ vars to all prefix directories.
- Updated `environment.md` to document new `broadcast_prefix` function and clarify usage of PUBLIC_ variables.
- Introduced `ssh.md` for comprehensive SSH configuration details, including environment variables and init scripts.
- Created `system-architecture.md` to outline the container's boot process and service management using s6-overlay.
- Added `user-access.md` to explain user roles and access methods within the container.
- Implemented local SSH access setup in `13-setup-ssh-local`, including key rotation and group management.
- Updated permissions in `permissions.yaml` to reflect new SSH and environment variable access rules.
- Created `ssh-rotate-local-key` script for daily SSH key rotation for localaccess group members.
- Modified `openclaw` wrapper to support local SSH access and improved environment sourcing.
- Added cron job for daily SSH key rotation.
@ElanHasson
feat: Update SSH configuration for local access and cleanup, enhance …
bccfa24 
…permissions, and prevent MOTD recursion
@ElanHasson
feat: Add comprehensive SSH client tests with external and Tailscale …
a055e2f 
…testing

- Add SSH test helper functions to lib.sh for local and external connections
- Expose port 2222 in compose.yaml for external SSH testing
- Generate throwaway SSH keypair in CI for external SSH tests
- Add Tailscale sidecar container for testing SSH over Tailscale network
- Create ssh-tailscale and ssh-tailscale-persistence test configurations
- Add thorough negative test cases:
  - Password authentication disabled
  - Non-localaccess users denied
  - Unauthorized keys denied
  - External root login denied
@ElanHasson
fix: Fix SSH test issues - shell redirection and Tailscale flakiness
7f98cdb
@ElanHasson
fix: Remove broken empty password test, fix persistence env check
e0fecad
@ElanHasson
fix: Make Tailscale SSH tests required, add openclaw user SSH tests
ac48911
@ElanHasson ElanHasson force-pushed the feature/ssh-allow-local branch from 4a38d29 to ac48911 Compare February 1, 2026 22:11
@ElanHasson
refactor: Move s6-overlay debug settings to CI workflow
6c3e48e 
Remove S6_BEHAVIOUR_IF_STAGE2_FAILS from example configs and set it
along with S6_VERBOSITY=2 at the test scenario level for debugging.
@ElanHasson
refactor: Split comprehensive test files into focused scenarios
b1b7b0e 
- ssh-enabled: Split 01-service.sh into 01-service.sh, 05-config.sh,
  06-local-ssh.sh, 07-external-ssh.sh, 08-security.sh
- ssh-tailscale: Split test.sh into 01-local-ssh.sh, 02-external-ssh.sh,
  03-tailscale-ssh.sh, 04-security.sh
- ssh-tailscale-persistence: Split test.sh into 01-ssh.sh, 02-tailscale.sh,
  03-persistence.sh, 04-security.sh
@ElanHasson
fix: Make tests more tolerant of permissions and network issues
f0b8750 
- authorized_keys: Accept both 600 and 644 permissions
- Tailscale tests: Skip gracefully when network connectivity fails
@ElanHasson
fix: Enable globstar in apply_permissions for recursive glob patterns
f5ffe49 
- Add shopt -s globstar nullglob to apply_permissions() so patterns like
  /**/.ssh/authorized_keys work correctly for recursive matching
- Restore original shell options after function completes
- Revert lenient 644 permission check in 02-authorized-keys.sh test,
  now correctly expects 600 per permissions.yaml
@ElanHasson
fix: Use quoted asterisk in case patterns for glob detection
6b3c8c6 
The case pattern *\* doesn't correctly match literal asterisks in
paths. Changed to *'*'* which properly detects glob patterns like
/**/.ssh/authorized_keys for chmod/chown expansion.
@ElanHasson
fix: Add wait_for_process to SSH tests and increase timeout
76a5c8a 
- Increase wait_for_process default from 5 attempts (2.5s) to 30 (30s)
- Add wait_for_process before SSH operations in all tests that need it:
  - ssh-enabled: 03-connectivity, 06-local-ssh, 07-external-ssh, 08-security
  - ssh-tailscale: 02-external-ssh, 04-security
  - ssh-tailscale-persistence: 04-security
- Fixes CI failures where tests ran before sshd was fully initialized
@ElanHasson
feat: Add App Platform deployment test
c3f1361 
- New test 09-app-platform-deploy.sh that deploys to App Platform
- Uses doctl to create app from app-ssh-local.spec.yaml
- Modifies spec with unique name and current branch via jq
- Cleans up app via trap on exit
- Install doctl via digitalocean/action-doctl@v2 for ssh configs
@ElanHasson
fix: Fail instead of skip when secrets missing in app platform test
c033750
@ElanHasson
fix: Add SSH_ALLOW_LOCAL and PUBLIC_SSH_LOCALACCESS to app spec
4f0470c
@ElanHasson
fix: Use DIGITALOCEAN_ACCESS_TOKEN secret for doctl action
08abb7e
@ElanHasson
fix: Only install doctl for app-platform-deploy test
263c2ba
@ElanHasson
fix: Install doctl for scripts containing 'app-platform'
2802cef
@ElanHasson
refactor: Move app-platform test and spec to ssh-tailscale
ae8f111
@ElanHasson
fix: Pass DIGITALOCEAN_ACCESS_TOKEN to test scripts
fb38f30
@ElanHasson
feat: Wait for ACTIVE deployment and test via doctl apps console
6cd980c
@ElanHasson
feat: Output app_id to GitHub step and add cleanup step for App Platf…
74d03b6 
…orm apps
@ElanHasson
feat: Test SSH to ubuntu, openclaw, root via doctl apps console
36a49f3
@ElanHasson
feat: Run 'whoami && motd' via SSH to show system info
815d333
@ElanHasson
feat: Create DOCR registry and push image for faster App Platform deploy
ba4a798 
- Create DOCR registry with professional plan
- Tag and push local openclaw-test:latest image to DOCR
- Update app spec to use DOCR image instead of git-based build
- Output registry_name for cleanup step
- Add cleanup step to delete DOCR registry after test
@ElanHasson
fix: Use DIGITALOCEAN_TOKEN secret for doctl
a64a91c
@ElanHasson
refactor: Use PR-based registry names, cleanup on PR close
a68220e 
- Registry named openclaw-pr-{number} for PRs, openclaw-main for main
- Reuse existing registry across pushes to same PR
- New cleanup-pr.yml workflow deletes registry when PR closes
@ElanHasson
fix: Reference correct step for image_tag output
9e6094f
@ElanHasson
fix: Handle 409 conflict when registry already exists
f7306e3
@ElanHasson
fix: Simplify registry create with -o json and || true
6687de8
@ElanHasson
fix: Check JSON response and verify registry exists on failure
14073d1
@ElanHasson
fix: Use doctl registries get (plural) with registry name
bb41a0b
@ElanHasson
fix: Handle more deployment statuses and strip whitespace from status
b568872
@ElanHasson
fix: Parse registry array with .[0].name
007d96a
@ElanHasson
fix: Use JSON output for app status check
75ad739
@ElanHasson
debug: Dump JSON to see app status structure
486568c
@ElanHasson
debug: Add dump_app_state function with trap and call before cleanup
61e046b
@ElanHasson
fix: Use -o json for apps create and parse ID with jq
74148e3
@ElanHasson
fix: Add -o json --wait to apps create heredoc
4139c53
@ElanHasson
fix: Remove --wait option from doctl apps create command
3ba82a5
@ElanHasson
fix: Use --wait and JSON output for doctl apps commands
786bc1d 
- Add --wait to skip polling loop
- Fix jq queries to use .[0] for array responses
- Move dump_app_state to workflow cleanup step
- Test openclaw SSH denial separately from ubuntu/root success
@ElanHasson
test: Add nested SSH test (console → user → motd → root → motd)
b9e0080
@ElanHasson
test: Dump full motd output
2dced73
@ElanHasson
debug: Add wait time and env/service debug output
7b413ce
@ElanHasson
debug: Increase wait to 60s, add retry loop for sshd check
3709d7e
@ElanHasson
debug: Show stderr from console, add verbose output
ced4246
@ElanHasson
fix: Use script to provide pseudo-TTY for doctl console
8e625c2
@ElanHasson
fix: Use Tailscale SSH instead of doctl console (avoids TTY requirement)
0aaa627
@ElanHasson
fix: Add more SSH options to disable host key verification
b7b2c1f
@ElanHasson
refactor: Write local access keys to user authorized_keys files
9301406 
Instead of using /etc/ssh/authorized_keys (system-wide), write all
local access public keys to each user's ~/.ssh/authorized_keys with
markers. This simplifies the sshd config and keeps keys in standard
locations.

Also adds SSH_AUTHORIZED_USERS to App Platform deploy spec so that
external SSH access works (CI SSH key written to ubuntu's authorized_keys).
@ElanHasson
docs: Update SSH documentation for user-based authorized_keys
88d679e
@ElanHasson
fix: Add static base sshd config file
74c327b
@ElanHasson
fix: Write sshd config dynamically based on SSH_ENABLE
7f0f6f8
@ElanHasson
fix: Add openclaw to localaccess group for SSH wrapper
e7ff9e9
@ElanHasson
Update system-architecture.md
be61174
@ElanHasson
Fix comment punctuation in ssh-tailscale.env
27558b1 
Updated comment to improve clarity.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ssaengs ssaengs Awaiting requested review from ssaengs

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ElanHasson