Skip to content

fix: status code propagation #172

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
x032205 merged 1 commit into from
Apr 9, 2026
Merged

fix: status code propagation #172

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 24 additions & 8 deletions packages/pam/handlers/ssh/proxy.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -241,26 +241,42 @@ func (p *SSHProxy) handleChannel(ctx context.Context, newChannel ssh.NewChannel,
p.handleChannelRequests(serverRequests, clientChannel, sessionID, channelType, chState)
}()

// Proxy data bidirectionally with logging
errChan := make(chan error, 2)
clientToServerDone := make(chan error, 1)
serverToClientDone := make(chan error, 1)

// Client to Server
go func() {
err := p.proxyData(clientChannel, serverChannel, "client→server", sessionID, true, chState)
errChan <- err
// Send EOF so the remote process exits and delivers exit-status.
serverChannel.CloseWrite() //nolint:errcheck
clientToServerDone <- err
}()

// Server to Client
go func() {
err := p.proxyData(serverChannel, clientChannel, "server→client", sessionID, false, chState)
errChan <- err
serverToClientDone <- err
}()

// Wait for either direction to finish or context cancellation
// When client→server finishes first (SCP), wait for server→client to deliver
// the response. When server→client finishes first (exec), proceed immediately
// since the client→server goroutine may be blocked on stdin that never arrives.
select {
case err := <-errChan:
case err := <-clientToServerDone:
if err != nil && err != io.EOF {
log.Debug().Err(err).Str("sessionID", sessionID).Msg("Channel proxy error")
log.Debug().Err(err).Str("sessionID", sessionID).Msg("client→server proxy error")
}
select {
case err := <-serverToClientDone:
if err != nil && err != io.EOF {
log.Debug().Err(err).Str("sessionID", sessionID).Msg("server→client proxy error")
}
case <-time.After(3 * time.Second):
case <-ctx.Done():
}
case err := <-serverToClientDone:
if err != nil && err != io.EOF {
log.Debug().Err(err).Str("sessionID", sessionID).Msg("server→client proxy error")
}
Comment thread
sheensantoscapadngan marked this conversation as resolved.
case <-ctx.Done():
log.Info().Str("sessionID", sessionID).Msg("Channel cancelled by context")
Expand All @@ -269,7 +285,7 @@ func (p *SSHProxy) handleChannel(ctx context.Context, newChannel ssh.NewChannel,
// Brief window for exit-status to be forwarded before channel teardown.
select {
case <-serverReqDone:
case <-time.After(500 * time.Millisecond):
case <-time.After(3 * time.Second):
Comment thread
x032205 marked this conversation as resolved.
}
clientChannel.Close()
serverChannel.Close()
Expand Down
Loading