feat: add SSH settings for device and namespace

[henrybarreto]

Add allow-based SSH settings for both namespace and device configuration, update the backend migrations and auth flow, and wire the React console to edit the new settings consistently.

Closes #6136

---

Namespace's settings:

Device's settings:

[github-actions]

Claude finished @henrybarreto's task in 7m 11s —— View job

---

Code Review Complete

Reviewed 28 files. 6 inline issues posted (2 critical, 2 high, 2 medium).

Critical: Cloud compilation breakage (non-inlinable)

DeviceIsOnline and DeviceOnlineThreshold were removed from api/store/pg/device.go, but cloud/pkg/store/pg/session.go still references both symbols via the shpg import alias (lines 220, 258, 262). This will cause a compilation failure in the cloud repo. These removals appear unrelated to the disable password/public key feature — either restore them or submit a companion cloud PR first.

Additional notes

• This PR includes several unrelated changes mixed into the same commit: removal of DeviceIsOnline/DeviceOnlineThreshold, removal of fromLt filter, session online check removals, CLI refactoring, and UUID mock changes. Consider splitting these into separate commits or PRs.
• Missing migration test: migration_121_test.go does not exist, while virtually every other migration (1–120) has one. Consider adding it following the existing pattern.

---

If you've addressed the feedback and want a new review, tag @shellhub-io/admin and a team member can trigger it.

[gustavosbarreto]

/review

[github-actions]

Claude finished @gustavosbarreto's task in 7m 6s —— View job

---

Code Review Complete

Reviewed 32 files. 2 inline issues posted (1 critical, 1 high).

Critical: Auth method restriction bypass via SSH fallback

The DisablePassword/DisablePublicKey checks in Evaluate() are only called when the session state is StateEvaluated (session.go:650). When an SSH client's first auth method passes Evaluate() and register() but fails at connect(), the state is already saved as StateRegistered. On fallback to a second auth method, Auth() enters the StateRegistered case directly, skipping Evaluate() entirely. This allows bypassing disable_password by first attempting (and failing) public key auth, then falling back to password — the DisablePassword check never runs. See inline comment for details and fix.

Additional notes

• Cloud admin NamespaceUpdate silently drops new settings: cloud/internal/admin/services/namespace.go:68-71 copies settings fields individually (SessionRecord, ConnectionAnnouncement) but does not copy the new DisablePassword/DisablePublicKey fields. When an admin updates a namespace through the cloud admin service, these settings will be silently reset to false. A companion cloud change is needed.

• Previous review findings still open: The critical bson:"omitempty" bug on boolean fields (pkg/models/namespace.go:54-55) and the disable_public_key not being handled in the terminal login form (ui/src/components/Terminal/TerminalLoginForm.vue) from the prior review remain unaddressed.

---

If you've addressed the feedback and want a new review, tag @shellhub-io/admin and a team member can trigger it.

[github-actions]

Critical: DisablePublicKey check can be bypassed via SSH auth method fallback

This Evaluate() check and the corresponding DisablePassword check in passwordAuth.Evaluate() are only called from Auth() in session.go when the session state is StateEvaluated (line 650). When the first auth method (e.g., public key) passes Evaluate() and register(), the state advances to StateRegistered (line 658) before connect() runs. If connect() then fails (unauthorized key), the state remains StateRegistered. When the SSH client falls back to a second auth method (e.g., password), Auth() enters the StateRegistered case directly, completely skipping auth.Evaluate().

Attack scenario: Admin sets disable_password: true. An attacker with no authorized key: (1) attempts public key auth — Evaluate() passes (public key not disabled), register() succeeds → state becomes StateRegistered, connect() fails; (2) falls back to password auth — enters StateRegistered, passwordAuth.Evaluate() is never called, DisablePassword check is bypassed, password is forwarded to the agent. Same bypass works in reverse for disable_public_key.

Fix: In session.go Auth() method, move the auth.Evaluate(sess) call before the switch state block so it runs on every authentication attempt regardless of cached session state.

Fix this →