[client,management] Rewrite the SSH feature

client/android/client.go

@@ -17,9 +17,9 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
+	"github.com/netbirdio/netbird/client/net"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/formatter"
-	"github.com/netbirdio/netbird/client/net"
 )
 
 // ConnectionListener export internal Listener for mobile

client/android/preferences.go

@@ -201,6 +201,94 @@ func (p *Preferences) SetServerSSHAllowed(allowed bool) {
 	p.configInput.ServerSSHAllowed = &allowed
 }
 
+// GetEnableSSHRoot reads SSH root login setting from config file
+func (p *Preferences) GetEnableSSHRoot() (bool, error) {
+	if p.configInput.EnableSSHRoot != nil {
+		return *p.configInput.EnableSSHRoot, nil
+	}
+
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return false, err
+	}
+	if cfg.EnableSSHRoot == nil {
+		// Default to false for security on Android
+		return false, nil
+	}
+	return *cfg.EnableSSHRoot, err
+}
+
+// SetEnableSSHRoot stores the given value and waits for commit
+func (p *Preferences) SetEnableSSHRoot(enabled bool) {
+	p.configInput.EnableSSHRoot = &enabled
+}
+
+// GetEnableSSHSFTP reads SSH SFTP setting from config file
+func (p *Preferences) GetEnableSSHSFTP() (bool, error) {
+	if p.configInput.EnableSSHSFTP != nil {
+		return *p.configInput.EnableSSHSFTP, nil
+	}
+
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return false, err
+	}
+	if cfg.EnableSSHSFTP == nil {
+		// Default to false for security on Android
+		return false, nil
+	}
+	return *cfg.EnableSSHSFTP, err
+}
+
+// SetEnableSSHSFTP stores the given value and waits for commit
+func (p *Preferences) SetEnableSSHSFTP(enabled bool) {
+	p.configInput.EnableSSHSFTP = &enabled
+}
+
+// GetEnableSSHLocalPortForwarding reads SSH local port forwarding setting from config file
+func (p *Preferences) GetEnableSSHLocalPortForwarding() (bool, error) {
+	if p.configInput.EnableSSHLocalPortForwarding != nil {
+		return *p.configInput.EnableSSHLocalPortForwarding, nil
+	}
+
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return false, err
+	}
+	if cfg.EnableSSHLocalPortForwarding == nil {
+		// Default to false for security on Android
+		return false, nil
+	}
+	return *cfg.EnableSSHLocalPortForwarding, err
+}
+
+// SetEnableSSHLocalPortForwarding stores the given value and waits for commit
+func (p *Preferences) SetEnableSSHLocalPortForwarding(enabled bool) {
+	p.configInput.EnableSSHLocalPortForwarding = &enabled
+}
+
+// GetEnableSSHRemotePortForwarding reads SSH remote port forwarding setting from config file
+func (p *Preferences) GetEnableSSHRemotePortForwarding() (bool, error) {
+	if p.configInput.EnableSSHRemotePortForwarding != nil {
+		return *p.configInput.EnableSSHRemotePortForwarding, nil
+	}
+
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return false, err
+	}
+	if cfg.EnableSSHRemotePortForwarding == nil {
+		// Default to false for security on Android
+		return false, nil
+	}
+	return *cfg.EnableSSHRemotePortForwarding, err
+}
+
+// SetEnableSSHRemotePortForwarding stores the given value and waits for commit
+func (p *Preferences) SetEnableSSHRemotePortForwarding(enabled bool) {
+	p.configInput.EnableSSHRemotePortForwarding = &enabled
+}
+
 // GetBlockInbound reads block inbound setting from config file
 func (p *Preferences) GetBlockInbound() (bool, error) {
 	if p.configInput.BlockInbound != nil {

client/cmd/root.go

@@ -35,7 +35,6 @@ const (
 	wireguardPortFlag        = "wireguard-port"
 	networkMonitorFlag       = "network-monitor"
 	disableAutoConnectFlag   = "disable-auto-connect"
-	serverSSHAllowedFlag     = "allow-server-ssh"
 	extraIFaceBlackListFlag  = "extra-iface-blacklist"
 	dnsRouteIntervalFlag     = "dns-router-interval"
 	enableLazyConnectionFlag = "enable-lazy-connection"
@@ -64,7 +63,6 @@ var (
 	customDNSAddress        string
 	rosenpassEnabled        bool
 	rosenpassPermissive     bool
-	serverSSHAllowed        bool
 	interfaceName           string
 	wireguardPort           uint16
 	networkMonitor          bool
@@ -176,7 +174,6 @@ func init() {
 	)
 	upCmd.PersistentFlags().BoolVar(&rosenpassEnabled, enableRosenpassFlag, false, "[Experimental] Enable Rosenpass feature. If enabled, the connection will be post-quantum secured via Rosenpass.")
 	upCmd.PersistentFlags().BoolVar(&rosenpassPermissive, rosenpassPermissiveFlag, false, "[Experimental] Enable Rosenpass in permissive mode to allow this peer to accept WireGuard connections without requiring Rosenpass functionality from peers that do not have Rosenpass enabled.")
-	upCmd.PersistentFlags().BoolVar(&serverSSHAllowed, serverSSHAllowedFlag, false, "Allow SSH server on peer. If enabled, the SSH server will be permitted")
 	upCmd.PersistentFlags().BoolVar(&autoConnectDisabled, disableAutoConnectFlag, false, "Disables auto-connect feature. If enabled, then the client won't connect automatically when the service starts.")
 	upCmd.PersistentFlags().BoolVar(&lazyConnEnabled, enableLazyConnectionFlag, false, "[Experimental] Enable the lazy connection feature. If enabled, the client will establish connections on-demand. Note: this setting may be overridden by management configuration.")