From 50b04413c757fe7b4ad48e6b598e9607873981f5 Mon Sep 17 00:00:00 2001
From: forfuncsake
Date: Tue, 15 Sep 2020 23:57:32 +1000
Subject: [PATCH] Block nebula ssh server from listening on port 22 (#266)

Port 22 is blocked as a safety mechanism. In a case where nebula is started before sshd, a system may be rendered unreachable if nebula is holding the system ssh port and there is no other connectivity. This commit enforces the restriction, which could previously be worked around by listening on an IPv6 address, e.g. "[::]:22".
---
 ssh.go | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/ssh.go b/ssh.go
index 2c071c2..03e8422 100644
--- a/ssh.go
+++ b/ssh.go
@@ -66,10 +66,11 @@ func configSSH(ssh *sshd.SSHServer, c *Config) error {
 return fmt.Errorf("sshd.listen must be provided")
 }
- port := strings.Split(listen, ":")
- if len(port) < 2 {
- return fmt.Errorf("sshd.listen does not have a port")
- } else if port[1] == "22" {
+ _, port, err := net.SplitHostPort(listen)
+ if err != nil {
+ return fmt.Errorf("invalid sshd.listen address: %s", err)
+ }
+ if port == "22" {
 return fmt.Errorf("sshd.listen can not use port 22")
 }
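Review bot: The literal comparison `port == "22"` on the new `if` line only rejects that exact spelling, while the listener that later binds the address accepts the same port written as a service name (`ssh`) or with a leading zero or sign (`022`, `+22`), so the safety check the commit message describes can still be bypassed. Resolving the port before comparing closes that: `portNum, err := net.LookupPort("tcp", port)`, `if err != nil { return fmt.Errorf("invalid sshd.listen port: %s", err) }`, `if portNum == 22 {`. The diffstat shows no import change, so `net` is presumably already imported in ssh.go; the import block and the rest of configSSH lie outside the hunk.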