fix(ssh): gate verbose SSH debug logging behind ssh.debug config flag

Author: fabiovincenzi

config.schema.json

@@ -394,6 +394,11 @@
         "agentForwardingErrorMessage": {
           "type": "string",
           "description": "Custom error message shown when SSH agent forwarding is not enabled or no keys are loaded in the client's SSH agent. If not specified, a default message with git config commands will be shown. This allows organizations to customize instructions based on their security policies."
+        },
+        "debug": {
+          "type": "boolean",
+          "description": "Enable verbose SSH protocol debug logging (both for the local SSH server and for outbound connections to remote Git servers). Emits one log line per SSH packet, so leave disabled in production.",
+          "default": false
         }
       },
       "required": ["enabled"]

src/config/generated/config.ts

@@ -558,6 +558,12 @@ export interface SSH {
    * security policies.
    */
   agentForwardingErrorMessage?: string;
+  /**
+   * Enable verbose SSH protocol debug logging (both for the local SSH server and for outbound
+   * connections to remote Git servers). Emits one log line per SSH packet, so leave disabled
+   * in production.
+   */
+  debug?: boolean;
   /**
    * Enable SSH proxy server. When enabled, clients can connect via SSH and the proxy will
    * forward their SSH agent to authenticate with remote Git servers.
@@ -1008,6 +1014,7 @@ const typeMap: any = {
         js: 'agentForwardingErrorMessage',
         typ: u(undefined, ''),
       },
+      { json: 'debug', js: 'debug', typ: u(undefined, true) },
       { json: 'enabled', js: 'enabled', typ: true },
       { json: 'port', js: 'port', typ: u(undefined, 3.14) },
     ],

src/proxy/ssh/GitProtocol.ts

@@ -28,6 +28,11 @@ import * as ssh2 from 'ssh2';
 import { ClientWithUser } from './types';
 import { validateSSHPrerequisites, createSSHConnectionOptions } from './sshHelpers';
 import { parsePacketLines } from '../processors/pktLineParser';
+import { getSSHConfig } from '../../config';
+
+function isDebugEnabled(): boolean {
+  return getSSHConfig()?.debug === true;
+}
 
 /**
  * Parser for Git pkt-line protocol
@@ -285,7 +290,7 @@ export async function forwardPackDataToRemote(
     command,
     client,
     remoteHost,
-    { clientStream: stream, debug: true, keepalive: true },
+    { clientStream: stream, debug: isDebugEnabled(), keepalive: true },
     (remoteStream) => {
       console.log(`[SSH] Forwarding pack data for user ${userName}`);
 
@@ -345,7 +350,7 @@ export async function connectToRemoteGitServer(
     remoteHost,
     {
       clientStream: stream,
-      debug: true,
+      debug: isDebugEnabled(),
       keepalive: true,
       requireAgentForwarding: true,
     },

src/proxy/ssh/server.ts

@@ -59,11 +59,14 @@ export class SSHServer {
       keepaliveInterval: 20000, // 20 seconds is recommended for SSH connections
       keepaliveCountMax: 5, // Recommended for SSH connections is 3-5 attempts
       readyTimeout: 30000, // Longer ready timeout
-      debug: (msg: string) => {
-        console.debug('[SSH Debug]', msg);
-      },
     };
 
+    if (sshConfig.debug) {
+      serverOptions.debug = (msg: string) => {
+        console.debug('[SSH Debug]', msg);
+      };
+    }
+
     this.server = new ssh2.Server(
       serverOptions as any, // ssh2 types don't fully match our extended interface
       (client: ssh2.Connection, info: any) => {