🐛 BUG: ssh "invalid flag" help output goes to stderr

[shish]

What version of nebula are you using?

1.6.1

What operating system are you using?

mac

Describe the Bug

ssh into nebula

print-cert -help: see the help output over the ssh connection, as expected

print-cert --help: help output goes to the daemon's stderr (not expected), and the ssh output shows the current host's certificate (not expected)

Logs from affected hosts

No response

Config files from affected hosts

No response

[brad-defined]

The help output goes to stderr, not stdout. It does so because flag.Parse(), used to parse the SSH command, calls flag.Usage() on a parse error. (You can cause this same behavior by providing any SSH command that fails to parse, like print-cert -blahblah)

We could modify flag.Usage() to not print help to stderr on parse failures. But this is a global function, so that would also affect the behavior of other flag error handling in Nebula, like the ./nebula command itself, or in any program that embeds this code.

-EDIT- @JohnMaguire told me that one can edit the Usage() function of a FlagSet struct, which will enable us to control this behavior in just the SSH server code. That looks like a solid plan for this one. https://pkg.go.dev/flag#FlagSet