Add SSH support to ACLs #661
Comments
Hi @GrigoriyMikhalkin, I am looking at it already - but want to merge some big stuff before. But feel free to try :)
Advertises the SSH capability, and (incompletely) parses the SSH ACLs to pass to the tailscale client. Doesn’t support most of the ACL features yet, just very basic “accept” rules. Will fix juanfont#661 once it is finished.
I started on implementing this, but have not yet had a chance to test it. It is at least good enough to let
@617a7a I'll look into it as soon as we have the new protocol fully working
@db48x I tried the code from your fork, and I can't seem to get it to work even with ACLs explicitly specified. For example, my ACL configuration has:

```json
{
  "groups": {
    "group:example": [
      "example" // Namespace
    ]
  },
  "hosts": {
    "client": "100.64.0.2"
  },
  "acls": [
    {
      "action": "accept",
      "src": ["*"],
      "dst": ["*:*"]
    }
  ],
  "ssh": [
    {
      "action": "accept",
      "src": ["autogroup:members"],
      "dst": ["client"],
      "users": ["autogroup:nonroot"]
    }
  ]
}
```

and when I try to connect to the
Let me know if there's anything else you need from me to make this work. Will be more than happy to be of help. Thanks a lot.
The
Ah, I was unaware; the ACL docs link to the Tailscale website. It does not even work with
Yes, my implementation is marked as a WIP for a reason. :) My commit message probably should have been more explicit though; I got just far enough along to get tailscale to connect and no further. If you look at the relevant portion of my commit, you will see that I don’t handle wildcards or any form of group or tag. It will only work with explicit source and destination addresses, as well as explicit user names. I’ve not yet been afforded any time to continue working on it, but if all goes well then I can sneak in some work on it this coming Friday. Really, the work to support tags and group names is not that difficult; any one of you could probably do it. You just have to look up the tag/group name in Headscale’s list of such and put the corresponding list of explicit addresses or user names into the
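To make the alias lookup described in the comment above concrete, here is an added example written for this page; it is not headscale's code or the code on db48x's branch. It reads the `groups`, `hosts` and `ssh` sections of a policy like the one posted earlier in the thread, expands `*`, `group:` names, `hosts` entries and bare namespace names to explicit addresses, keeps explicit user names, and rejects `autogroup:` aliases with an error instead of emitting a rule that matches nothing, which is what the posted config runs into against a resolver that only understands explicit values. The `Machine` type, the `sampleMachines` node list and the two policy strings are constructed for the example (the posted policy's `//` comment is dropped because `encoding/json` does not accept comments); `ParsePolicy`, `ResolveSSH` and `resolve` are example names, not headscale APIs.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Added example, not headscale code. Field names follow the "ssh" section of
// the ACL posted in this thread (encoding/json matches the lowercase keys
// case-insensitively); Machine and sampleMachines are constructed stand-ins.
type SSHRule struct {
	Action          string
	Src, Dst, Users []string
}
type Policy struct {
	Groups map[string][]string
	Hosts  map[string]string
	SSH    []SSHRule
}
type Machine struct{ Addr, Namespace string } // hypothetical node record
// Aliases the resolver cannot expand fail loudly instead of yielding a rule that matches nothing.
var ErrUnsupportedAlias = errors.New("unsupported alias")
// ParsePolicy reads plain JSON (headscale's policy format also allows // comments).
func ParsePolicy(src string) (*Policy, error) {
	p := new(Policy)
	return p, json.Unmarshal([]byte(src), p)
}
// machinesIn returns the addresses of every machine owned by ns ("*" = all).
func machinesIn(ns string, ms []Machine) (out []string) {
	for _, m := range ms {
		if ns == "*" || m.Namespace == ns {
			out = append(out, m.Addr)
		}
	}
	return out
}

// resolve expands one alias: "users" entries must be explicit names; a src/dst
// "hosts" name, "group:" name, namespace name or "*" becomes explicit addresses.
func resolve(kind, alias string, p *Policy, ms []Machine) ([]string, error) {
	if strings.HasPrefix(alias, "autogroup:") {
		return nil, fmt.Errorf("%w: %s", ErrUnsupportedAlias, alias)
	}
	if kind == "users" {
		return []string{alias}, nil
	}
	if ip, ok := p.Hosts[alias]; ok {
		return []string{ip}, nil
	}
	if members, ok := p.Groups[alias]; ok {
		var out []string
		for _, ns := range members {
			out = append(out, machinesIn(ns, ms)...)
		}
		return out, nil
	}
	if out := machinesIn(alias, ms); len(out) > 0 {
		return out, nil
	}
	return nil, fmt.Errorf("unknown alias %q", alias) // also catches unknown "group:" names
}
type field struct{ kind string; in []string; out *[]string }

// ResolveSSH rewrites every "accept" ssh rule to explicit addresses and user
// names, rejecting the whole policy at the first alias it cannot expand.
func ResolveSSH(p *Policy, ms []Machine) ([]SSHRule, error) {
	var out []SSHRule
	for i, r := range p.SSH {
		if r.Action != "accept" {
			return nil, fmt.Errorf("ssh rule %d: unsupported action %q", i, r.Action)
		}
		rr := SSHRule{Action: r.Action}
		for _, f := range []field{{"src", r.Src, &rr.Src}, {"dst", r.Dst, &rr.Dst}, {"users", r.Users, &rr.Users}} {
			for _, a := range f.in {
				got, err := resolve(f.kind, a, p, ms)
				if err != nil {
					return nil, fmt.Errorf("ssh rule %d %s: %w", i, f.kind, err)
				}
				*f.out = append(*f.out, got...)
			}
		}
		out = append(out, rr)
	}
	return out, nil
}

// Constructed inputs: the posted policy minus its // comment, and a variant
// using only aliases this resolver can expand.
const postedPolicy = `{"groups": {"group:example": ["example"]}, "hosts": {"client": "100.64.0.2"},
 "ssh": [{"action": "accept", "src": ["autogroup:members"], "dst": ["client"], "users": ["autogroup:nonroot"]}]}`
const explicitPolicy = `{"groups": {"group:example": ["example"]}, "hosts": {"client": "100.64.0.2"},
 "ssh": [{"action": "accept", "src": ["group:example"], "dst": ["client"], "users": ["alice"]}]}`
var sampleMachines = []Machine{{"100.64.0.1", "example"}, {"100.64.0.2", "example"}, {"100.64.0.3", "other"}}

func main() {
	p, _ := ParsePolicy(explicitPolicy)
	fmt.Println(ResolveSSH(p, sampleMachines))
	p, _ = ParsePolicy(postedPolicy)
	fmt.Println(ResolveSSH(p, sampleMachines)) // rejected: autogroup:members
}
```

Resolution happens once, when the policy is loaded, so a bad alias is reported at load time rather than surfacing as an unexplained SSH rejection on a node. An unknown `group:` name falls through to the namespace lookup and is reported as an unknown alias for the same reason; the same lookup would extend to tags once a tag-to-node mapping is available.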
SSH support is now implemented as part of the Policy package during the code reorg.
Does this include
No, not yet, that is tracked separately in #657. |
Feature request
Tailscale introduced the Tailscale SSH feature, which allows managing SSH connections as part of the tailnet. In particular, users can control SSH access via ACLs. There is a new field for that called `ssh`, and here is an example of such a config:

Would be great to see support for that in `headscale`. I would gladly try to help implement this if this is OK.