
Add SSH support to ACLs #661

Closed
GrigoriyMikhalkin opened this issue Jun 23, 2022 · 11 comments
Labels
enhancement New feature or request

Comments

@GrigoriyMikhalkin
Contributor

Feature request

Tailscale introduced the Tailscale SSH feature, which allows managing SSH connections as part of the tailnet. In particular, the user can control SSH access via ACLs. There's a new field for that called ssh, and here is an example of such a config:

{
  "acls": [
    {
      "action": "accept",
      "src": ["*"],
      "dst": ["*:*"]
    }
  ],
  "ssh": [
    {
      "action": "accept",
      "src": ["autogroup:members"],
      "dst": ["autogroup:self"],
      "users": ["root", "autogroup:nonroot"]
    }
  ]
}

It would be great to see support for that in headscale. I would gladly try to help implement this if that is ok.

@GrigoriyMikhalkin GrigoriyMikhalkin added the enhancement New feature or request label Jun 23, 2022
@juanfont
Owner

Hi @GrigoriyMikhalkin, I am looking at it already - but want to merge some big stuff before.

But feel free to try :)

db48x added a commit to headlinevc/headscale that referenced this issue Jun 26, 2022
Advertises the SSH capability, and (incompletely) parses the SSH ACLs
to pass to the tailscale client. Doesn’t support most of the ACL
features yet, just very basic “accept” rules.

Will fix juanfont#661 once it is finished.
@db48x
Contributor

db48x commented Jun 26, 2022

I started on implementing this, but have not yet had a chance to test it. It is at least good enough to let tailscale up --ssh work as long as there is an explicit ACL, so presumably tailscale ssh will work as well. I’ll see if I can make time to test it this coming week, and perhaps continue the work if nobody beats me to it.

@617a7aa
Contributor

617a7aa commented Aug 17, 2022

@db48x @juanfont Any updates on this? This is a pretty important setup step for us to use. Happy to sponsor it if that means it gets added faster :)

@juanfont
Owner

@617a7a I'll look into it as soon as we have the new protocol fully working

@kradalby kradalby added this to the v0.19.0 milestone Sep 8, 2022
@Thunderbottom

@db48x tried the code from your fork, and I can't seem to get it to work even with ACLs explicitly specified, for example, my ACL configuration has:

{
  "groups": {
    "group:example": [
      "example"  // Namespace
    ]
  },
  "hosts": {
    "client": "100.64.0.2"
  },
  "acls": [
    {
      "action": "accept",
      "src": ["*"],
      "dst": ["*:*"]
    }
  ],
  "ssh": [
    {
      "action": "accept",
      "src": ["autogroup:members"],
      "dst": ["client"],
      "users": ["autogroup:nonroot"]
    }
  ]
}

and when I try to connect to the client host with tailscale ssh, I get permission denied (tailscale). Is the current implementation lacking something? If it helps, the logs show me this:

2022-09-16T17:15:16+05:30 TRC ACL rules generated ACL=[{"DstPorts":[{"Bits":null,"IP":"*","Ports":{"First":0,"Last":65535}}],"IPProto":[1,58,6,17],"SrcIPs":["*"]}]
2022-09-16T17:15:16+05:30 TRC SSH rules generated SSH=[{"action":{"accept":true,"allowLocalPortForwarding":true},"principals":[{"userLogin":"autogroup:members"}],"sshUsers":{"autogroup:nonroot":"="}}]

Let me know if there's anything else you need from me to make this work. Will be more than happy to be of help. Thanks a lot.

@restanrm
Contributor

The autogroup feature is not supported yet, so I don't think your ACL file can work at all.

@Thunderbottom

Ah, I was unaware; the ACL docs link to the Tailscale website. It doesn't even work with * as the src. Would it only work with a specified IP/group name?

@db48x
Contributor

db48x commented Sep 17, 2022

Yes, my implementation is marked as a WIP for a reason. :)

My commit message probably should have been more explicit though; I got just far enough along to get tailscale to connect and no further. If you look at the relevant portion of my commit, you will see that I don’t handle wildcards or any form of group or tag. It will only work with explicit source and destination addresses, as well as explicit user names.

I’ve not yet been afforded any time to continue working on it, but if all goes well then I can sneak in some work on it this coming Friday. Really, the work to support tags and group names is not that difficult; any one of you could probably do it. You just have to look up the tag/group name in Headscale’s list of such and put the corresponding list of explicit addresses or user names into the SSHRules that get built.
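The lookup step db48x describes (resolve each group, host or namespace alias in the "ssh" entries of the first post's policy format into explicit addresses and user names before building the per-node SSH rules) written out as an added Go example. This is not headscale's code: the Policy, Node and SSHRule types are assumed simplifications of headscale's and tailcfg's real types, the sample policy and node list are constructed, tags are left out (they follow the same pattern as groups), and, as restanrm points out above, autogroup aliases are rejected outright rather than resolved.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Policy mirrors the keys of the ACL file posted in this thread (encoding/json
// matches the lower-case keys). Assumed simplification, not headscale's type.
type Policy struct {
	Groups map[string][]string
	Hosts  map[string]string
	SSH    []struct {
		Action          string
		Src, Dst, Users []string
	}
}

// Node is the directory entry consulted when expanding aliases.
type Node struct{ IP, Namespace string }

// SSHRule is a resolved rule for one destination node: explicit source IPs and
// explicit login names, no aliases left. Assumed stand-in for the wire type.
type SSHRule struct{ SrcIPs, Users []string }

// expand turns a src or dst list into explicit node IPs. Each alias may be a
// hosts entry, "*", a raw node IP, a namespace name or a group of namespaces.
// autogroup:* is rejected instead of silently matching nothing.
func expand(aliases []string, p Policy, nodes []Node) ([]string, error) {
	var ips []string
	for _, alias := range aliases {
		if strings.HasPrefix(alias, "autogroup:") {
			return nil, fmt.Errorf("alias %q: autogroups are not supported", alias)
		}
		if ip, ok := p.Hosts[alias]; ok {
			ips = append(ips, ip)
			continue
		}
		before := len(ips)
		for _, n := range nodes {
			match := alias == "*" || n.IP == alias || n.Namespace == alias
			for _, ns := range p.Groups[alias] { // nil unless alias names a group
				match = match || n.Namespace == ns
			}
			if match {
				ips = append(ips, n.IP)
			}
		}
		if len(ips) == before {
			return nil, fmt.Errorf("alias %q matches no host, node, namespace or group", alias)
		}
	}
	return ips, nil
}

// ResolveSSHRules parses a policy, expands every "ssh" entry and groups the
// resulting rules by destination node IP, the node that will enforce them.
func ResolveSSHRules(raw string, nodes []Node) (map[string][]SSHRule, error) {
	var p Policy
	if err := json.Unmarshal([]byte(raw), &p); err != nil {
		return nil, err
	}
	out := map[string][]SSHRule{}
	for i, r := range p.SSH {
		if r.Action != "accept" || len(r.Users) == 0 {
			return nil, fmt.Errorf("ssh[%d]: need action \"accept\" and at least one user", i)
		}
		if strings.Contains(strings.Join(r.Users, " "), "autogroup:") { // users must be explicit too
			return nil, fmt.Errorf("ssh[%d]: autogroup users are not supported", i)
		}
		srcs, err := expand(r.Src, p, nodes)
		if err != nil {
			return nil, fmt.Errorf("ssh[%d] src: %w", i, err)
		}
		dsts, err := expand(r.Dst, p, nodes)
		if err != nil {
			return nil, fmt.Errorf("ssh[%d] dst: %w", i, err)
		}
		for _, ip := range dsts {
			out[ip] = append(out[ip], SSHRule{SrcIPs: srcs, Users: r.Users})
		}
	}
	return out, nil
}

// Constructed sample: the thread's policy with its autogroup aliases replaced
// by forms the resolver understands, plus a three-node directory.
const SamplePolicy = `{
  "groups": {"group:example": ["example"]},
  "hosts":  {"client": "100.64.0.2"},
  "acls":   [{"action": "accept", "src": ["*"], "dst": ["*:*"]}],
  "ssh":    [{"action": "accept", "src": ["group:example"], "dst": ["client"], "users": ["root", "ubuntu"]}]
}`
var SampleNodes = []Node{{"100.64.0.1", "example"}, {"100.64.0.2", "example"}, {"100.64.0.3", "other"}}

func main() {
	fmt.Println(ResolveSSHRules(SamplePolicy, SampleNodes))
}
```

Run as-is, the program prints one rule keyed by 100.64.0.2 whose source list is the two "example" nodes and whose users are root and ubuntu. Feeding it the policy from Thunderbottom's comment instead returns an error on "autogroup:members", which is the behaviour a control server should prefer over the empty principal list visible in the log above: a rule that silently matches nobody is indistinguishable from a working one until a login fails.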

@kradalby
Collaborator

SSH support is now implemented as part of the Policy package during the codereorg.

@kradalby kradalby unpinned this issue Sep 24, 2023
@vbrandl

vbrandl commented Sep 30, 2023

SSH support is now implemented as part of the Policy package during the codereorg.

Does this include autogroup?

@kradalby
Collaborator

kradalby commented Oct 2, 2023

No, not yet, that is tracked separately in #657.

8 participants