FR: tailscale ssh should either support port forwarding or explicitly state it doesn't #6575

Closed
lkosewsk opened this issue Nov 30, 2022 · 8 comments
Labels
fr Feature request L3 Some users Likelihood P2 Aggravating Priority level ssh Relating to Tailscale SSH https://tailscale.com/blog/tailscale-ssh/ T0 New feature Issue type

Comments

@lkosewsk

What are you trying to do?

No documentation exists on the state of port forwarding using tailscale ssh, although empirically, it doesn't work. I'm not the only one to notice: https://forum.tailscale.com/t/does-port-forwarding-work-with-tailscale-ssh/2664

I can't find documentation to any effect on the matter, so I'd like to either understand if this feature is on the roadmap, to-be-added to the roadmap, or if its continued omission is intentional and planned.

How should we solve this?

Ideally, it would work just like normal SSH port forwarding.

For example, given a host XXX running tailscale which we're connecting to and want to create a tunnel from back to our own host (YYY), I would expect the following interaction:

username@YYY:~$ ssh -R8027:localhost:80 username@XXX
// connects
username@XXX:~ $ telnet localhost 8027
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

Today, I get:

username@YYY:~$ ssh -R8027:localhost:80 username@XXX
**Warning: remote port forwarding failed for listen port 8027**
username@XXX:~ $ telnet localhost 8027
Trying ::1...
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
username@XXX:~ $

Do I have good ideas for how to make that happen? Sadly, no, if I could simply bang out the implementation myself in 10 minutes I assure you I would have :)

But I don't need it solved today, I'd simply like to know if it will ever be solved, and when it's planned if so.

What is the impact of not solving this?

Machines that facilitate SSH port forwarding fall into two categories: clients (that initiate the ssh command) and servers (that are running ssh, or tailscale ssh in this case). The former simply requires ssh installed; tailscale ssh doesn't support the "-L" or "-R" flags commonly used to trigger the feature.

The latter is a tad more annoying, as the server machine needs to run its own ssh server (not via tailscale) which requires making sure that it's secure (no root-access users with simple passwords) and that everyone connecting to it has not only tailscale credentials (which you manage for us and it's effective and easy) but the traditional mechanisms of ssh authentication (passwords - ewwww, SSH keys that I have to manually rotate once in a while - uuuggggggghhh).

In practice it's a minor nuisance because these are not machines where their ssh-enabled interfaces are public facing. However, I can see someone running purely in the cloud who may have security exposure as a result of this workaround.

Anything else?

No response
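
The fallback described in the post above (a separate OpenSSH server kept only for port forwarding) can be checked for the exposures it names. This is an added example, not part of the original issue or the Tailscale code base: a shell function that reads the lowercase `keyword value` lines printed by `sshd -T`; the function names, sample settings and the tailnet address are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `sshd -T` output (lowercase "keyword value" lines) from
# an OpenSSH server kept beside Tailscale SSH only for port forwarding.
# Prints one finding per line and nothing when the config is clean.
audit_sshd() {
  awk '
    # Tailscale node addresses come from 100.64.0.0/10; loopback is also fine.
    function private_listen(addr,   o) {
      if (addr ~ /^127\./ || addr ~ /^\[::1\]/) return 1
      if (split(addr, o, ".") < 4) return 0
      return (o[1] + 0 == 100 && o[2] + 0 >= 64 && o[2] + 0 <= 127)
    }
    $1 == "passwordauthentication" && $2 == "yes" {
      print "FAIL passwordauthentication: password logins are enabled"
    }
    $1 == "permitrootlogin" && $2 == "yes" {
      print "FAIL permitrootlogin: root login is allowed, passwords included"
    }
    $1 == "listenaddress" && !private_listen($2) {
      print "FAIL listenaddress: " $2 " is not limited to loopback or a tailnet address"
    }
    $1 == "gatewayports" && $2 != "no" {
      print "WARN gatewayports: -R listeners can bind non-loopback addresses"
    }
    $1 == "allowtcpforwarding" && ($2 == "no" || $2 == "local") {
      print "WARN allowtcpforwarding: " $2 " refuses -R requests"
    }
  '
}

# Constructed sample: a cloud host with default-style settings.
sample_exposed() {
  printf '%s\n' 'permitrootlogin yes' 'passwordauthentication yes' \
    'listenaddress 0.0.0.0:22' 'gatewayports no' 'allowtcpforwarding yes'
}

# Constructed sample: key-only sshd bound to a made-up tailnet address.
sample_tailnet_only() {
  printf '%s\n' 'permitrootlogin no' 'passwordauthentication no' \
    'listenaddress 100.64.0.10:22' 'gatewayports no' 'allowtcpforwarding remote'
}

sample_exposed | audit_sshd
```

On a real host the input would be `sshd -T | audit_sshd`, which usually needs root to read the host keys.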

@lkosewsk lkosewsk added fr Feature request needs-triage labels Nov 30, 2022
@bradfitz bradfitz added the ssh Relating to Tailscale SSH https://tailscale.com/blog/tailscale-ssh/ label Nov 30, 2022
@DentonGentry DentonGentry added L3 Some users Likelihood P2 Aggravating Priority level T0 New feature Issue type and removed needs-triage labels Dec 3, 2022
@Aeroverra

I would be very interested in this feature also. My first thought when I saw exit nodes was that this would be possible and after fiddling with that I saw the SSH only to be confused when that wasn't working too.

@DentonGentry
Contributor

SSH port forwarding is supported and does work. We have fixed a number of issues from the launch, notably #5091

We also need to make port forwarding work with unix domain sockets, for GPG to work #6232

As this issue appears to have been intended as, motivation I guess, I'm going to close it. Specific issues regarding specific problems should be filed as new bugs.

@lkosewsk
Author

lkosewsk commented Jun 8, 2023

@DentonGentry at least in one case, this still doesn't work, hence I would love for the documentation to reflect what is working, what is not, and what the plan is.

Two hosts; Athena, running the latest tailscale client, and zeus, running the latest tailscale server with tailscale ssh enabled (as the only ssh server).

lkosewsk@Athena:~$ ssh -R8027:localhost:8027 zeus
Warning: remote port forwarding failed for listen port 8027
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-56-generic x86_64)

420 updates can be applied immediately.
259 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Last login: Thu Jun 8 09:26:32 PDT 2023 from 100.92.101.50 on pts/2
lkosewsk@zeus:~$

Please advise.

@DentonGentry
Contributor

DentonGentry commented Jun 8, 2023

We need a tailscale bugreport from the system running the SSH server.

@DentonGentry DentonGentry reopened this Jun 8, 2023
@lkosewsk
Author

lkosewsk commented Jun 8, 2023

@DentonGentry ran it with --diagnose - BUG-5192890acccc92cb2c2a49ea035ddbf3b7acc24ddd31bf11b8172e02c7cfbaaa-20230608234022Z-405a202793032ea7

Please advise what else I can do to help.

maisem added a commit that referenced this issue Jun 9, 2023
This basically allows running services on the SSH client and reaching
them from the SSH server during the session.

Updates #6575

Signed-off-by: Maisem Ali <maisem@tailscale.com>
@maisem
Collaborator

maisem commented Jun 9, 2023

Currently Tailscale SSH does not support reverse port forwarding, I just sent #8313 to add support.

@maisem maisem closed this as completed Jun 30, 2023
@lkosewsk
Author

@DentonGentry you can close this out, it's merged in v1.44.0 and works for me. Thanks, team!

@maisem
Collaborator

maisem commented Jun 30, 2023

Based on #8313 (comment)
