Add SSH ACL support #847
Add SSH ACL support #847
Conversation
| return rules, nil | ||
| } | ||
|
|
||
| func sshCheckAction(duration string) (*tailcfg.SSHAction, error) { |
There was a problem hiding this comment.
We should make similar constructor functions for the accept and reject actions as well.
There was a problem hiding this comment.
I think this looks like sensible work on this feature, I have not worked too much on the ACLs and our coverage of the feature and unit tests are good, but it suffers from the problem of testing "our interpretation" of how it should work.
My main concern with this is that if we get it wrong, and users start relying on that, we have a hard time fixing it. With things like SSH, the worst possible scenario is that someone lock themselves out from a machine.
As mentioned in Discord, integration tests would make a lot of sense for this feature, so we have the opportunity to actually verify that the client does what we expect and intend. I am not sure if Tailscale SSH will play nicely in Docker, but I think it is worth a shot.
I don't want to block this feature, the question is, how should we roll it out to minimise the impact if we get something wrong? (This hesitant approach comes from the Namespace/User/Tailnet issue we had earlier)
evenh
force-pushed
the
ssh-support
branch
2 times, most recently
from
088ea4c to
82f1e5d
Compare
|
@kradalby maybe put it behind a feature toggle to let users know that the feature is experimental for now? |
juanfont
force-pushed
the
ssh-support
branch
from
82f1e5d to
70b6139
Compare
|
Progress update: This is looking good, we are missing a few more test cases and @evenh and I have figured that we at least want:
I think that should be sufficient to call it beta and add more tests later as we find broken behaviour. |
kradalby
force-pushed
the
ssh-support
branch
from
09403e4 to
5fe8b8f
Compare
evenh
force-pushed
the
ssh-support
branch
2 times, most recently
from
71d1f7a to
f48abd1
Compare
Advertises the SSH capability, and parses the SSH ACLs to pass to the tailscale client. Doesn’t support ‘autogroup’ ACL functionality. Co-authored-by: Daniel Brooks <[email protected]>
Signed-off-by: Kristoffer Dalby <[email protected]>
Signed-off-by: Kristoffer Dalby <[email protected]>
This commit makes the initial SSH test a bit simpler: - Use the same pattern/functions for all clients as other tests - Only test within _one_ namespace/user to confirm the base case - Use retry function, same as taildrop, there is some funky going on there... Signed-off-by: Kristoffer Dalby <[email protected]>
Signed-off-by: Kristoffer Dalby <[email protected]>
Signed-off-by: Kristoffer Dalby <[email protected]>
Signed-off-by: Kristoffer Dalby <[email protected]>
Signed-off-by: Kristoffer Dalby <[email protected]>
Signed-off-by: Kristoffer Dalby <[email protected]>
Signed-off-by: Kristoffer Dalby <[email protected]>
Signed-off-by: Kristoffer Dalby <[email protected]>
Signed-off-by: Kristoffer Dalby <[email protected]>
Signed-off-by: Kristoffer Dalby <[email protected]>
|
@juanfont should the ssh "check" feature in ACLs work? I never seems to be getting the |
Based on the fork of @db48x from #661. Doesn’t support the ‘autogroup’ ACL functionality.
This ACL works for us (formatted slightly for readability)
{ "acls":[{ "action":"accept", "src":["group:employees"], "dst":["tag:proxy:*"] } ], "hosts":{}, "groups":{ "group:employees":[ "john.doe", "jane.doe" ], "group:proxy":[ "mycorp" ] }, "tagOwners":{ "tag:proxy":[ "group:proxy" ] }, "ssh":[ { "action":"check", "src":["group:employees"], "dst":["tag:proxy"], "users":["some-allowlisted-user"], "checkPeriod":"8h" } ], "disableIPv4":false, "randomizeClientPort":false }