Dear Tailscale support,
I have read the announcement of Tailscale SSH with great interest, but I am a bit worried about something… the SSH information in the docs states that:
An SSH access rule can also specify autogroup:nonroot to allow any user that is not root. If no user is specified, Tailscale will use the local host’s user. That is, if I am logged in as alice locally, then SSH to another device, Tailscale SSH will try to log in as user alice. Like other SSH clients, Tailscale will only use user accounts that already exist on the host, not create new accounts.
What prevents our users (all admins on their local machines) from creating an extra local user named ‘mycolleague’, and then SSH-ing into a server with their colleague’s account? Wouldn’t it make more sense to use the first part of their Tailscale account name (username@domain.com) in order to assume an identity? At least that would match the already verified corporate identity, and not the identity that the user configured himself locally?
I hope I missed something here. Thanks in advance for your response!