Understanding Tailscale SSH and ACL

frankyyy · June 5, 2023, 9:53pm

Hi there

I am testing Tailscale SSH across a small number of hosts as a better option to streamline some processes. My setup it as follows:

Have a group GroupA with multiple users - User1, User2 for example
Test SSH servers on the Talent in tag group - ServersGroupA
Each server has non-root local accounts - user1 and user2

{
	"action":      "check"
	"src":         ["group:GroupA"],
	"dst":         ["tag:ServersGroupA"],
	"users":       ["user1", "user2"],
	"checkPeriod": "1h"
},

I suspect i may be missing something as in the current setup, any user of GroupA can authenticate as user1 or user2. This makes sense to me from a configuration perspective however, what i am looking to do is to ensure user1 can only authenticate as user1 and not user2. In the current setup, as long as the users are listed in users, i can authenticate as any given the src group.

Looking at the docs it’s not immediately clear to me how to configure this way. Maybe i’ve totally missed it though, and apologies in advance if so.

h4ux · June 9, 2023, 6:33pm

Well, users does not reffing to tailscale users as far as I remember but to Linux machines users.
To achieve what you are looking for you’ll have to create 2 groups and have the user that should gain access.
Something like GroupAuser1 and GroupAuser2 with corresponding users in users array.
You can also create another group called GroupA that will include both groups for other purposes.

Topic		Replies	Views
Group based named SSH access ACL (Access Control Lists)	0	477	July 7, 2022
Permission denied (tailscale) SUPPORT QUESTIONS	6	8036	October 3, 2022
Best practices for servers ACL (Access Control Lists)	4	893	May 6, 2022
OAuth Client and GitHub Actions fails with "user does not have access to this operation" SUPPORT QUESTIONS	0	578	July 15, 2023
"no associated IPs for user" SUPPORT QUESTIONS	4	673	September 18, 2021

Understanding Tailscale SSH and ACL

Related Topics