Understanding Tailscale SSH and ACL

Hi there

I am testing Tailscale SSH across a small number of hosts as a better option to streamline some processes. My setup is as follows:

  • Have a group GroupA with multiple users - User1, User2 for example
  • Test SSH servers on the tailnet in tag group - ServersGroupA
  • Each server has non-root local accounts - user1 and user2
	"ssh": [
		{
			"action":      "check",
			"src":         ["group:GroupA"],
			"dst":         ["tag:ServersGroupA"],
			"users":       ["user1", "user2"],
			"checkPeriod": "1h"
		}
	]

I suspect I may be missing something, as in the current setup any user of GroupA can authenticate as user1 or user2. This makes sense to me from a configuration perspective; however, what I am looking to do is to ensure user1 can only authenticate as user1 and not user2. In the current setup, as long as the users are listed in users, I can authenticate as any of them given the src group.

Looking at the docs it’s not immediately clear to me how to configure it this way. Maybe I’ve totally missed it though, and apologies in advance if so.

Well, users does not refer to Tailscale users as far as I remember, but to Linux machine users.
To achieve what you are looking for you’ll have to create 2 groups, each with the user that should gain access.
Something like GroupAuser1 and GroupAuser2 with the corresponding users in the users array.
You can also create another group called GroupA that will include both groups for other purposes.
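To show why the split into per-user groups matters, here is an added example (not from either post above) that models the two policies and resolves which local accounts a tailnet login may SSH into. The e-mail logins and the rule evaluator are constructed for illustration; Tailscale's real policy engine has more cases, but the src/dst/users matching shown here is the relevant part.

```python
# Added example: a minimal model of how Tailscale SSH rules answer
# "which local account may this tailnet user log in as?". The matching
# is a simplified approximation of Tailscale's evaluator (assumption),
# written only to contrast the original rule with the per-user split.

GROUPS = {  # constructed tailnet logins
    "group:GroupA": ["user1@example.com", "user2@example.com"],
    "group:GroupAuser1": ["user1@example.com"],
    "group:GroupAuser2": ["user2@example.com"],
}

# The original single rule: every GroupA member may become user1 OR user2.
SHARED_RULE = [
    {"action": "check", "src": ["group:GroupA"], "dst": ["tag:ServersGroupA"],
     "users": ["user1", "user2"], "checkPeriod": "1h"},
]

# The suggested fix: one rule per group, each naming only its own local account.
SPLIT_RULES = [
    {"action": "check", "src": ["group:GroupAuser1"], "dst": ["tag:ServersGroupA"],
     "users": ["user1"], "checkPeriod": "1h"},
    {"action": "check", "src": ["group:GroupAuser2"], "dst": ["tag:ServersGroupA"],
     "users": ["user2"], "checkPeriod": "1h"},
]


def _in_src(login, src, groups):
    """True if login matches a src entry, by group membership or literal login."""
    for entry in src:
        if entry.startswith("group:"):
            if login in groups.get(entry, []):
                return True
        elif entry == login:
            return True
    return False


def allowed_local_users(login, dst_tag, rules, groups=GROUPS):
    """Sorted local accounts `login` may SSH into on hosts carrying dst_tag."""
    allowed = set()
    for rule in rules:
        if dst_tag in rule["dst"] and _in_src(login, rule["src"], groups):
            allowed.update(rule["users"])  # users = Linux accounts, not tailnet users
    return sorted(allowed)


if __name__ == "__main__":
    for name, rules in (("shared rule", SHARED_RULE), ("split rules", SPLIT_RULES)):
        for login in ("user1@example.com", "user2@example.com"):
            print(f"{name:11} {login:18} -> {allowed_local_users(login, 'tag:ServersGroupA', rules)}")
```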