# Can't ssh into a tagged device


orchid storm

Whenever I ssh into a tagged device, it will show

tailscale: tailnet policy does not permit you to SSH to this node
Connection closed by 100.xxx.xxx.xx port 22

If the same device is untagged, I can ssh into it normally. My ACL allows all types of connections.

According to the documentation, you can't ssh into a user from a tagged device, but you can ssh into a tagged device from a user — and I'm trying to do the latter.

spice rain

What does your SSH block look like? The default usually doesn't allow logging into tagged devices; however, I've had some success with something that looks like:

```json
// allow members of group:admin, or users on nodes tagged pc, to SSH into pc nodes
"ssh": [
    {
        "action": "accept",
        "src":    ["group:admin", "tag:pc"],
        "dst":    ["tag:pc"],
        "users":  ["<allowedusershere>"],
    },
],
```
orchid storm

Which user option do I specify: Match local user with email, autogroup:nonroot or root?

spice rain

Up to your particular security model. In my particular use cases, I'm using an actual user.

I'm the only one that's allowed to access ssh on these hosts, so users winds up being filled in as "caolle" in my case.

orchid storm

Now I understand that it refers to the user I’ll be logged in as on the device I SSH into. Since I can only run Tailscale with sudo (unless you tweak it), it seems that running sudo tailscale set --ssh made root the active user.

spice rain

That's not been my experience; users can be any that are allowed to log in to the system.

orchid storm

At least I know that I can ssh as any user on the machine if I add both autogroup:nonroot and root.

If I add only root, I can only access the root user with root@device, but if I only add autogroup:nonroot or any other user, it won't let me do ssh at all.

spice rain

That's interesting.

orchid storm

Forget it.

It works as you said.

spice rain

What was the light bulb moment?

orchid storm

I was already in the ssh session.

Users are the ones I can log in as on the device I ssh into. If I add "maria" in "users", I can do ssh maria@machine, given that the user "maria" exists on "machine".
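As an added illustration of the semantics the thread converges on (this is not code from the thread or from Tailscale), the following Python models how an `ssh` rule's `users` field gates the login name: `autogroup:nonroot` admits every local account except root, root must be listed explicitly, and any other entry is an exact local username on the destination host. The policy, tags, groups and account names are constructed for the example; plain JSON is also valid HuJSON, so the `ssh` section could be adapted for a real tailnet policy file.

```python
"""Added example (not code from this thread or from Tailscale): a small model of how
a Tailscale SSH rule's "users" field gates the login name, applied to a constructed
policy. Policy contents, tags, groups and user names below are invented."""
import json

# Constructed policy. Plain JSON is also valid HuJSON, so the "ssh" section could be
# pasted into a tailnet policy file after adjusting groups and tags.
POLICY_JSON = """
{
  "groups":    {"group:admin": ["alice@example.com"]},
  "tagOwners": {"tag:pc": ["group:admin"], "tag:db": ["group:admin"]},
  "ssh": [
    {
      "action": "accept",
      "src":    ["group:admin", "tag:pc"],
      "dst":    ["tag:pc"],
      "users":  ["autogroup:nonroot", "root"]
    },
    {
      "action": "accept",
      "src":    ["group:admin"],
      "dst":    ["tag:db"],
      "users":  ["maria"]
    }
  ]
}
"""
POLICY = json.loads(POLICY_JSON)


def _matches(entry, identity, groups):
    """Does one src/dst entry match an identity?  An identity is either a user login
    (alice@example.com) or the tag of a tagged node (tag:pc)."""
    if entry == identity:
        return True
    if entry.startswith("group:"):
        return identity in groups.get(entry, [])
    return False


def _login_allowed(users, login):
    """The "users" field names local accounts on the destination host:
    autogroup:nonroot covers every account except root, root must be listed
    explicitly, and any other entry is an exact local username."""
    for u in users:
        if u == "autogroup:nonroot" and login != "root":
            return True
        if u == login:  # "root", "maria", ...
            return True
    return False


def ssh_allowed(policy, src_identity, dst_identity, login):
    """True if some accept rule lets src_identity reach dst_identity as `login`."""
    groups = policy.get("groups", {})
    for rule in policy.get("ssh", []):
        if rule.get("action") != "accept":
            continue
        src_ok = any(_matches(s, src_identity, groups) for s in rule["src"])
        dst_ok = any(_matches(d, dst_identity, groups) for d in rule["dst"])
        if src_ok and dst_ok and _login_allowed(rule["users"], login):
            return True
    return False


def login_matrix(users):
    """Which of root and an ordinary account a given "users" list admits."""
    return {login: _login_allowed(users, login) for login in ("root", "maria")}


if __name__ == "__main__":
    for who, node, login in [
        ("alice@example.com", "tag:pc", "root"),
        ("alice@example.com", "tag:pc", "maria"),
        ("tag:pc", "tag:pc", "deploy"),
        ("bob@example.com", "tag:pc", "maria"),
        ("alice@example.com", "tag:db", "maria"),
        ("alice@example.com", "tag:db", "root"),
    ]:
        verdict = "accept" if ssh_allowed(POLICY, who, node, login) else "deny"
        print(f"{who:>20} -> {login}@{node}: {verdict}")
    for users in (["root"], ["autogroup:nonroot"], ["autogroup:nonroot", "root"], ["maria"]):
        print(users, login_matrix(users))
```

The `login_matrix` helper reproduces the three cases from the thread: `["root"]` admits only `root@device`, `["autogroup:nonroot"]` admits any non-root account but not root, and listing both admits everything; a bare `["maria"]` admits only `maria@machine`, and only if that account exists on the host, which the model (like the policy) does not check.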