
Hacked up a little #golang ssh server for @Tailscale so you can ssh to a server without passwords or ssh keys. Only using network identity. (github.com/gliderlabs/ssh is still dope, @progrium!) We'd talked about it longer than it took to write. Of course, unknown% done.
26 replies and sub-replies as of Feb 22 2020

The internet has poisoned my brain which can only think "cat can hack little a golang ssh server? as a treat?"
To be fair, it lacks any security at all. That's the hard part. If we figure out a good way to use Tailscale's security model in apps like this, hopefully we can auto-apply it to any app. Apps *should* be this easy to write because the security was handled for you.
Lacks any security? I'd argue it's pretty reasonable as-is for allowing users in our domain (== users on our virtual network) to access servers on that network. Yes, we could/should go wild on user mapping, RBAC, but this ain't terrible for opt-in cases like ours.
Well, it doesn't yet bind its port to the tailscale interface, and if we ran it from tailscaled by default, any user in our domain could log into any machine as any local user. Plus opt-in security flags are dangerous because people rarely understand the consequences.
I don't need to go completely nuts with RBAC or anything, but I want something safe enough that we can turn it on by default. Right now its security level is "rlogin for VPNs, with a wildcard in /etc/rhosts" which is, uh, not quite right :)
I fully expect it's only a day or two of work to meet my "enabled by default" criteria though. That's still pretty sweet.
Also, don't get me wrong, a world where we can make "rlogin for VPNs" actually safe as a concept is awfully exciting to me. That's a world where we enable fundamentally new (or old?) ways of developing software.
While a neat idea...it does make me take pause since it then fully places all your eggs in the tailscale never being compromised basket. Right now, even if tailscale is compromised, it’s likely no worse than coffeeshop WiFi in terms of risks.
Hmm, you’re making me realize this is a nice security model for folks running jupyterhub on k8s where they want to add on other auth’d services too
Neat.. I was wondering about similar things.. but my question got lost in the thread.. news.ycombinator.com/item?id=221958…
We've discussed various sorts of ident-like lookup servers, to map from IP to key/identity. There might be several flavors.
I guess that’s basically an ssh key
Yeah. Every IP packet on a Tailscale (WireGuard) network has a cryptographic identity associated with it, so we already know the WireGuard public key for connections.
This sounds a lot more secure than having ssh keys where the keys are passed around in groups.
Haha, identd. I must have missed that part of the conversation but of course it’s exactly right.
That's more for fancy centralized policy generation. What we're talking about here is a trivial interface on localhost where you can go "yo, got a connection from 100.101.102.103, who's that" and it replies "that's services@tailscale.com on hello.ipn.dev"
Would definitely be interesting to expose a policy endpoint as well, for enterprise users!
Does that represent a security issue in cases of BGP hijacking?
Nope. https://t.co/L4WWESJ29t twitter.com/bradfitz/statu…
It's end to end encrypted.