Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Why does Tailscale need special handling for SSH?

Tailscale gives you authorized connectivity between hosts, and DNS; won't it be sufficient to run plain sshd?

(If wireguard-key-level auth were sufficient, even rlogin or netcat would be enough, because the transport is encrypted already.)



Tailscale ssh is handling authentication for you so that you do not need to pass around authorized_keys to all hosts. :)

It means you can configure/activate/deactivate peoples access centrally too.


> you do not need to pass around authorized_keys to all hosts.

But now I need to trust these random host keys, instead of a key signed by my SSH CA...


How do you "untrust" a single person's key under this scheme? You would have to visit all of the machines and remove them from the authorized keys file.


Not really, with an SSH CA you’re trusting the CA and not installing individual keys into authorized_keys files.

Anything signed by the SSH CA will work for logins.

To deal with the “untrust” issue it’s normal for operations with an SSH CA to rely on (very) short-lived certificates, meaning often issued and valid for < 24 hours (it’s configurable, I’ve seen this be as short as 30 minutes).

Smallstep wrote a summary here which is pretty good —

https://smallstep.com/blog/use-ssh-certificates/


> To deal with the “untrust” issue it’s normal for operations with an SSH CA to rely on (very) short-lived certificates, meaning often issued and valid for < 24 hours (it’s configurable, I’ve seen this be as short as 30 minutes).

So you want a way to get rid of long-lived SSH certificates, instead authenticating users with your corporate single-sign-on system then issuing them a temporary credential?

And presumably you've got some audit logs, so you know who connected to what, when and why. Perhaps a familiar command line tool, that makes temporary credential rotation easy for users? Perhaps some paperwork to hand to your SOC2 compliance auditors?

I mean, this is sounding a lot like tailscale ssh, teleport, and suchlike...


But even this still requires automation, something that 97% of population don't want to do.


Tailscale doesn't need special handling for SSH. You can run your plain old sshd just fine.

Tailscale comes with an additional SSH server, which runs in parallel with your other SSH server. It does use Wireguard keys directly, so effectively you don't need to manage keys.

Additionally, this SSH server is implemented in userspace, so it won't (can't) interfere with anything else on your system (like your other sshd).


there is no kernel ssh. all ssh’s operate completely in userspace.


Oops, I meant the TCP/IP stack. Tailscale SSH uses a userspace network stack.


From the tool itself:

SSH to a Tailscale machine

USAGE tailscale ssh [user@]<host> [args...]

The 'tailscale ssh' command is an optional wrapper around the system 'ssh' command that's useful in some cases. Tailscale SSH does not require its use; most users running the Tailscale SSH server will prefer to just use the normal 'ssh' command or their normal SSH client.

The 'tailscale ssh' wrapper adds a few things:

* It resolves the destination server name in its arguments using MagicDNS, even if --accept-dns=false.

* It works in userspace-networking mode, by supplying a ProxyCommand to the system 'ssh' command that connects via a pipe through tailscaled.

* It automatically checks the destination server's SSH host key against the node's SSH host key as advertised via the Tailscale coordination server.


It is about using SSO and tagging to auth the users.

So for example you could have instances tagged with {users} that cannot ssh to certain boxes, but other users tagged with {admin} that can. All these users can be part of your tailnet.


Now this explanation makes the most sense.

- Wireguard keys for authentication and encryption.

- Tags for authorization to run a remote shell.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: