Hacker News Re-Imagined

Tailscale SSH

  • 759 points
  • 14 days ago

  • @ignoramous
  • Created a post

@jgeralnik 14 days

Replying to @ignoramous 🎙

So @bradfitz when are you releasing https://tailscale.com/connect/ for real? :)

Context for the uninitiated - as a crazy idea on the podcast Security Cryptography Whatever (hosted by tptacek and others less well known on HN), Avery and Brad of Tailscale imagined an SSH client in the browser with QR code authentication to SSO to allow you to connect to your Tailscale network (over Tailscale SSH) from untrusted computers such as internet cafes. (Or mostly untrusted - safe from keyloggers but maybe not from dedicated, active malware that injects into your browser and tries to inject secret commands into your SSH session.)

I created a silly PoC here (video instead of link because don't try it for real) https://twitter.com/jgeralnik/status/1487913797155233798 back when tailscale ssh was a secret binary in the tailscale github repo



@l30n4da5 14 days

Replying to @ignoramous 🎙

my first thought is that this seems less secure than using a private ssh key and locking your machine down to only that ssh key.

you're essentially using google as your machine login, which seems like weaker security, imo.

edit: I'll caveat this and say, I think Tailscale is fantastic! I've been using it personally on my machines for a few months now, and it is awesome.



@nmiculinic 13 days

Replying to @ignoramous 🎙

This is pretty awesome! At my workplace we're using Tailscale, and it's been a mostly good experience. There were some hiccups (like tokens expiring without sending any notification email), though all in all much better than the alternatives.



@jasonlotito 14 days

Replying to @ignoramous 🎙

If I have to use a browser to make use of this (which the demo shows), I never want to use it. It's like the abomination of Okta and Luminate. Absolutely horrible UX.

Nope. Will fight very hard to avoid ever having to use this.

Antagonistic toward developers at best.



@ngcc_hk 14 days

Replying to @ignoramous 🎙

There is a reason why in a corp you need to install a certain kind of AI network sniffer to get this underlying network traffic to surface. Having worked on network security, I think it is just hard to work in a network which you cannot see. The bypass is a success and it is not even free (price-wise, it seems). Crazy.



@sandstrom 14 days

Replying to @ignoramous 🎙

Good! Boundary (https://www.boundaryproject.io/) by Hashicorp needs some healthy competition.

Teleport is also a tool in this space, for those looking for alternatives.



@bradfitz 14 days

Replying to @ignoramous 🎙

I'm one of the authors of this. Happy to answer any questions.

One of the fun technical details is that, when enabled on a machine (tailscale up --ssh), the userspace tailscaled process takes over all TCP port 22 packets after the WireGuard decryption and doesn't even feed them into the kernel over TUN. We use gVisor's netstack to handle the TCP connections in-process.

So it doesn't matter whether you have other processes (or iptables rules, etc) that would prevent the Tailscale SSH server from binding to port 22. This lets people gradually use Tailscale SSH over time without messing with their system one.

The Tailscale SSH server currently only runs on Linux. There's support in git main for macOS too, but it's not super well tested yet and not included in the sandboxed GUI builds currently.



@jamiegreen 13 days

Replying to @ignoramous 🎙

Forgive my ignorance, but what is the benefit for an individual to run this? I currently just use 1.1.1.1 by Cloudflare on my two main devices... not really sure I understand what the advantage of this is?



@newfonewhodis 14 days

Replying to @ignoramous 🎙

What happens if I use Tailscale SSH and Google (or whatever IDP) decides to ban my account? Is there a break-glass or something that would let me either change IDPs or re-enable openssh-based access without losing my servers?



@atonse 14 days

Replying to @ignoramous 🎙

Another question, can this be used to create SSO-enabled SFTP? Isn't SFTP just ftp over SSH?



@googleide 13 days

Replying to @ignoramous 🎙

Slightly OT: how do you do "re-authenticate before connecting" (https://tailscale.com/kb/1193/tailscale-ssh/) when using Google identity? We are using Google OAuth2 and the latest identity SDK but can't see how to force a user to re-authenticate if logged in. Do you just make a random unique claim?

Related: https://stackoverflow.com/questions/32433378/google-login-ap...



@RL_Quine 14 days

Replying to @ignoramous 🎙

I'm not entirely convinced I want a feature that adds even more exposure to the sort of goofy login flow Tailscale has.



@infogulch 14 days

Replying to @ignoramous 🎙

I'm very interested in Tailscale for both personal and business use-cases, but I'm rather put off by the stark centralization of offered identity providers: Microsoft, Github (Microsoft), Google, okta (?). What are the chances that Tailscale would offer authentication using decentralized/self-hosted identity providers like Ory ( https://www.ory.sh/ )?



@mfsch 14 days

Replying to @ignoramous 🎙

Looks interesting, but it seems that this doesn’t work well for servers where every user has a personal account. It appears that this use case would require a separate ACL entry for every user, which a) can get slightly annoying to manage and b) requires a business plan. It would be nice if something like `"users": ["autogroup:emailuser"]` was supported to allow `alice@example.com` to connect as the user `alice`, but that would probably cause issues with e.g. Github organizations, where email addresses can have different TLDs.

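Added example (not Tailscale's code or any commenter's): a toy evaluator for Tailscale-SSH-style ACL rules that models the per-user mapping mfsch proposes above (`autogroup:emailuser`, hypothetical) and the `check` action with a check period that googleide asks about earlier in the thread. The rule fields (`action`, `src`, `dst`, `users`, check period) are modelled on the Tailscale SSH KB page linked above; the matching semantics and the policy itself are constructed for illustration and are an assumption, not Tailscale's implementation.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    action: str                      # "accept", or "check" = re-authenticate with the IdP first
    src: list                        # who may connect: login names or "autogroup:members"
    dst: list                        # target devices: owner login or "autogroup:self"
    users: list                      # local accounts: names, "autogroup:nonroot", "autogroup:emailuser"
    check_period_s: int = 12 * 3600  # how old the last IdP auth may be for a "check" rule

def _src_ok(entry, login):
    return entry == "autogroup:members" or entry == login

def _dst_ok(entry, login, owner):
    return (entry == "autogroup:self" and owner == login) or entry == owner

def _user_ok(entry, login, local_user):
    if entry == "autogroup:nonroot":
        return local_user != "root"
    if entry == "autogroup:emailuser":          # hypothetical: alice@example.com -> alice only
        return local_user == login.split("@", 1)[0]
    return entry == local_user

def _matches(rule, login, owner, local_user):
    return (any(_src_ok(e, login) for e in rule.src)
            and any(_dst_ok(e, login, owner) for e in rule.dst)
            and any(_user_ok(e, login, local_user) for e in rule.users))

def decide(rules, login, owner, local_user, last_auth_age_s):
    """'accept', 'reauth' (a check rule matched but the IdP session is too old) or 'deny'."""
    hits = [r for r in rules if _matches(r, login, owner, local_user)]
    if any(r.action == "accept" for r in hits):
        return "accept"
    checks = [r for r in hits if r.action == "check"]
    if checks:
        # the most permissive check rule decides; a stale session must re-authenticate
        return "accept" if last_auth_age_s <= max(r.check_period_s for r in checks) else "reauth"
    return "deny"

# Constructed policy: members reach their own devices as non-root without prompts,
# alice may become root on the shared ops box only with a fresh IdP login,
# and everyone gets the per-user mapping proposed above on that same box.
POLICY = [
    Rule("accept", ["autogroup:members"], ["autogroup:self"], ["autogroup:nonroot"]),
    Rule("check", ["alice@example.com"], ["ops@example.com"], ["root"], check_period_s=8 * 3600),
    Rule("accept", ["autogroup:members"], ["ops@example.com"], ["autogroup:emailuser"]),
]
```

Note that with the `emailuser` mapping a login such as `bob@example.com` can reach the ops box only as `bob`, which is the behaviour the comment wants without a separate ACL entry per person.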


@midislack 14 days

Replying to @ignoramous 🎙

What's Tailscale? Some kind of VPN?



@mountainriver 14 days

Replying to @ignoramous 🎙

Tailscale is my absolute dream networking solution, I would go as far as to say it will ultimately change how we develop applications in the future



@pilif 13 days

Replying to @ignoramous 🎙

I don't understand Tailscale's pricing structure: On one end, the features they are adding make the most sense if every machine that should be accessible is running tailscale.

Both the fine-grained ACL support and now this SSH thing don't make sense with shared subnets.

However, their pricing ties number of servers to number of users. In our case, we have potentially 3 admins who would administer about 50 machines, plus some ephemeral ones.

Assuming that each admin has two Macs and an iPhone just on their client side, I don't see how this can ever work within the limits in their pricing plans (except if I'd use subnet sharing, but that would cause me to miss out on many additional features that only make sense if Tailscale is running on each machine).

Is there no way to buy additional devices?

And my other gripe is with their API: The fine grained ACL support is perfect to, say, issue temporary access to some machines for some users and the API does allow that.

But why the hell are API keys only valid for 60 days? I don't want to build a solution on top of a piece of infrastructure that requires me to manually log into a site every 60 days.



@quartzic 14 days

Replying to @ignoramous 🎙

But you still can't have multiple tailnets. The strategy of "have hobbyists try out the software themselves, like it, then implement it at their work" seems incompatible with this fact.



@aspyct 14 days

Replying to @ignoramous 🎙

I started using tailscale a few days ago, and I absolutely love it.

However, one thing is still nagging me: technically, they can add devices to my network without telling me, right? Or is there something I'm missing?



@dimitar 14 days

Replying to @ignoramous 🎙

How is Tailscale different from other VPN solutions?



@edf13 14 days

Replying to @ignoramous 🎙

Never login as root… even over secured links!



@alex_dev 14 days

Replying to @ignoramous 🎙

I've been having trouble adopting Tailscale. As so many others say, relying on another identity provider is unfortunate - I, too, worry what happens when Google decides to lock me out because some algorithm decided my account is fishy.

The biggest blocker has been the issues with the Android client. I'm either hitting https://github.com/tailscale/tailscale/issues/915 or https://github.com/tailscale/tailscale/issues/4611, but neither issue appears to have a fix coming soon. Whenever I am on my carrier's network, my phone's internet stops until I disable Tailscale - that's just a show-stopper for using Tailscale.

So instead of developing this SSH feature, I would have preferred to see them work on their bug backlog.

In the meantime, I'm experimenting with ZeroTier. While it doesn't have the ease and cool magicDNS+LetsEncrypt feature, I think I'll survive with something more reliable.



@ratg13 14 days

Replying to @ignoramous 🎙

Is anyone using tailscale on an organizational level?

I'm curious to hear about some of the use cases, and whether some companies and organizations are attempting to adopt this instead of traditional VPN.



@Sytten 14 days

Replying to @ignoramous 🎙

This seems like the perfect complement to replace the SSM Agent / bastion instance currently used to access AWS VPC (it is super clunky to use). This should allow an easier time to do reverse tunnelling to databases without having to manage SSH keys.



@NoraCodes 14 days

Replying to @ignoramous 🎙

I know this opinion comes up every time Tailscale is mentioned, but requiring SSO _and_ only supporting companies like Google and Microsoft on the free tier means a lot of people can't use it without being exposed to a ton of risk in the form of automated moderation/deletion decisions. I want to be excited about this stuff, but it just won't fit into my risk profile until that changes.

Hell, I'd be happy to pay $5/mo or whatever if that meant I could roll my own SSO, or even just use a cheap-per-user, low-volume provider.



@pphysch 14 days

Replying to @ignoramous 🎙

> (SSH certificates are better, but have you tried running your own enterprise CA?)

For a small business, what is so hard about keeping a file (CA private key) secure and changing it when required?



@dx034 13 days

Replying to @ignoramous 🎙

I love that feature but I'd be a bit scared to just switch off all other ssh, in case the tailscale service ever crashes. I know, machines can just be set up again, but if the problem reproduces there's no way to debug it.

So what's the recommendation here to stay safe but still have a failover? Keep ssh enabled for only one user (with sudo rights) and a key that's stored at some secure location?



@danousna 14 days

Replying to @ignoramous 🎙

What would be the advantages of this compared to, say, Teleport?

Teleport is working fine for us, but I wonder if the network-based approach (+ WireGuard) of Tailscale would be better in terms of network redundancy?



@riobard 14 days

Replying to @ignoramous 🎙

I'll have to ask this since it's bothering me for quite a while…

If I connect to a server via WireGuard, would it make more sense to run simpler & unencrypted `rsh` instead of `ssh`? It's kinda pointless to double encrypt.



@SuperSandro2000 13 days

Replying to @ignoramous 🎙

You still need to manage some amount (possibly smaller than right now) of SSH keys, because if not then you are totally reliant on Tailscale being up all the time, or you can't access your infrastructure if they have an outage.


