pkgsrc-Users archive


Re: Progress on tailscale on NetBSD (plus $ available)



> Sent with Proton Mail secure email.
>
> On Thursday, 23 April 2026 at 2:55 PM, Kevin Bloom <ktnb%netbsd.org@localhost> wrote:
>
> > > Sent with Proton Mail secure email.
> > >
> > > On Wednesday, 22 April 2026 at 8:55 PM, Kevin Bloom <ktnb%netbsd.org@localhost> wrote:
> > >
> > > > > Sent with Proton Mail secure email.
> > > > >
> > > > > On Wednesday, 22 April 2026 at 3:16 AM, Kevin Bloom <ktnb%netbsd.org@localhost> wrote:
> > > ...
> > > > > FWIW,
> > > > >
> > > > > Chavdar
> > > > >
> > > >
> > > > I've committed another update that fixes the unprivileged user issue, the
> > > > pinging of loopback issue, and the health check error (not sure if anyone
> > > > saw that one or not). Please give it a go and let me know how it works!
> > > >
> > >
> > > Wow, that was quick! It seems everything works at first look.
> > >
> > > There is a question mark on ssh, though - it now lets me ssh to
> > > root@any-of-my-tailnet-hosts from any of the local NetBSD users *without*
> > > requesting the usual reauthentication. This seems like a security issue...
> > >
> > > Chavdar
> > >
> > >
> >
> > I believe that's how tailscale works. Basically, tailscale will log
> > who does what and you can control who has actual access via the
> > --operator option. I think anyone can run the status and ip commands,
> > however. (I could be wrong but that's what I'm understanding)
>
> It would appear indeed so. I did a few more tests - tailscale
> down|login|logout|up, stopping and restarting the daemon, destroying the
> tun0 interface etc. and it worked as expected. A non-root user can issue
> 'tailscale status|ping', that's fine. However, a non-root user can also say
>
> $ tailscale ssh root@any-other-tailnet-host
>
> and it works like a charm... You tell me if this is a security hole... If I
> try to do the same from a Windows or Linux system to a host I haven't
> contacted before, it gets me to the tailscale authentication link and I
> have to confirm it there.
>
> My tests were all done on amd64 and aarch64 VMs running -current circa 25th
> of March, tailscale built using go 1.26.2, FWIW.
> >
>
>
> Chavdar
>
>
>

Hmm, interesting. I've never had tailscale prompt me with an auth
link when trying to connect to a new host on both macOS and Linux.
Maybe there is a setting on your tailscale instance that isn't set
on my company's. I'll do some digging and get back to you!
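For readers following the thread: the reauthentication link Chavdar describes corresponds to Tailscale SSH's "check" action, which is set in the tailnet policy file rather than on the client node, and the --operator option Kevin mentions only governs who may drive the local tailscaled, not which remote users a destination accepts. The following policy fragment is an added illustration, not configuration from this thread or from the pkgsrc package; the rule names and the 12h period are constructed, and "weak" shows the shape that permits root logins with no re-check while "hardened" requires a periodic browser confirmation and restricts root.

```jsonc
{
  // Constructed example: two alternative "ssh" sections for a tailnet policy file.
  // Only one would be present in a real policy; both are shown side by side.

  // weak: any member may reach root on any tailnet node with no re-check,
  // so any local account on an authorised source node inherits that access.
  "ssh_weak_example": [
    {
      "action": "accept",
      "src": ["autogroup:member"],
      "dst": ["autogroup:member"],
      "users": ["autogroup:nonroot", "root"]
    }
  ],

  // hardened: members may only SSH into nodes they own, non-root logins are
  // accepted directly, and a root login forces the browser check at most
  // once per checkPeriod (here a constructed value of 12 hours).
  "ssh": [
    {
      "action": "accept",
      "src": ["autogroup:member"],
      "dst": ["autogroup:self"],
      "users": ["autogroup:nonroot"]
    },
    {
      "action": "check",
      "checkPeriod": "12h",
      "src": ["autogroup:member"],
      "dst": ["autogroup:self"],
      "users": ["root"]
    }
  ]
}
```

If a NetBSD client still reaches root without the check under a policy like the hardened one, that points at the port rather than at the tailnet configuration.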

