pkgsrc-Users archive
Re: Progress on tailscale on NetBSD (plus $ available)
Sent with Proton Mail secure email.
On Sunday, 26 April 2026 at 2:43 AM, Kevin Bloom <ktnb%netbsd.org@localhost> wrote:
> > Sent with Proton Mail secure email.
> >
> > On Thursday, 23 April 2026 at 2:55 PM, Kevin Bloom <ktnb%netbsd.org@localhost> wrote:
> >
> > > > Sent with Proton Mail secure email.
> > > >
> > > > On Wednesday, 22 April 2026 at 8:55 PM, Kevin Bloom <ktnb%netbsd.org@localhost> wrote:
> > > >
> > > > > > Sent with Proton Mail secure email.
> > > > > >
> > > > > > On Wednesday, 22 April 2026 at 3:16 AM, Kevin Bloom <ktnb%netbsd.org@localhost> wrote:
> > > > ...
> > > > > > FWIW,
> > > > > >
> > > > > > Chavdar
> > > > > >
> > > > >
> > > > > I've committed another update that fixes the unprivileged user issue, the
> > > > > pinging of loopback issue, and the health check error (not sure if anyone
> > > > > saw that one or not). Please give it a go and let me know how it works!
> > > > >
> > > >
> > > > Wow, that was quick! It seems everything works at first look.
> > > >
> > > > There is a question mark on ssh, though - it now lets me ssh to root@any-of-my-tailnet-hosts from any of the local NetBSD users *without* requesting the usual reauthentication. This seems like a security issue...
> > > >
> > > > Chavdar
> > > >
> > > >
> > >
> > > I believe that's how tailscale works. Basically, tailscale will log
> > > who does what and you can control who has actual access via the
> > > --operator option. I think anyone can run the status and ip commands,
> > > however. (I could be wrong but that's what I'm understanding)
> >
> > It would appear indeed so. I did a few more tests - tailscale down|login|logout|up, stopping and restarting the daemon, destroying the tun0 interface etc. and it worked as expected. Non-root user can issue 'tailscale status|ping', that's fine. However, non-root user can also say
> >
> > $ tailscale ssh root@any-other-tailnet-host
> >
> > and it works like a charm... You tell me if this is a security hole... If I try to do the same from a Windows or Linux system to a host I haven't contacted before, it gets me to the tailscale authentication link and I have to confirm it there.
> >
> > My tests were all done on amd64 and aarch64 vms running -current circa 25th of March, tailscale built using go 1.26.2, FWIW.
> > >
> >
> >
> > Chavdar
> >
> >
>
> Hmm, interesting. I've never had tailscale prompt me with an auth
> link when trying to connect to a new host on both macOS and Linux.
> Maybe there is a setting on your tailscale instance that isn't set
> on my company's. I'll do some digging and get back to you!
>
I am not so sure today, to be honest. Yesterday when I mailed I definitely tried it and it behaved this way when ssh-ing out from the two NetBSD VMs. Today I tried to repeat the same, ssh to a couple of hosts on the tailnet I haven't tried earlier, and it behaves as expected:
------------
sh-5.1$ uname -a
Linux instance-20211209-2248 5.15.0-3.60.5.1.el9uek.x86_64 #2 SMP Wed Oct 19 20:27:31 PDT 2022 x86_64 x86_64 x86_64 GNU/Linux
sh-5.1$ tailscale ssh root@pmox
# Tailscale SSH requires an additional check.
# To authenticate, visit: https://login.tailscale.com/a/abcde12345678
^C
sh-5.1$ ssh root@pmox
The authenticity of host 'pmox (100.97.XX.YY)' can't be established.
ED25519 key fingerprint is SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXX.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'pmox' (ED25519) to the list of known hosts.
# Tailscale SSH requires an additional check.
# To authenticate, visit: https://login.tailscale.com/a/abcde12345678
---
$ uname -a
NetBSD ym1r.lorien.lan 11.99.5 NetBSD 11.99.5 (GENERIC) #0: Thu Mar 26 00:05:14 GMT 2026 root%ym1r.lorien.lan@localhost:/bd/sysbuild/amd64/obj/home/sysbuild/src/sys/arch/amd64/compile/GENERIC amd64
$ tailscale ssh opc@ci4o3
# Tailscale SSH requires an additional check.
# To authenticate, visit: https://login.tailscale.com/a/abcde12345678
^C
$ ssh opc@ci4o3
The authenticity of host 'ci4o3 (100.64.163.74)' can't be established.
ED25519 key fingerprint is: SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:17: 129.151.XX.YY
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'ci4o3' (ED25519) to the list of known hosts.
# Tailscale SSH requires an additional check.
# To authenticate, visit: https://login.tailscale.com/a/abcde12345678
^C
$ ssh root@ci4o3
# Tailscale SSH requires an additional check.
# To authenticate, visit: https://login.tailscale.com/a/abcde12345678 <---- I visit this, authorize and am able to ssh
# Authentication checked with Tailscale SSH.
# Time since last authentication: 1s
Last login: Sat Apr 25 12:29:04 from 100.94.217.112
[root@instance-20211209-2248 ~]#
logout
Connection to ci4o3 closed.
$ ssh root@ci4o3 <------------------ second attempt goes without additional authorization - as expected
Last login: Sun Apr 26 11:06:55 from 100.103.185.88
[root@instance-20211209-2248 ~]#
logout
Connection to ci4o3 closed.
------------------------------------
Remains perhaps to change 'userspace-networking' to 'tun' in tailscaled.sh?
Chavdar
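As an added illustration, not taken from this thread or from the pkgsrc package: the "Tailscale SSH requires an additional check" prompt in the sessions above comes from a tailnet policy-file SSH rule whose action is "check", and the window during which a second connection is accepted without revisiting the link is that rule's checkPeriod. The fragment below is a constructed HuJSON policy, not anyone's real tailnet configuration; the tag name tag:servers is assumed.

```jsonc
{
  // Constructed example policy fragment (HuJSON), not the poster's tailnet policy.
  "ssh": [
    {
      // Members may SSH to their own devices as a non-root user with no extra check.
      "action": "accept",
      "src":    ["autogroup:member"],
      "dst":    ["autogroup:self"],
      "users":  ["autogroup:nonroot"]
    },
    {
      // Root logins require the out-of-band "additional check" (the login link
      // shown in the session above). After a successful check, further connections
      // to the same destination are accepted for checkPeriod without a new link;
      // "always" would force the check on every connection instead.
      "action":      "check",
      "src":         ["autogroup:member"],
      "dst":         ["autogroup:self", "tag:servers"],   // tag:servers is assumed
      "users":       ["root"],
      "checkPeriod": "12h"
    }
  ]
}
```

Whether the local NetBSD user is root or not does not enter into these rules: the check is keyed on the tailnet identity of the source node, which is why the local --operator setting governs who may drive the daemon but not whether the link appears.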