pkgsrc-Users archive


Re: Progress on tailscale on NetBSD (plus $ available)



> Sent with Proton Mail secure email.
>
> On Sunday, 26 April 2026 at 2:43 AM, Kevin Bloom <ktnb%netbsd.org@localhost> wrote:
>
> > > Sent with Proton Mail secure email.
> > >
> > > On Thursday, 23 April 2026 at 2:55 PM, Kevin Bloom <ktnb%netbsd.org@localhost> wrote:
> > >
> > > > > Sent with Proton Mail secure email.
> > > > >
> > > > > On Wednesday, 22 April 2026 at 8:55 PM, Kevin Bloom <ktnb%netbsd.org@localhost> wrote:
> > > > >
> > > > > > > Sent with Proton Mail secure email.
> > > > > > >
> > > > > > > On Wednesday, 22 April 2026 at 3:16 AM, Kevin Bloom <ktnb@netbsd.org> wrote:
> > > > > ...
> > > > > > > FWIW,
> > > > > > >
> > > > > > > Chavdar
> > > > > > >
> > > > > >
> > > > > > I've committed another update that fixes the unprivileged user issue,
> > > > > > the pinning of loopback issue, and the health check error (not sure if
> > > > > > anyone saw that one or not). Please give it a go and let me know how it
> > > > > > works!
> > > > > >
> > > > >
> > > > > Wow, that was quick! It seems everything works at first look.
> > > > >
> > > > > There is a question mark on ssh, though - it now lets me ssh to
> > > > > root@any-of-my-tailnet-hosts from any of the local NetBSD users
> > > > > *without* requesting the usual reauthentication. This seems like a
> > > > > security issue...
> > > > >
> > > > > Chavdar
> > > > >
> > > > >
> > > >
> > > > I believe that's how tailscale works. Basically, tailscale will log
> > > > who does what and you can control who has actual access via the
> > > > --operator option. I think anyone can run the status and ip commands,
> > > > however. (I could be wrong but that's what I'm understanding)
> > >
> > > It would appear indeed so. I did a few more tests - tailscale
> > > down|login|logout|up, stopping and restarting the daemon, destroying
> > > the tun0 interface etc. and it worked as expected. Non-root user can
> > > issue 'tailscale status|ping', that's fine. However, non-root user can
> > > also say
> > >
> > > $ tailscale ssh root@any-other-tailnet-host
> > >
> > > and it works like a charm... You tell me if this is a security hole...
> > > If I try to do the same from a Windows or Linux system to a host I
> > > haven't contacted before, it gets me to the tailscale authentication
> > > link and I have to confirm it there.
> > >
> > > My tests were all done on amd64 and aarch64 vms running -current circa
> > > 25th of March, tailscale built using go 1.26.2, FWIW.
> > > >
> > >
> > >
> > > Chavdar
> > >
> > >
> >
> > Hmm, interesting. I've never had tailscale prompt me with an auth
> > link when trying to connect to a new host on both macOS and Linux.
> > Maybe there is a setting on your tailscale instance that isn't set
> > on my company's. I'll do some digging and get back to you!
> >
>
> I am not so sure today, to be honest. Yesterday when I mailed I definitely
> tried it and it behaved this way when sshing out from the two NetBSD VMs.
> Today I tried to repeat the same, ssh to a couple of hosts on the tailnet
> I haven't tried earlier, and it behaves as expected:
>
> ------------
> sh-5.1$ uname -a
> Linux instance-20211209-2248 5.15.0-3.60.5.1.el9uek.x86_64 #2 SMP Wed Oct 19 20:27:31 PDT 2022 x86_64 x86_64 x86_64 GNU/Linux
> sh-5.1$ tailscale ssh root@pmox
> # Tailscale SSH requires an additional check.
> # To authenticate, visit: https://login.tailscale.com/a/abcde12345678
> ^C
> sh-5.1$ ssh root@pmox
> The authenticity of host 'pmox (100.97.XX.YY)' can't be established.
> ED25519 key fingerprint is SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXX.
> This key is not known by any other names
> Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
> Warning: Permanently added 'pmox' (ED25519) to the list of known hosts.
> # Tailscale SSH requires an additional check.
> # To authenticate, visit: https://login.tailscale.com/a/abcde12345678
>
> ---
>
> $ uname -a
> NetBSD ym1r.lorien.lan 11.99.5 NetBSD 11.99.5 (GENERIC) #0: Thu Mar 26 00:05:14 GMT 2026  root%ym1r.lorien.lan@localhost:/bd/sysbuild/amd64/obj/home/sysbuild/src/sys/arch/amd64/compile/GENERIC amd64
> $ tailscale ssh opc@ci4o3
> # Tailscale SSH requires an additional check.
> # To authenticate, visit: https://login.tailscale.com/a/abcde12345678
> ^C
> $ ssh opc@ci4o3
> The authenticity of host 'ci4o3 (100.64.163.74)' can't be established.
> ED25519 key fingerprint is: SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> This host key is known by the following other names/addresses:
>     ~/.ssh/known_hosts:17: 129.151.XX.YY
> Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
> Warning: Permanently added 'ci4o3' (ED25519) to the list of known hosts.
> # Tailscale SSH requires an additional check.
> # To authenticate, visit: https://login.tailscale.com/a/abcde12345678
> ^C
> $ ssh root@ci4o3
> # Tailscale SSH requires an additional check.
> # To authenticate, visit: https://login.tailscale.com/a/abcde12345678   <---- I visit this, authorize and am able to ssh
> # Authentication checked with Tailscale SSH.
> # Time since last authentication: 1s
> Last login: Sat Apr 25 12:29:04 from 100.94.217.112
> [root@instance-20211209-2248 ~]#
> logout
> Connection to ci4o3 closed.
> $ ssh root@ci4o3                                   <------------------ second attempt goes without additional authorization - as expected
> Last login: Sun Apr 26 11:06:55 from 100.103.185.88
> [root@instance-20211209-2248 ~]#
> logout
> Connection to ci4o3 closed.
>
> ------------------------------------
>
> Remains perhaps to change 'userspace-networking' to 'tun' in tailscaled.sh?
>

Have you been using the package lately? Any updates or concerns? I
believe that I will probably remove the -tun option in the daemon
script as it appears most others use tun by default.

> Chavdar
>
>
>
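An added example, not from this thread or from the NetBSD package: the "Tailscale SSH requires an additional check" prompt seen above, and the second login going through without it, come from the tailnet's policy file rather than from the local `--operator` setting, where an `ssh` rule with `"action": "check"` forces the browser re-authentication and `checkPeriod` sets how long a completed check stays valid. The group, tag and user names below are assumed (HuJSON, so comments are allowed).

```jsonc
{
  // Constructed policy fragment; group:admins and tag:server are hypothetical.
  "ssh": [
    {
      // Members may SSH to their own devices as a non-root user with no extra check.
      "action": "accept",
      "src": ["autogroup:member"],
      "dst": ["autogroup:self"],
      "users": ["autogroup:nonroot"]
    },
    {
      // root on tagged servers requires a fresh browser check; the check is
      // reused for 12h, which is why a second ssh shortly after is not re-prompted.
      "action": "check",
      "checkPeriod": "12h",
      "src": ["group:admins"],
      "dst": ["tag:server"],
      "users": ["root"]
    }
  ]
}
```

Setting `"checkPeriod": "always"` on the root rule would re-prompt on every connection; a tailnet whose root rule is `"accept"` instead of `"check"` never shows the link, which matches the difference in behaviour reported between the two tailnets in this thread.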

