pkgsrc-Users archive


Re: Progress on tailscale on NetBSD (plus $ available)

Sent with Proton Mail secure email.

On Thursday, 23 April 2026 at 2:55 PM, Kevin Bloom <ktnb%netbsd.org@localhost> wrote:

> > Sent with Proton Mail secure email.
> >
> > On Wednesday, 22 April 2026 at 8:55 PM, Kevin Bloom <ktnb%netbsd.org@localhost> wrote:
> >
> > > > Sent with Proton Mail secure email.
> > > >
> > > > On Wednesday, 22 April 2026 at 3:16 AM, Kevin Bloom <ktnb%netbsd.org@localhost> wrote:
> > ...
> > > > FWIW,
> > > >
> > > > Chavdar
> > > >
> > >
> > > I've committed another update that fixes the unprivileged user issue, the
> > > pining of loopback issue, and the health check error (not sure if anyone
> > > saw that one or not). Please give it a go and let me know how it works!
> > >
> >
> > Wow, that was quick! It seems everything works at first look.
> >
> > There is a question mark on ssh, though - it now lets me ssh to
> > root@any-of-my-tailnet-hosts from any of the local NetBSD users *without*
> > requesting the usual reauthentication. This seems like a security issue...
> >
> > Chavdar
> >
> >
> 
> I believe that's how tailscale works. Basically, tailscale will log
> who does what and you can control who has actual access via the
> --operator option. I think anyone can run the status and ip commands,
> however. (I could be wrong but that's what I'm understanding)

It would appear indeed so. I did a few more tests (tailscale down|login|logout|up, stopping and restarting the daemon, destroying the tun0 interface, etc.) and it worked as expected. A non-root user can issue 'tailscale status|ping'; that's fine. However, a non-root user can also say

$ tailscale ssh root@any-other-tailnet-host

and it works like a charm... You tell me if this is a security hole... If I try to do the same from a Windows or Linux system to a host I haven't contacted before, it gets me to the tailscale authentication link and I have to confirm it there.

My tests were all done on amd64 and aarch64 VMs running -current circa 25th of March, tailscale built using go 1.26.2, FWIW.


Chavdar 
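Editor's note, added after the message and not part of the thread or of the pkgsrc package: the two things discussed above are two separate Tailscale controls. Which local Unix users may drive tailscaled at all (status, up, ssh, ...) is set by the operator option (`tailscale set --operator=USER`, or the same flag on `tailscale up`); root on the host can always drive it. Whether a Tailscale SSH login requires the browser re-authentication that Chavdar calls "the usual reauthentication" is set by the `ssh` rules in the tailnet policy file: `"action": "check"` forces it, `"action": "accept"` does not. The fragment below is a constructed policy (HuJSON, the format Tailscale policy files use), not taken from any tailnet in the thread; it shows the permissive rule next to the stricter root rule. The `autogroup:*` names are Tailscale's built-in groups, and the `checkPeriod` value is an assumed choice.

```jsonc
{
  // Constructed example tailnet policy; not from the thread.
  "ssh": [
    {
      // Permissive: any tailnet member may SSH to their own devices as a
      // non-root user with no re-authentication beyond the tailnet login.
      "action": "accept",
      "src": ["autogroup:member"],
      "dst": ["autogroup:self"],
      "users": ["autogroup:nonroot"]
    },
    {
      // Stricter: logging in as root on the same devices is allowed only
      // in check mode, so the user must re-authenticate in the browser
      // and the approval is cached for at most checkPeriod (assumed 1h here;
      // "always" forces a check on every connection).
      "action": "check",
      "checkPeriod": "1h",
      "src": ["autogroup:member"],
      "dst": ["autogroup:self"],
      "users": ["root"]
    }
  ]
}
```

Check mode is keyed on the destination user named in the rule, so when a login to the same host prompts from one client and not from another, the matching `ssh` rule is the first thing to compare before looking at the client build. Restricting the operator user, on the other hand, only changes who on the local host can issue `tailscale` commands; it does not change what the tailnet policy allows once a command reaches tailscaled.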


