tailscale / tailscale

The easiest, most secure way to use WireGuard and 2FA.
https://tailscale.com
BSD 3-Clause "New" or "Revised" License

FR: SSH: Get access to identity of remote/incoming user #9890

Open mattklein123 opened 1 year ago

mattklein123 commented 1 year ago

What are you trying to do?

I'm not sure if there is a way to do this already, but I couldn't find one.

I'm implementing a secure/restricted bastion using tailscale SSH. Effectively, the login shell is a single command. As part of this, it would be optimal if I knew the identity of the authenticated remote user (for auditing, role based control, and so on), and possibly the tailscale groups they are in. I could potentially solve this by provisioning a user account on the machine for every user, and forcing every user to SSH as themselves, but that is somewhat tedious. It would be much better if there was a way I could somehow get the identity of the remote user, so I can use a single login on the remote machine.

How should we solve this?

Honestly I have no idea. This is all voodoo to me. :)

Optimally, if there was a way to inject env variables into the created session/env, that would be optimal. Any solution would be fine.

What is the impact of not solving this?

Either not doing auditing for now or manual provisioning per above.

Anything else?

No response

maisem commented 1 year ago

A workaround could be to parse the SSH_CONNECTION env var and do a LocalClient.WhoIs request. You would just pick the first field in SSH_CONNECTION, which is the client IP, and use that as the argument to WhoIs.

We could probably inject the client identity as an env var too, @bradfitz thoughts?

mattklein123 commented 1 year ago

OK, thanks for that workaround. That is probably good enough for right now. If you all are willing, injecting into an env var would be super awesome and make things more cross-platform without having to maintain a dedicated Go binary to get the info.

mattklein123 commented 1 year ago

From looking at the code I'm realizing I can probably just curl directly vs. using the Go binary/client, so will give that a shot, even though I realize it's not officially supported.

mattklein123 commented 1 year ago

For anyone else that comes across this:

curl --unix-socket /run/tailscale/tailscaled.sock -v 'http://local-tailscaled.sock/localapi/v0/whois?addr=100.80.108.133:0'

Or similar works for me. (With all the caveats, not supported, and so on.)
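A script putting the two comments above together, as an added example that is not part of the issue or of the tailscale project: it takes the client IP out of SSH_CONNECTION as maisem suggests and queries the whois endpoint over the socket the way the curl command does. It assumes jq is installed and that the response carries UserProfile.LoginName and Node.Name fields; the socket path and endpoint are the ones posted above.

```shell
# Added example, not code from the issue or from the tailscale project.
# Implements the workaround from the thread inside a forced-command/login
# shell: take the client IP from SSH_CONNECTION and ask tailscaled's local
# API "whois" endpoint who that peer is. The JSON field names
# (.UserProfile.LoginName, .Node.Name) and the use of jq are assumptions.
set -eu

TAILSCALED_SOCK="${TAILSCALED_SOCK:-/run/tailscale/tailscaled.sock}"

# SSH_CONNECTION is "client_ip client_port server_ip server_port".
# Prints the client IP; fails if the value is missing or is not an IPv4 or
# IPv6 literal, so a caller under `set -e` stops instead of querying whois
# with garbage.
ssh_client_ip() {
  set -- ${1:-}            # word-split on purpose to get the first field
  ip="${1:-}"
  if printf '%s\n' "$ip" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' ||
     printf '%s\n' "$ip" | grep -Eq '^[0-9a-fA-F:]+:[0-9a-fA-F:]*$'; then
    printf '%s\n' "$ip"
    return 0
  fi
  echo "ssh_client_ip: unusable SSH_CONNECTION value" >&2
  return 1
}

# whois takes "ip:port"; the port does not matter for identity, so use 0.
# An IPv6 literal must be bracketed, and the brackets are percent-encoded
# so they survive the query string (and do not trigger curl's URL globbing).
whois_addr() {
  case "$1" in
    *:*) printf '%%5B%s%%5D:0\n' "$1" ;;
    *)   printf '%s:0\n' "$1" ;;
  esac
}

# Ask the local API over the unix socket and print "login via node".
# The host in the URL is just a placeholder; the socket is the real target.
# Reading the socket needs root or membership in its group.
tailscale_whois() {
  addr="$(whois_addr "$(ssh_client_ip "$1")")"
  curl -sS --fail --unix-socket "$TAILSCALED_SOCK" \
    "http://local-tailscaled.sock/localapi/v0/whois?addr=${addr}" |
    jq -r '"\(.UserProfile.LoginName) via \(.Node.Name)"'
}

# Run the lookup only inside an SSH session on a host with tailscaled up.
if [ -n "${SSH_CONNECTION:-}" ] && [ -S "$TAILSCALED_SOCK" ]; then
  tailscale_whois "$SSH_CONNECTION"
fi
```

The lookup is only meaningful for sessions that arrived over Tailscale SSH; a connection through a plain sshd on the same host yields a client address tailscaled cannot resolve, and the script exits non-zero rather than reporting an identity.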