starred/headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2026-04-23 00:58:43 +02:00
Code Issues 98 Packages Projects Releases 10 Wiki Activity

policy, noise: implement SSH check action

Browse Source 
Implement the SSH "check" action which requires additional
verification before allowing SSH access. The policy compiler generates
a HoldAndDelegate URL that the Tailscale client calls back to
headscale. The SSHActionHandler creates an auth session and waits for
approval via the generalised auth flow.

Sort check (HoldAndDelegate) rules before accept rules to match
Tailscale's first-match-wins evaluation order.

Updates #1850
This commit is contained in:
Kristoffer Dalby
2026-02-24 18:50:18 +00:00
parent 4a7e1475c0
commit 107c2f2f70
10 changed files with 500 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
hscontrol/state/state.go
View File

@@ -871,7 +871,7 @@ func (s *State) ExpireExpiredNodes(lastCheck time.Time) (time.Time, []change.Cha
// SSHPolicy returns the SSH access policy for a node.
func (s *State) SSHPolicy(node types.NodeView) (*tailcfg.SSHPolicy, error) {
return s.polMan.SSHPolicy(node)
return s.polMan.SSHPolicy(s.cfg.ServerURL, node)
}
// Filter returns the current network filter rules and matches.