[Bug] SSH autogroup:nonroot does not permit non-root usernames #1044

New Issue

Closed

opened 2025-12-29 02:27:53 +01:00 by adam · 5 comments

adam commented 2025-12-29 02:27:53 +01:00

Owner

Copy Link

Originally created by @mitchplze on GitHub (Jun 9, 2025).

Is this a support request?

• This is not a support request

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

With the following block:

"ssh": [
    {
      "action": "accept",
      "src": ["tag:admin", "group:admin"],
      "dst": ["*"],
      "users": ["autogroup:nonroot", "root"]
    }
  ]

Despite --ssh being set and the user existing on the target system, admins are unable to SSH with the username test to the destination.

The error returned is:

mitch@Mitchs-MacBook ~ % ssh test@100.123.123.123
tailscale: failed to evaluate SSH policyConnection closed by 100.123.123.123 port 22

When I explicitly add "test" to users:, it works as expected.

"ssh": [
    {
      "action": "accept",
      "src": ["tag:admin", "group:admin"],
      "dst": ["*"],
      "users": ["autogroup:nonroot", "root", "test"]
    }
  ]

Expected Behavior

As per Tailscale docs, the autogroup:nonroot group in an SSH ACL policy, should permit any username that is not root to login to the machine. This does not currently appear to be the case with Headscale 0.26.1.

Steps To Reproduce

As per above, create an SSH block permitting autogroup:nonroot and users will not be able to login.

Environment

- OS: Debian 12 via Docker
- Headscale version: 0.26.1
- Tailscale version: 1.81.1

Runtime environment

• Headscale is behind a (reverse) proxy
• Headscale runs in a container

Debug information

N/A

Originally created by @mitchplze on GitHub (Jun 9, 2025). ### Is this a support request? - [x] This is not a support request ### Is there an existing issue for this? - [x] I have searched the existing issues ### Current Behavior With the following block: ```yaml "ssh": [ { "action": "accept", "src": ["tag:admin", "group:admin"], "dst": ["*"], "users": ["autogroup:nonroot", "root"] } ] ``` Despite `--ssh` being set and the user existing on the target system, admins are unable to SSH with the username `test` to the destination. The error returned is: ``` mitch@Mitchs-MacBook ~ % ssh test@100.123.123.123 tailscale: failed to evaluate SSH policyConnection closed by 100.123.123.123 port 22 ``` When I explicitly add `"test"` to `users:`, it works as expected. ```yaml "ssh": [ { "action": "accept", "src": ["tag:admin", "group:admin"], "dst": ["*"], "users": ["autogroup:nonroot", "root", "test"] } ] ``` ### Expected Behavior As per [Tailscale docs](https://tailscale.com/kb/1337/policy-syntax#users), the `autogroup:nonroot` group in an SSH ACL policy, should permit any username that is not `root` to login to the machine. This does not currently appear to be the case with Headscale `0.26.1`. ### Steps To Reproduce As per above, create an SSH block permitting `autogroup:nonroot` and users will not be able to login. ### Environment ```markdown - OS: Debian 12 via Docker - Headscale version: 0.26.1 - Tailscale version: 1.81.1 ``` ### Runtime environment - [x] Headscale is behind a (reverse) proxy - [x] Headscale runs in a container ### Debug information N/A

adam added the bugtailscale-feature-gappolicy 📝SSH labels 2025-12-29 02:27:53 +01:00

adam closed this issue 2025-12-29 02:27:54 +01:00

adam commented 2025-12-29 02:27:54 +01:00

Author

Owner

Copy Link

@turnah commented on GitHub (Jun 10, 2025):

I don't think this is just affecting nonroot group, but same when explicitly defining usernames, ie "michael@". I also can't get my ssh group to connect after updating. Same message and my config hasn't changed (apart from @). Thought I was going mad or to do with changing my usernames so they contain an @

@turnah commented on GitHub (Jun 10, 2025): I don't think this is just affecting nonroot group, but same when explicitly defining usernames, ie "michael@". I also can't get my ssh group to connect after updating. Same message and my config hasn't changed (apart from @). Thought I was going mad or to do with changing my usernames so they contain an @

adam commented 2025-12-29 02:27:54 +01:00

Author

Owner

Copy Link

@mitchplze commented on GitHub (Jun 10, 2025):

There’s another bug If you didn’t know as well. Try restarting Headscale whenever you change ACLs or tags, or they won’t refresh.

@mitchplze commented on GitHub (Jun 10, 2025): There’s another bug If you didn’t know as well. Try restarting Headscale whenever you change ACLs or tags, or they won’t refresh.

adam commented 2025-12-29 02:27:54 +01:00

Author

Owner

Copy Link

@nblock commented on GitHub (Jun 10, 2025):

I don't think this is just affecting nonroot group, but same when explicitly defining usernames, ie "michael@".

The @ in the username is only required for Headscale users. The users list in the ssh section is just a list of unix usernames on the system you want to connect to with SSH.

@nblock commented on GitHub (Jun 10, 2025): > I don't think this is just affecting nonroot group, but same when explicitly defining usernames, ie "michael@". The `@` in the username is only required for Headscale users. The `users` list in the `ssh` section is just a list of unix usernames on the system you want to connect to with SSH.

adam commented 2025-12-29 02:27:54 +01:00

Author

Owner

Copy Link

@turnah commented on GitHub (Jun 10, 2025):

I don't think this is just affecting nonroot group, but same when explicitly defining usernames, ie "michael@".

The @ in the username is only required for Headscale users. The users list in the ssh section is just a list of unix usernames on the system you want to connect to with SSH.

Well this solves my problem! Thank you, sorry for cross posting on this issue

@turnah commented on GitHub (Jun 10, 2025): > > I don't think this is just affecting nonroot group, but same when explicitly defining usernames, ie "michael@". > > The `@` in the username is only required for Headscale users. The `users` list in the `ssh` section is just a list of unix usernames on the system you want to connect to with SSH. Well this solves my problem! Thank you, sorry for cross posting on this issue

adam commented 2025-12-29 02:27:54 +01:00

Author

Owner

Copy Link

@nblock commented on GitHub (Jul 19, 2025):

I can confirm this on 0.26.1 and 0.25.1. It likely exists in many older versions as well.

The reason seems to be a difference in the netmap's sshUsers section found within SSHPolicy.rules[*].sshUsers. This
can be observed by configuring a similar policy in Tailscale SaaS and Headscale and inspecting the netmap via e.g.
tailscale debug netmap | jq .SSHPolicy.rules[0].

A few SSH policy examples with different allowed users follow. Note the differences in the sshUsers section.

Allow tailscale ssh as any local user except root

"ssh": [
  {
    ...
    "users": ["autogroup:nonroot"]
  }
]

SSHPolicy from Tailscale SaaS

{
  "ruleExpires": "2025-07-20T06:05:17Z",
  "principals": [{...}],
  "sshUsers": {
    "*": "=",
    "root": ""
  },
  "action": {
    "accept": true,
    "allowAgentForwarding": true,
    "allowLocalPortForwarding": true,
    "allowRemotePortForwarding": true
  }
}

SSHPolicy Headscale 0.26.1 (policy v2)

{
  "principals": [{...}],
  "sshUsers": {
    "autogroup:nonroot": "="
  },
  "action": {
    "accept": true,
    "allowAgentForwarding": true,
    "allowLocalPortForwarding": true
  }
}

Allow tailscale ssh as any user

"ssh": [
  {
    ...
    "users": ["autogroup:nonroot", "root"]
  }
]

SSHPolicy from Tailscale SaaS

{
  "ruleExpires": "2025-07-20T06:05:17Z",
  "principals": [{...}],
  "sshUsers": {
    "*": "=",
    "root": "root"
  },
  "action": {
    "accept": true,
    "allowAgentForwarding": true,
    "allowLocalPortForwarding": true,
    "allowRemotePortForwarding": true
  }
}

SSHPolicy Headscale 0.26.1 (policy v2)

{
  "principals": [{...}],
  "sshUsers": {
    "autogroup:nonroot": "=",
    "root": "="
  },
  "action": {
    "accept": true,
    "allowAgentForwarding": true,
    "allowLocalPortForwarding": true
  }
}

Allow tailscale ssh as ubuntu or root

"ssh": [
  {
    ...
    "users":  ["ubuntu", "root"],
  }
]

SSHPolicy from Tailscale SaaS

{
  "ruleExpires": "2025-07-20T06:05:17Z",
  "principals": [{...}],
  "sshUsers": {
    "root": "root",
    "ubuntu": "ubuntu"
  },
  "action": {
    "accept": true,
    "allowAgentForwarding": true,
    "allowLocalPortForwarding": true,
    "allowRemotePortForwarding": true
  }
}

SSHPolicy Headscale 0.26.1 (policy v2)

{
  "principals": [{...}],
  "sshUsers": {
    "root": "=",
    "ubuntu": "="
  },
  "action": {
    "accept": true,
    "allowAgentForwarding": true,
    "allowLocalPortForwarding": true
  }
}

Summary

• Headscale configures the username to be autogroup:nonroot while Tailscale SaaS uses a wildcard to match any username (except root)
• The values also differ: = vs the literal username
• Also note that Tailscale SaaS additionally configures allowRemotePortForwarding.

@nblock commented on GitHub (Jul 19, 2025): I can confirm this on 0.26.1 and 0.25.1. It likely exists in many older versions as well. The reason seems to be a difference in the netmap's `sshUsers` section found within `SSHPolicy.rules[*].sshUsers`. This can be observed by configuring a similar policy in Tailscale SaaS and Headscale and inspecting the netmap via e.g. `tailscale debug netmap | jq .SSHPolicy.rules[0]`. A few SSH policy examples with different allowed users follow. Note the differences in the `sshUsers` section. ### Allow tailscale ssh as any local user except `root` ```json5 "ssh": [ { ... "users": ["autogroup:nonroot"] } ] ``` <details> <summary>SSHPolicy from Tailscale SaaS</summary> ```json5 { "ruleExpires": "2025-07-20T06:05:17Z", "principals": [{...}], "sshUsers": { "*": "=", "root": "" }, "action": { "accept": true, "allowAgentForwarding": true, "allowLocalPortForwarding": true, "allowRemotePortForwarding": true } } ``` </details> <details> <summary>SSHPolicy Headscale 0.26.1 (policy v2)</summary> ```json5 { "principals": [{...}], "sshUsers": { "autogroup:nonroot": "=" }, "action": { "accept": true, "allowAgentForwarding": true, "allowLocalPortForwarding": true } } ``` </details> ### Allow tailscale ssh as any user ```json5 "ssh": [ { ... "users": ["autogroup:nonroot", "root"] } ] ``` <details> <summary>SSHPolicy from Tailscale SaaS</summary> ```json5 { "ruleExpires": "2025-07-20T06:05:17Z", "principals": [{...}], "sshUsers": { "*": "=", "root": "root" }, "action": { "accept": true, "allowAgentForwarding": true, "allowLocalPortForwarding": true, "allowRemotePortForwarding": true } } ``` </details> <details> <summary>SSHPolicy Headscale 0.26.1 (policy v2)</summary> ```json5 { "principals": [{...}], "sshUsers": { "autogroup:nonroot": "=", "root": "=" }, "action": { "accept": true, "allowAgentForwarding": true, "allowLocalPortForwarding": true } } ``` </details> ### Allow tailscale ssh as `ubuntu` or `root` ```json5 "ssh": [ { ... "users": ["ubuntu", "root"], } ] ``` <details> <summary>SSHPolicy from Tailscale SaaS</summary> ```json5 { "ruleExpires": "2025-07-20T06:05:17Z", "principals": [{...}], "sshUsers": { "root": "root", "ubuntu": "ubuntu" }, "action": { "accept": true, "allowAgentForwarding": true, "allowLocalPortForwarding": true, "allowRemotePortForwarding": true } } ``` </details> <details> <summary>SSHPolicy Headscale 0.26.1 (policy v2)</summary> ```json5 { "principals": [{...}], "sshUsers": { "root": "=", "ubuntu": "=" }, "action": { "accept": true, "allowAgentForwarding": true, "allowLocalPortForwarding": true } } ``` </details> ### Summary * Headscale configures the username to be `autogroup:nonroot` while Tailscale SaaS uses a wildcard to match any username (except `root`) * The values also differ: `=` vs the literal username * Also note that Tailscale SaaS additionally configures `allowRemotePortForwarding`.

adam referenced this issue 2025-12-29 02:31:54 +01:00

[PR #1044] [CLOSED] docs(README): update contributors #1837

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

v0.28.0-beta.1

v0.27.2-rc.1

v0.27.1

v0.27.0

v0.27.0-beta.2

v0.27.0-beta.1

v0.26.1

v0.26.0

v0.26.0-beta.2

v0.26.0-beta.1

v0.25.1

v0.25.0

v0.25.0-beta.2

v0.24.3

v0.25.0-beta.1

v0.24.2

v0.24.1

v0.24.0

v0.24.0-beta.2

v0.24.0-beta.1

v0.23.0

v0.23.0-rc.1

v0.23.0-beta.5

v0.23.0-beta.4

v0.23.0-beta3

v0.23.0-beta2

v0.23.0-beta1

v0.23.0-alpha12

v0.23.0-alpha11

v0.23.0-alpha10

v0.23.0-alpha9

v0.23.0-alpha8

v0.23.0-alpha7

v0.23.0-alpha6

v0.23.0-alpha5

v0.23.0-alpha4

v0.23.0-alpha4-docker-ko-test9

v0.23.0-alpha4-docker-ko-test8

v0.23.0-alpha4-docker-ko-test7

v0.23.0-alpha4-docker-ko-test6

v0.23.0-alpha4-docker-ko-test5

v0.23.0-alpha-docker-release-test-debug2

v0.23.0-alpha-docker-release-test-debug

v0.23.0-alpha4-docker-ko-test4

v0.23.0-alpha4-docker-ko-test3

v0.23.0-alpha4-docker-ko-test2

v0.23.0-alpha4-docker-ko-test

v0.23.0-alpha3

v0.23.0-alpha2

v0.23.0-alpha1

v0.22.3

v0.22.2

v0.23.0-alpha-docker-release-test

v0.22.1

v0.22.0

v0.22.0-alpha3

v0.22.0-alpha2

v0.22.0-alpha1

v0.22.0-nfpmtest

v0.21.0

v0.20.0

v0.19.0

v0.19.0-beta2

v0.19.0-beta1

v0.18.0

v0.18.0-beta4

v0.18.0-beta3

v0.18.0-beta2

v0.18.0-beta1

v0.17.1

v0.17.0

v0.17.0-beta5

v0.17.0-beta4

v0.17.0-beta3

v0.17.0-beta2

v0.17.0-beta1

v0.17.0-alpha4

v0.17.0-alpha3

v0.17.0-alpha2

v0.17.0-alpha1

v0.16.4

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.16.0-beta7

v0.16.0-beta6

v0.16.0-beta5

v0.16.0-beta4

v0.16.0-beta3

v0.16.0-beta2

v0.16.0-beta1

v0.15.0

v0.15.0-beta6

v0.15.0-beta5

v0.15.0-beta4

v0.15.0-beta3

v0.15.0-beta2

v0.15.0-beta1

v0.14.0

v0.14.0-beta2

v0.14.0-beta1

v0.13.0

v0.13.0-beta3

v0.13.0-beta2

v0.13.0-beta1

upstream/v0.12.4

v0.12.4

v0.12.3

v0.12.2

v0.12.2-beta1

v0.12.1

v0.12.0-beta2

v0.12.0-beta1

v0.11.0

v0.10.8

v0.10.7

v0.10.6

v0.10.5

v0.10.4

v0.10.3

v0.10.2

v0.10.1

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.1

v0.6.0

v0.5.2

v0.5.1

v0.5.0

v0.4.0

v0.3.6

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.2

v0.2.1

v0.2.0

v0.1.1

v0.1.0

Labels

Clear labels

CLI

DERP

DNS

Nix

OIDC

SSH

bug

database

documentation

duplicate

enhancement

faq

good first issue

grants

help wanted

might-come

needs design doc

needs investigation

no-stale-bot

out of scope

performance

policy 📝

pull-request

Mirrored from GitHub Pull Request

question

regression

routes

stale

tags

tailscale-feature-gap

well described ❤️

wontfix

No Label SSH bug policy 📝 tailscale-feature-gap

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#1044