[Bug] If an unknown user is added to the policy, SSH policies become empty #1137

Closed
opened 2025-12-29 02:28:30 +01:00 by adam · 1 comment

Originally created by @OdyX on GitHub (Nov 5, 2025).

Is this a support request?

  • [x] This is not a support request

Is there an existing issue for this?

  • [x] I have searched the existing issues

Current Behavior

With a simple OIDC setup, I'm trying to preemptively add users to a group (before they exist from the headscale point of view).

This is a working policy file:

{
  "groups": {
   "group:example-infra": [
      "odyx@example.com",
    ],
  },
  "tagOwners": {
    "tag:vps": [
      "odyx@example.com"
    ],
  },
  "acls": [
    // Allow infra to hit all ports on all tailnet machines (autogroup:tagged)
    {
      "action": "accept",
      "src": [
        "group:example-infra",
      ],
      "dst": [
        "autogroup:tagged:*"
      ]
    },
  ],
  "ssh": [
    // Allow infra to ssh to tag:example-infra server as debian
    {
      "action": "accept",
      "src": [
        "group:example-infra" // src must name a group defined in "groups" above
      ],
      "dst": [
        "tag:example-infra",
      ],
      "users": [
        "debian",
      ],
    },
  ],
}

With this, I get something along these lines on …/debug/ssh (where id:15 is not tagged, id:16 is):

{
  "id:15 hostname:exo-ts-004 givenname:exo-ts-004": {
    "rules": null
  },
  "id:16 hostname:ik-ts-004 givenname:ik-ts-004": {
    "rules": [
      {
        "principals": [
          {
            "nodeIP": "100.95.204.138"
          },
          {
            "nodeIP": "100.96.46.136"
          },
          {
            "nodeIP": "fd7a:115c:a1e0:706f:3577:8580:42e5:d751"
          },
          {
            "nodeIP": "fd7a:115c:a1e0:706f:ec80:d63:1688:af87"
          }
        ],
        "sshUsers": {
          "debian": "debian"
        },
        "action": {
          "accept": true,
          "allowAgentForwarding": true,
          "allowLocalPortForwarding": true,
          "allowRemotePortForwarding": true
        }
      }
    ]
  }
}

If I push this patch on the policy (with "otheruser@example.com" existing on the IdP, but who has not logged in yet):

diff --git i/policy.hujson w/policy.hujson
index ccd3a64..8505c75 100644
--- i/policy.hujson
+++ w/policy.hujson
@@ -2,6 +2,7 @@
   "groups": {
    "group:example-infra": [
       "odyx@example.com",
+      "otheruser@example.com",
     ],
   },
   "tagOwners": {
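Review bot: the member added here, "otheruser@example.com", is by the report's own description a user that exists on the IdP but has not logged in to headscale yet, so when this policy is loaded it resolves to no known user; since group:example-infra is also the src of the acls rule above, it would help to capture the ACL output from the debug endpoint alongside the SSH output, so the report shows whether the collapse to "rules": null is specific to the ssh section or affects the whole policy.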

… then the SSH rules become:

{
  "id:15 hostname:exo-ts-004 givenname:exo-ts-004": {
    "rules": null
  },
  "id:16 hostname:ik-ts-004 givenname:ik-ts-004": {
    "rules": null
  }
}

… de facto breaking each and every SSH login.

Expected Behavior

I'd expect unrecognized/unknown users to be just ignored in the policy processing (ideally with a warning in the logs), not silently break the whole SSH policy.

Steps To Reproduce

  1. start from a working state with a valid SSH policy and existing users
  2. add an unknown user to a group in a src SSH policy

Environment

- OS: Debian 'trixie' 13.1
- Headscale version: 0.27.0
- Tailscale version: 1.90.6

Runtime environment

  • [ ] Headscale is behind a (reverse) proxy
  • [ ] Headscale runs in a container

Debug information

(None apply)
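An added example (not headscale's code) of the behaviour the report asks for, written in Go because headscale is a Go project: group members headscale does not know yet are skipped with a warning, and only a rule whose src resolves to nobody is dropped, so the remaining SSH rules survive instead of the whole set becoming null. The SSHRule type, the function names and the undefined-group check are assumptions for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// SSHRule is the subset of a headscale SSH policy rule this example needs (assumed shape).
type SSHRule struct{ Src, Dst, Users []string }

// resolveSrc turns one src entry into known users; members headscale does not know yet are skipped with a warning.
func resolveSrc(groups map[string][]string, src string, known map[string]bool) ([]string, []string, error) {
	candidates := []string{src}
	if strings.HasPrefix(src, "group:") {
		if candidates = groups[src]; candidates == nil {
			// A group that is referenced but never defined is a real policy error, not an unknown user.
			return nil, nil, fmt.Errorf("%s is referenced but not defined", src)
		}
	}
	var users, warnings []string
	for _, c := range candidates {
		if known[c] {
			users = append(users, c)
		} else {
			warnings = append(warnings, fmt.Sprintf("%s: %q is not a known user yet, ignoring", src, c))
		}
	}
	return users, warnings, nil
}

// compileSSH resolves every rule's src into concrete users; a rule resolving to nobody is dropped on its own.
func compileSSH(groups map[string][]string, rules []SSHRule, known map[string]bool) ([]SSHRule, []string, error) {
	var out []SSHRule
	var warnings []string
	for _, r := range rules {
		var principals []string
		for _, src := range r.Src {
			users, w, err := resolveSrc(groups, src, known)
			if err != nil {
				return nil, nil, err
			}
			principals = append(principals, users...)
			warnings = append(warnings, w...)
		}
		if len(principals) > 0 {
			out = append(out, SSHRule{Src: principals, Dst: r.Dst, Users: r.Users})
		}
	}
	return out, warnings, nil
}
```

With the report's group (odyx plus the not-yet-logged-in otheruser) the rule keeps odyx as its only principal and one warning is emitted; the rule is dropped only when none of its members are known.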

adam added the bug, well described ❤️, regression labels 2025-12-29 02:28:30 +01:00
adam closed this issue 2025-12-29 02:28:30 +01:00

@nblock commented on GitHub (Nov 5, 2025):

Reproduced on 0.27.0, but not on 0.26.1.


Reference: starred/headscale#1137