[PR #847] [MERGED] Add SSH ACL support #1682

Closed
opened 2025-12-29 02:31:12 +01:00 by adam · 0 comments

📋 Pull Request Information

Original PR: https://github.com/juanfont/headscale/pull/847
Author: @evenh
Created: 10/6/2022
Status: Merged
Merged: 11/26/2022
Merged by: @kradalby

Base: main ← Head: ssh-support


📝 Commits (10+)

  • cd6df09 Add SSH capability advertisement
  • 93d0302 SSH integration test setup
  • 44e37e2 Ensure we have ssh in container
  • d4a51b0 Add method to expose container id
  • 5e0ba8c Make simple initial test case
  • 37bc8f3 SSH: Lint and typos
  • 794e57f SSH: add test between namespaces
  • f72de09 Add negative tests
  • 1ecb3e4 Strip newline from hostname
  • 10feae2 Do not retry on permission denied in ssh

📊 Changes

17 files changed (+792 additions, -23 deletions)


📝 CHANGELOG.md (+8 -0)
📝 Dockerfile.tailscale (+4 -2)
📝 Dockerfile.tailscale-HEAD (+3 -2)
📝 acls.go (+123 -0)
📝 acls_test.go (+76 -0)
📝 acls_types.go (+10 -0)
📝 api_common.go (+1 -0)
📝 app.go (+1 -0)
📝 integration/cli_test.go (+5 -4)
📝 integration/general_test.go (+5 -4)
📝 integration/hsic/hsic.go (+1 -5)
📝 integration/scenario.go (+13 -4)
📝 integration/scenario_test.go (+1 -1)
➕ integration/ssh_test.go (+519 -0)
📝 integration/tailscale.go (+2 -0)
📝 integration/tsic/tsic.go (+15 -0)
📝 machine.go (+5 -1)

📄 Description

Based on the fork of @db48x from #661. Doesn’t support the ‘autogroup’ ACL functionality.

This ACL works for us (formatted slightly for readability):

{
  "acls":[{
      "action":"accept",
      "src":["group:employees"],
      "dst":["tag:proxy:*"]
    }
  ],
  "hosts":{},
  "groups":{
    "group:employees":[
      "john.doe",
      "jane.doe"
    ],
    "group:proxy":[
      "mycorp"
    ]
  },
  "tagOwners":{
    "tag:proxy":[
      "group:proxy"
    ]
  },
  "ssh":[
    {
      "action":"check",
      "src":["group:employees"],
      "dst":["tag:proxy"],
      "users":["some-allowlisted-user"],
      "checkPeriod":"8h"
    }
  ],
  "disableIPv4":false,
  "randomizeClientPort":false
}
  • [x] read the CONTRIBUTING guidelines
  • [x] raised a GitHub issue or discussed it on the project's chat beforehand
  • [x] added unit tests
  • [x] added integration tests
  • [ ] updated documentation if needed
  • [x] updated CHANGELOG.md

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
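The description shows a policy with an `ssh` section but says nothing about how a server consumes it. The following is an added illustration, not code from headscale or from this PR: a small Go model that loads such a policy, refuses rules that reference an undefined `group:` or a `tag:` without a `tagOwners` entry, and answers one SSH request with `accept`, `check` (carrying the `checkPeriod` as the re-authentication interval) or `deny`. `Policy`, `SSHRule`, `ParsePolicy`, `EvaluateSSH`, `principals` and `intersects` are names chosen for this example; treating `"*"` in `users` as "any account" and modelling only tag destinations are also assumptions of the example. The embedded `ExamplePolicy` is the ACL from the description above, with key order changed and the JSON compacted.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Policy holds the parts of the ACL document that SSH rules depend on; other keys
// are ignored by encoding/json. Type names are assumptions, not headscale's own code.
type Policy struct {
	Groups    map[string][]string `json:"groups"`
	TagOwners map[string][]string `json:"tagOwners"`
	SSH       []SSHRule           `json:"ssh"`
}

// SSHRule is one entry of the "ssh" list; a "check" rule needs a checkPeriod.
type SSHRule struct {
	Action      string   `json:"action"`      // "accept" or "check"
	Src         []string `json:"src"`         // logins or group:... entries
	Dst         []string `json:"dst"`         // tag:... entries (only tags are modeled here)
	Users       []string `json:"users"`       // permitted Unix accounts; "*" means any (assumed)
	CheckPeriod string   `json:"checkPeriod"` // e.g. "8h"
}

// ParsePolicy decodes the document and rejects SSH rules that reference undefined
// groups or tags, so a typo fails loudly instead of becoming a rule that never matches.
func ParsePolicy(raw string) (*Policy, error) {
	var p Policy
	if err := json.Unmarshal([]byte(raw), &p); err != nil {
		return nil, fmt.Errorf("decode policy: %w", err)
	}
	for i, r := range p.SSH {
		if r.Action != "accept" && r.Action != "check" {
			return nil, fmt.Errorf("ssh rule %d: unsupported action %q", i, r.Action)
		}
		if d, err := time.ParseDuration(r.CheckPeriod); r.Action == "check" && (err != nil || d <= 0) {
			return nil, fmt.Errorf("ssh rule %d: bad checkPeriod %q", i, r.CheckPeriod)
		}
		for _, ref := range append(append([]string{}, r.Src...), r.Dst...) { // every reference must be defined
			if (strings.HasPrefix(ref, "group:") && p.Groups[ref] == nil) || (strings.HasPrefix(ref, "tag:") && p.TagOwners[ref] == nil) {
				return nil, fmt.Errorf("ssh rule %d: %q has no definition in groups/tagOwners", i, ref)
			}
		}
	}
	return &p, nil
}

// EvaluateSSH decides a session from the node of login srcUser to a node carrying
// dstTags, for Unix account sshUser. Rules are tried in order; no match is "deny".
func (p *Policy) EvaluateSSH(srcUser string, dstTags []string, sshUser string) (action string, checkPeriod time.Duration) {
	for _, r := range p.SSH {
		if intersects(r.Src, p.principals(srcUser)) && intersects(r.Dst, dstTags) &&
			intersects(r.Users, []string{sshUser, "*"}) {
			d, _ := time.ParseDuration(r.CheckPeriod) // validated for "check"; zero for "accept"
			return r.Action, d
		}
	}
	return "deny", 0
}

// principals is the login plus every group containing it: the src entries that can match it.
func (p *Policy) principals(login string) []string {
	out := []string{login}
	for g, members := range p.Groups {
		if intersects(members, out[:1]) {
			out = append(out, g)
		}
	}
	return out
}

// intersects reports whether any element of a also appears in b.
func intersects(a, b []string) bool {
	for _, x := range a {
		for _, y := range b {
			if x == y {
				return true
			}
		}
	}
	return false
}

// ExamplePolicy is the ACL from the PR description, embedded here as input.
const ExamplePolicy = `{"acls":[{"action":"accept","src":["group:employees"],"dst":["tag:proxy:*"]}],
 "hosts":{},"groups":{"group:employees":["john.doe","jane.doe"],"group:proxy":["mycorp"]},
 "tagOwners":{"tag:proxy":["group:proxy"]},"disableIPv4":false,"randomizeClientPort":false,
 "ssh":[{"action":"check","src":["group:employees"],"dst":["tag:proxy"],"users":["some-allowlisted-user"],"checkPeriod":"8h"}]}`

func main() {
	p, err := ParsePolicy(ExamplePolicy)
	if err != nil {
		panic(err)
	}
	fmt.Println(p.EvaluateSSH("john.doe", []string{"tag:proxy"}, "some-allowlisted-user")) // check 8h0m0s
}
```

With the page's policy, `john.doe` reaching a `tag:proxy` node as `some-allowlisted-user` gets `check` with an 8h period; the same user asking for `root`, a login outside `group:employees`, or a destination without the tag all fall through to `deny`. The validator is the part worth keeping in mind operationally: a rule that names `group:contractors` or `tag:prxy` that is not defined elsewhere in the file is rejected at load time rather than silently matching nothing.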

adam added the pull-request label 2025-12-29 02:31:12 +01:00
adam closed this issue 2025-12-29 02:31:12 +01:00
Reference: starred/headscale#1682