starred/headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2026-03-21 17:09:30 +01:00
Code Issues 98 Packages Projects Releases 10 Wiki Activity
Files
5688c201e95e52bf299b158c65403eb9ed318023
headscale/hscontrol
History
Kristoffer Dalby 5688c201e9 policy/v2: validate SSH source/destination combinations 
Add validation for SSH source/destination combinations that enforces
Tailscale's security model:

- Tags/autogroup:tagged cannot SSH to user-owned devices
- autogroup:self destination requires source to contain only users/groups
- Username destinations require source to be that same single user only
- Wildcard (*) is no longer supported as SSH destination; use
  autogroup:member or autogroup:tagged instead

The validateSSHSrcDstCombination() function is called during policy
validation to reject invalid configurations at load time.

Fixes #3009
Fixes #3010
2026-01-21 17:01:30 +00:00
..
assets
editorconfig: add basic editor config
2025-12-16 10:12:36 +01:00
capver
capver: generate
2025-12-18 10:02:23 +01:00
db
db: use PolicyManager for RequestTags migration
2026-01-21 15:10:29 +01:00
derp
golangci-lint: use forbidigo to block time.Sleep (#2946)
2025-12-10 16:45:59 +00:00
dns
integration: replace time.Sleep with assert.EventuallyWithT (#2680)
2025-07-10 23:38:55 +02:00
mapper
db: use PolicyManager for RequestTags migration
2026-01-21 15:10:29 +01:00
policy
policy/v2: validate SSH source/destination combinations
2026-01-21 17:01:30 +00:00
routes
debug: add json and improve
2025-09-09 09:40:00 +02:00
state
db: use PolicyManager for RequestTags migration
2026-01-21 15:10:29 +01:00
templates
Link to headscale.net for docs
2026-01-16 14:54:04 +01:00
types
hscontrol: fix tag updates not propagating to node self view
2026-01-20 10:13:47 +01:00
util
util/dns: fix variable redeclaration in ValidateDNSName
2026-01-17 10:13:24 +01:00
app.go
app: only wire up debug server if set
2025-12-17 12:32:04 +01:00
auth_tags_test.go
state: disable key expiry for tagged nodes
2026-01-16 17:05:59 +01:00
auth_test.go
state: allow untagging nodes via reauth with empty RequestTags
2026-01-17 10:13:24 +01:00
auth.go
cli: ensure tagged-devices is included in profile list (#2991)
2026-01-09 16:31:23 +01:00
debug.go
lint and leftover
2025-09-09 09:40:00 +02:00
grpcv1_test.go
grpc: support expire/delete API keys by ID
2026-01-20 17:13:38 +01:00
grpcv1.go
grpc: support expire/delete API keys by ID
2026-01-20 17:13:38 +01:00
handlers.go
all: remove deadcode (#2952)
2025-12-10 15:55:15 +01:00
metrics.go
all: remove deadcode (#2952)
2025-12-10 15:55:15 +01:00
noise.go
all: remove deadcode (#2952)
2025-12-10 15:55:15 +01:00
oidc_template_test.go
make tags first class node owner (#2885)
2025-12-02 12:01:25 +01:00
oidc_test.go
oidc: make email verification configurable
2025-12-18 11:42:32 +00:00
oidc.go
oidc: make email verification configurable
2025-12-18 11:42:32 +00:00
platform_config.go
Return better web errors to the user (#2398)
2025-02-01 15:25:18 +01:00
poll.go
all: remove deadcode (#2952)
2025-12-10 15:55:15 +01:00
tailsql.go
integration: replace time.Sleep with assert.EventuallyWithT (#2680)
2025-07-10 23:38:55 +02:00
templates_consistency_test.go
Link to headscale.net for docs
2026-01-16 14:54:04 +01:00