starred/headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2026-03-29 13:42:02 +02:00
Code Issues 98 Packages Projects Releases 10 Wiki Activity
Files
5688c201e95e52bf299b158c65403eb9ed318023
headscale/hscontrol/policy
History
Kristoffer Dalby 5688c201e9 policy/v2: validate SSH source/destination combinations 
Add validation for SSH source/destination combinations that enforces
Tailscale's security model:

- Tags/autogroup:tagged cannot SSH to user-owned devices
- autogroup:self destination requires source to contain only users/groups
- Username destinations require source to be that same single user only
- Wildcard (*) is no longer supported as SSH destination; use
  autogroup:member or autogroup:tagged instead

The validateSSHSrcDstCombination() function is called during policy
validation to reject invalid configurations at load time.

Fixes #3009
Fixes #3010
2026-01-21 17:01:30 +00:00
..
matcher
matcher: Add func for comparing Dests and TheInternet
2025-11-02 13:19:59 +01:00
policyutil
make tags first class node owner (#2885)
2025-12-02 12:01:25 +01:00
v2
policy/v2: validate SSH source/destination combinations
2026-01-21 17:01:30 +00:00
pm.go
tags: process tags on registration, simplify policy (#2931)
2025-12-08 18:51:07 +01:00
policy_autoapprove_test.go
make tags first class node owner (#2885)
2025-12-02 12:01:25 +01:00
policy_route_approval_test.go
make tags first class node owner (#2885)
2025-12-02 12:01:25 +01:00
policy_test.go
make tags first class node owner (#2885)
2025-12-02 12:01:25 +01:00
policy.go
policy: fix autogroup:self propagation and optimize cache invalidation (#2807)
2025-10-23 17:57:41 +02:00
route_approval_test.go
policy: add test to confirm group cant approve tag
2025-12-17 09:32:05 +01:00