README
¶
tailscale-ssh-exec
A program to wrap shell access via Tailscale SSH to restrict the commands that can be run based on the remote Tailscale user that is connecting.
Usage
-
Build the
tailscale-ssh-execbinary withGOOS=linux go build -o tailscale-ssh-exec main.go. -
Install the
tailscale-ssh-execbinary from the previous step andtailscale-ssh-exec.shsomewhere on your server - i.e./usr/local/bin/. -
Ensure both files are readable and executable by any user.
chmod 755 /usr/local/bin/tailscale-ssh-exec /usr/local/bin/tailscale-ssh-exec.sh -
Modify
/etc/passwdon your server to runtailscale-ssh-exec.shas the shell for users you need to control commands for.hg:x:1001:1001::/home/hg:/usr/local/bin/tailscale-ssh-exec.sh -
Restrict port forwading, sftp, and pty via Tailscale environment variables available in an unstable release 1.53.120 or later. Typically you would do this by adding the following to
/etc/default/tailscaledwith:TS_SSH_DISABLE_SFTP=true TS_SSH_DISABLE_FORWARDING=true TS_SSH_DISABLE_PTY=true -
Create a CSV that maps Tailscale login names to the specific command and arguments to run for each user.
user1@example.com,/usr/bin/echo Hi user1 user2@example.com,/usr/bin/hg-ssh /home/hg/repo -
Modify
tailscale-ssh-exec.shto specify the CSV file from the previous step and customize any additional arguments totailscale-ssh-exec- e.g.-vto enable verbose logging; helpful for troubleshooting during set up.
#!/bin/sh
/usr/local/bin/tailscale-ssh-exec \
"$@" \
-tailscale-ssh-exec-user-commands-file /tmp/example-user-to-commands.csv \
-tailscale-ssh-exec-verbose
Documentation
¶
There is no documentation for this package.
Source Files