tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	001f482aca	net/dns: make "direct" mode on Linux warn on resolv.conf fights Run an inotify goroutine and watch if another program takes over /etc/inotify.conf. Log if so. For now this only logs. In the future I want to wire it up into the health system to warn (visible in "tailscale status", etc) about the situation, with a short URL to more info about how you should really be using systemd-resolved if you want programs to not fight over your DNS files on Linux. Updates #4254 etc etc Change-Id: I86ad9125717d266d0e3822d4d847d88da6a0daaa Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	6aab4fb696	cmd/tailscale/cli: start making cert output support pkcs12 (p12) output If the --key-file output filename ends in ".pfx" or ".p12", use pkcs12 format. This might not be working entirely correctly yet but might be enough for others to help out or experiment. Updates #2928 Updates #5011 Change-Id: I62eb0eeaa293b9fd5e27b97b9bc476c23dd27cf6 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Pat Maddox	9bf3ef4167	ssh/tailssh: add Tailscale SSH (server) support on FreeBSD Change-Id: I607194b6ef99205e777f3df93a74ffe1a2e0344c Signed-off-by: Pat Maddox <pat@ratiopbc.com>	2 years ago
David Anderson	76904b82e7	cmd/containerboot: PID1 for running tailscaled in a container. This implements the same functionality as the former run.sh, but in Go and with a little better awareness of tailscaled's lifecycle. Also adds TS_AUTH_ONCE, which fixes the unfortunate behavior run.sh had where it would unconditionally try to reauth every time if you gave it an authkey, rather than try to use it only if auth is actually needed. This makes it a bit nicer to deploy these containers in automation, since you don't have to run the container once, then go and edit its definition to remove authkeys. Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Brad Fitzpatrick	a0ed2c2eb5	go.mod: bump golang-x-crypto Fixes #5533 Change-Id: I403de0e9ed5a9a63055242a86720d6f4e0899af7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Joe Tsai	b2035a1dca	cmd/netlogfmt: handle any stream of network logs (#6108 ) Make netlogfmt useful regardless of the exact schema of the input. If a JSON object looks like a network log message, then unmarshal it as one and then print it. This allows netlogfmt to support both a stream of JSON objects directly serialized from netlogtype.Message, or the schema returned by the /api/v2/tailnet/{{tailnet}}/network-logs API endpoint. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Joe Tsai	c21a3c4733	types/netlogtype: new package for network logging types (#6092 ) The netlog.Message type is useful to depend on from other packages, but doing so would transitively cause gvisor and other large packages to be linked in. Avoid this problem by moving all network logging types to a single package. We also update staticcheck to take in: `003d277bcf` Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Brad Fitzpatrick	e24de8a617	ssh/tailssh: add password-forcing workaround for buggy SSH clients If the username includes a suffix of +password, then we accept password auth and just let them in like it were no auth. This exists purely for SSH clients that get confused by seeing success to their initial auth type "none". Co-authored-by: Maisem Ali <maisem@tailscale.com> Change-Id: I616d4c64d042449fb164f615012f3bae246e91ec Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	4de1601ef4	ssh/tailssh: add support for sending multiple banners Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	b1bd96f114	go.mod, ssh/tailssh: fix ImplictAuthMethod typo Fixes #5745 Change-Id: Ie8bc88bd465a9cb35b0ae7782d61ce96480473ee Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Florian Lehner	7e0ffc17fd	Address GO-2022-0969 HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service. Signed-off-by: Florian Lehner <dev@der-flo.net>	2 years ago
Florian Lehner	17348915fa	Address GO-2020-0042 Due to improper path santization, RPMs containing relative file paths can cause files to be written (or overwritten) outside of the target directory. Signed-off-by: Florian Lehner <dev@der-flo.net>	2 years ago
Brad Fitzpatrick	56f6fe204b	go.mod, wgengine/wgint: bump wireguard-go For `b51010ba13` Change-Id: Ibf767dfad98aef7e9f0505d91c0d26f924e046d5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	9bd9f37d29	go.mod: bump wireguard/windows, which moves to using net/netip Updates #5162 Change-Id: If99a3f0000bce0c01bdf44da1d513f236fd7cdf8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
dependabot[bot]	9996d94b3c	build(deps): bump github.com/u-root/u-root from 0.8.0 to 0.9.0 Bumps [github.com/u-root/u-root](https://github.com/u-root/u-root) from 0.8.0 to 0.9.0. - [Release notes](https://github.com/u-root/u-root/releases) - [Changelog](https://github.com/u-root/u-root/blob/main/RELEASES) - [Commits](https://github.com/u-root/u-root/compare/v0.8.0...v0.9.0) --- updated-dependencies: - dependency-name: github.com/u-root/u-root dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2 years ago
Mihai Parparita	ab159f748b	cmd/tsconnect: switch UI to Preact Reduces the amount of boilerplate to render the UI and makes it easier to respond to state changes (e.g. machine getting authorized, netmap changing, etc.) Preact adds ~13K to our bundle size (5K after Brotli) thus is a neglibible size contribution. We mitigate the delay in rendering the UI by having a static placeholder in the HTML. Required bumping the esbuild version to pick up evanw/esbuild#2349, which makes it easier to support Preact's JSX code generation. Fixes #5137 Fixes #5273 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Maisem Ali	eb32847d85	tailcfg: add CapabilityFileSharingTarget to identify FileTargets This adds the inverse to CapabilityFileSharingSend so that senders can identify who they can Taildrop to. Updates #2101 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	5d0e3d379c	go.mod: bump gvisor For https://github.com/google/gvisor/pull/7850 to quiet macOS warnings. Updates #5240 Change-Id: Iaa7abab20485c8ff40e5c9b16013aef4fd297a64 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	acc3b7f259	go.mod: bump inet.af/wf, tidy This removes inet.af/netaddr from go.{mod,sum}. Updates #5162 Change-Id: I7121e9fbb96d036cf188c51f0b53731570252d69 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	7eaf5e509f	net/netaddr: start migrating to net/netip via new netaddr adapter package Updates #5162 Change-Id: Id7bdec303b25471f69d542f8ce43805328d56c12 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	9514ed33d2	go.mod: bump gvisor.dev/gvisor Pick up https://github.com/google/gvisor/pull/7787 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Mihai Parparita	6f5096fa61	cmd/tsconnect: initial scaffolding for Tailscale Connect browser client Runs a Tailscale client in the browser (via a WebAssembly build of the wasm package) and allows SSH access to machines. The wasm package exports a newIPN function, which returns a simple JS object with methods like start(), login(), logout() and ssh(). The golang.org/x/crypto/ssh package is used for the SSH client. Terminal emulation and QR code renedring is done via NPM packages (xterm and qrcode respectively), thus we also need a JS toolchain that can install and bundle them. Yarn is used for installation, and esbuild handles loading them and bundling for production serving. Updates #3157 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Xe Iaso	004f0ca3e0	cmd/gitops-pusher: format HuJSON, enabling exact ACL matches (#5061 ) Signed-off-by: Xe <xe@tailscale.com>	2 years ago
Tom DNetto	1cfd96cdc2	tka: implement AUM and Key types This is the first in a series of PRs implementing the internals for the Tailnet Key Authority. This PR implements the AUM and Key types, which are used by pretty much everything else. Future PRs: - The State type & related machinery - The Tailchonk (storage) type & implementation - The Authority type and sync implementation Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Brad Fitzpatrick	c93fd0d22b	go.mod: bump wireguard-go to set CLOEXEC on tun/netlink fds To get: `c31a7b1ab4` Diff: `95b48cdb39..c31a7b1ab4` Fixes #4992 Change-Id: I077586fefcde923a2721712dd54548f97d010f72 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	6b71568eb7	util/cloudenv: add Azure support & DNS IPs And rewrite cloud detection to try to do only zero or one metadata discovery request for all clouds, only doing a first (or second) as confidence increases. Work remains for Windows, but a start. And add Cloud to tailcfg.Hostinfo, which helped with testing using "tailcfg debug hostinfo". Updates #4983 (Linux only) Updates #4984 Change-Id: Ib03337089122ce0cb38c34f724ba4b4812bc614e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	88c2afd1e3	ipn/ipnlocal, net/dns, util/cloudenv: specialize DNS config on Google Cloud This does three things: If you're on GCP, it adds a .internal DNS split route to the metadata server, so we never break GCP DNS names. This lets people have some Tailscale nodes on GCP and some not (e.g. laptops at home) without having to add a Tailnet-wide .internal DNS route. If you already have such a route, though, it won't overwrite it. * If the 100.100.100.100 DNS forwarder has nowhere to forward to, it forwards it to the GCP metadata IP, which forwards to 8.8.8.8. This means there are never errNoUpstreams ("upstream nameservers not set") errors on GCP due to e.g. mangled /etc/resolv.conf (GCP default VMs don't have systemd-resolved, so it's likely a DNS supremacy fight) * makes the DNS fallback mechanism use the GCP metadata IP as a fallback before our hosted HTTP-based fallbacks I created a default GCP VM from their web wizard. It has no systemd-resolved. I then made its /etc/resolv.conf be empty and deleted its GCP hostnames in /etc/hosts. I then logged in to a tailnet with no global DNS settings. With this, tailscaled writes /etc/resolv.conf (direct mode, as no systemd-resolved) and sets it to 100.100.100.100, which then has regular DNS via the metadata IP and .internal DNS via the metadata IP as well. If the tailnet configures explicit DNS servers, those are used instead, except for .internal. This also adds a new util/cloudenv package based on version/distro where the cloud type is only detected once. We'll likely expand it in the future for other clouds, doing variants of this change for other popular cloud environments. Fixes #4911 RELNOTES=Google Cloud DNS improvements Change-Id: I19f3c2075983669b2b2c0f29a548da8de373c7cf Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	22c544bca7	go.mod: bump go4.org/unsafe/assume-no-moving-gc for Go 1.19beta1 Otherwise we crash at startup with Go 1.19beta1. Updates #4872 Change-Id: I371df4146735f7e066efd2edd48c1a305906c13d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	bf2fa7b184	go.mod: pin github.com/tailscale/mkctr (try #2 ) Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	81487169f0	build_docker.sh: pin github.com/tailscale/mkctr Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
James Tucker	87b44aa311	go.mod: bump golang.org/x/sys for CVE-2022-29526 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Joe Tsai	741ae9956e	tstest/integration/vms: use hujson.Standardize instead of hujson.Unmarshal (#4520 ) The hujson package transition to just being a pure AST parser and formatter for HuJSON and not an unmarshaler. Thus, parse HuJSON as such, convert it to JSON, and then use the standard JSON unmarshaler. Signed-off-by: Joe Tsai <joetsai@digital-static.net>	2 years ago
Brad Fitzpatrick	6f5b91c94c	go.mod: tidy Change-Id: If3b5fe42e7dd7858dcce02a3a24a5e59736815a2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	c88506caa6	ipn/ipnlocal: add Wake-on-LAN function to peerapi No CLI support yet. Just the curl'able version if you know the peerapi port. (like via a TSMP ping) Updates #306 Change-Id: I0662ba6530f7ab58d0ddb24e3664167fcd1c4bcf Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	90b5f6286c	cmd/tailscale: use double quotes in the ssh subcommands Single-quote escaping is insufficient apparently. Updates #3802 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	53588f632d	Revert "wgengine/router,util/kmod: load & log xt_mark" This reverts commit `8d6793fd70`. Reason: breaks Android build (cgo/pthreads addition) We can try again next cycle. Change-Id: I5e7e1730a8bf399a8acfce546a6d22e11fb835d5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
James Tucker	8d6793fd70	wgengine/router,util/kmod: load & log xt_mark Attempt to load the xt_mark kernel module when it is not present. If the load fails, log error information. It may be tempting to promote this failure to an error once it has been in use for some time, so as to avoid reaching an error with the iptables invocation, however, there are conditions under which the two stages may disagree - this change adds more useful breadcrumbs. Example new output from tailscaled running under my WSL2: ``` router: ensure module xt_mark: "/usr/sbin/modprobe xt_mark" failed: exit status 1; modprobe: FATAL: Module xt_mark not found in directory /lib/modules/5.10.43.3-microsoft-standard-WSL2 ``` Background: There are two places to lookup modules, one is `/proc/modules` "old", the other is `/sys/module/` "new". There was query_modules(2) in linux <2.6, alas, it is gone. In a docker container in the default configuration, you would get /proc/modules and /sys/module/ both populated. lsmod may work file, modprobe will fail with EPERM at `finit_module()` for an unpriviliged container. In a priviliged container the load may succeed, if some conditions are met. This condition should be avoided, but the code landing in this change does not attempt to avoid this scenario as it is both difficult to detect, and has a very uncertain impact. In an nspawn container `/proc/modules` is populated, but `/sys/module` does not exist. Modern `lsmod` versions will fail to gather most module information, without sysfs being populated with module information. In WSL2 modules are likely missing, as the in-use kernel typically is not provided by the distribution filesystem, and WSL does not mount in a module filesystem of its own. Notably the WSL2 kernel supports iptables marks without listing the xt_mark module in /sys/module, and /proc/modules is empty. On a recent kernel, we can ask the capabilities system about SYS_MODULE, that will help to disambiguate between the non-privileged container case and just being root. On older kernels these calls may fail. Update #4329 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Maisem Ali	2b8b887d55	ssh/tailssh: send banner messages during auth, move more to conn (VSCode Live Share between Brad & Maisem!) Updates #3802 Change-Id: Id8edca4481b0811debfdf56d4ccb1a46f71dd6d3 Co-Authored-By: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	14d077fc3a	ssh/tailssh: terminate ssh auth early if no policy can match Also bump github.com/tailscale/golang-x-crypto/ssh Updates #3802 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
James Tucker	67192a2323	go.mod: bump u-root We only use the termios subpackage, so we're unaffected by CVE-2020-7665, but the bump will let dependabot return to slumber. Fixes https://github.com/tailscale/tailscale/security/dependabot/2 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Xe Iaso	4f1d6c53cb	cmd/nginx-auth: create new Tailscale NGINX auth service (#4400 ) This conforms to the NGINX subrequest result authentication protocol[1] using the NGINX module `ngx_http_auth_request_module`. This is based on the example that @peterkeen provided on Twitter[2], but with several changes to make things more tightly locked down: * This listens over a UNIX socket instead of a TCP socket to prevent leakage to the network * This uses systemd socket activation so that systemd owns the socket and can then lock down the service to the bare minimum required to do its job without having to worry about dropping permissions * This provides additional information in HTTP response headers that can be useful for integrating with various services * This has a script to automagically create debian and redhat packages for easier distribution This will be written about on the Tailscale blog. There is more information in README.md. [1]: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/ [2]: https://github.com/peterkeen/tailscale/blob/main/cmd/nginx-auth-proxy/nginx-auth-proxy.go Signed-off-by: Xe Iaso <xe@tailscale.com>	2 years ago
Brad Fitzpatrick	09c5c9eb83	go.mod: bump x/tools for go/packages generics fix Updates #4194 Change-Id: Ia992ffb14210d5ad53f8f98d12b80d64080998e6 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
James Tucker	8226f1482c	go.mod: bump rtnetlink for address label encoding (#4386 ) This will enable me to land tests for the upcoming monitor change in PR #4385. Update #4385 Update #4282 Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
James Tucker	2550acfd9d	go.mod: bump netstack for clone reset fix (#4379 ) In tracking down issue #4144 and reading through the netstack code in detail, I discovered that the packet buf Clone path did not reset the packetbuf it was getting from the sync.Pool. The fix was sent upstream https://github.com/google/gvisor/pull/7385, and this bump pulls that in. At this time there is no known path that this fixes, however at the time of upstream submission this reset at least one field that could lead to incorrect packet routing if exercised, a situation that could therefore lead to an information leak. Signed-off-by: James Tucker <james@tailscale.com>	2 years ago
Xe Iaso	55161b3d92	cmd/mkpkg: use package flag (#4373 ) Also removes getopt Signed-off-by: Xe <xe@tailscale.com>	2 years ago
Matt Layher	c79c72c4fc	go.mod: github.com/mdlayher/sdnotify@v1.0.0 Signed-off-by: Matt Layher <mdlayher@gmail.com>	2 years ago
Maisem Ali	ac2033d98c	go.mod: bump staticcheck (#4359 ) Updates #4194 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	3d180c0376	go.mod, ssh/tailssh, tempfork/gliderlabs: bump x/crypto/ssh fork for NoClientAuthCallback Prep for evaluating SSHPolicy earlier to decide whether certs are required, which requires knowing the target SSH user. Updates #3802 Change-Id: I2753ec8069e7f19c9121300d0fb0813c1c627c36 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	5a44f9f5b5	tempfork: temporarily fork gliderlabs/ssh and x/crypto/ssh While we rearrange/upstream things. gliderlabs/ssh is forked into tempfork from our prior fork at `be8b7add40` x/crypto/ssh OTOH is forked at https://github.com/tailscale/golang-x-crypto because it was gnarlier to vendor with various internal packages, etc. Its git history shows where it starts (2c7772ba30643b7a2026cbea938420dce7c6384d). Updates #3802 Change-Id: I546e5cdf831cfc030a6c42557c0ad2c58766c65f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	8294915780	cmd/tailscale/cli: add start of 'ssh' subcommand Updates #3802 Change-Id: Iabc07c00c7e4f43944cfe7daec8d2b66ac002289 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago

1 2 3 4 5 ...

294 Commits (b94b91c1689954542a783fa58386008fecb623bf)