14 comments

  • tptacek an hour ago

    This is such a venerable and ancient class of bugs, going at least as far back as AIX 3. Glad to see they're still makin' 'em like they used to.

    (If you had SSH access to a host in your Tailscale ACL, you could log in as `-i` and get a root login.)

  • doublepg23 34 minutes ago

    I’m a heavy Tailscale user, so I do trust them quite a bit, but I never used the Tailscale SSH feature. I feel like OpenSSH’s security record is pretty unbeatable, not sure why I’d swap over for such a security-sensitive tool.

      jdiff 24 minutes ago

      I've used it before to access my tailnet machines through a browser on a machine I can't download software on.

      bakies 10 minutes ago

      Yeah pretty much just use tailscale as a vpn.. do one thing as they say.

      isatty 23 minutes ago

      Convenience for the most part but in general, I agree. I like having it as an option.

  • modeless 26 minutes ago

    Tailscale SSH has caused me other problems in the past because it takes over port 22. I'm not a fan.

  • e40 an hour ago

    So, giving access via tailscale but using OpenSSH is safe, right?

      lugoues an hour ago

      Yes, this only involves their wrapper that is managed by ACL rules.

  • kbumsik an hour ago

    Why own numbering instead of CVE?

      vngzs 44 minutes ago

      It lets organizations (Tailscale) control the timing and narrative around the disclosure more directly. Organizations sometimes avoid the bureaucracy of going through CVE Numbering Authorities by self-publishing. Often a CVE assignment follows self-disclosure, especially when there's pressure to interoperate with vuln-scanning/compliance tooling

  • cyberax 42 minutes ago

    > "Tailscale SSH now rejects usernames with leading dashes."

    Really? That's the fix?

    A proper fix is to use "--" to separate arguments.

      valleyer 15 minutes ago

      A proper fix is not to shell out to a command at all; use getpwnam(3) or similar.

      sedatk 39 minutes ago

      Their fix just future-proofs it in case the same bug gets reintroduced.

        cyberax 12 minutes ago

        This is just a dirty fix. It adds weird restrictions and masks issues.

        Refactoring external invocations to use safe argument handling is a better way to fix it. Along with tests that exercise weird names.