科技回声

A technology news platform built on Next.js, offering global tech news and discussion.

© 2025 科技回声. All rights reserved.

Making an SSH client the hard way

299 points, by darthShadow, over 2 years ago

16 comments

PaulWaldman, over 2 years ago

> To make this possible, we ported the following to WebAssembly: the Tailscale client, WireGuard®, a complete userspace network stack (from gVisor), and an SSH client.

Would it be possible to bundle the same into a portable application allowing you to use Tailscale without installing it? My understanding is that currently if you can't install Tailscale on a client you need to use Subnet Router. https://tailscale.com/kb/1109/devices-without-tailscale/

Comment #33364947 not loaded
easton, over 2 years ago

Could the Tailscale client be packaged as an extension so I can visit sites on my Tailnet without having to install a client? Sometimes I want to visit an "internal" site without having to install the client, if I'm using a temporary box for something. I'm not sure how much more work would have to be done; might have to dig into the open source pieces of this.

Comment #33363907 not loaded
vngzs, over 2 years ago

This is really cool and fun, but is this a safe way to run SSH clients?

If, say, the adblock Chrome extension you're using gets bought by a malware operator and backdoored[0], now it also has SSH and VPN access.

[0]: https://www.wired.co.uk/article/fake-chrome-extensions-malware

Comment #33361959 not loaded
Comment #33363738 not loaded
Comment #33369408 not loaded
kybernetyk, over 2 years ago

> To make this possible, we ported the following to WebAssembly: the Tailscale client, WireGuard®, a complete userspace network stack (from gVisor), and an SSH client.

Wow, and they're proud of it.

Comment #33370205 not loaded
chatmasta, over 2 years ago

Cool feature! I was just looking at boringtun last night and wondering if it could compile to WASM, to get a virtualized network interface in the browser.

Did you experiment with the new WebTransport API [0] at all? It's only supported in Chromium browsers, but seems promising for this kind of use case.

[0] https://chromestatus.com/feature/4854144902889472
amluto, over 2 years ago

I can't shake the feeling that Tailscale's SSH authentication mechanism is at the wrong layer of the stack. It appears to work by looking at the (source, dest) IP address pair and mapping that to a Tailscale identity. But this may mean that any user or anyone who can initiate TCP connections from an authenticated user's IP can authenticate to the destination over Tailscale SSH.

If Tailscale's client was a userspace construct bound to a specific user SSH program, maybe fine. But Tailscale's client is a regular VPN client. What happens if you connect to the Tailscale VPN, open a malicious but sandboxed app of some sort, and that app connects to the target on TCP port 22?

For all that it's a seriously unfinished product, Cloudflare's SSH offering seems better thought out. Perhaps Tailscale should find a way to issue a short-lived certificate and use that in addition?

(It looks like regular sshd could *almost* be convinced to handle this. If the SSH_CONNECTION environment variable were passed to the AuthorizedPrincipalsCommand helper or if the source and destination were available as '%' tokens, then AuthorizedPrincipalsCommand could do the Tailscale tuple lookup and use it as a second factor in addition to a short-lived certificate (or regular SSH key or whatever). I bet openssh would accept a patch for this.)

Comment #33362759 not loaded
Comment #33363266 not loaded
Comment #33363219 not loaded
Comment #33362278 not loaded
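The comment above contrasts two designs: authenticating an SSH session purely from the (source, destination) address pair, versus using that lookup as a second factor next to a short-lived certificate. The following Go program is an added, hypothetical model of both designs written for this page; it is not Tailscale's or OpenSSH's code. The type names (`TupleMap`, `Cert`, `AddrPair`), the two `Auth*` functions and the sample addresses are all constructed for illustration. It shows why a process that merely shares an authenticated node's address is accepted under the tuple-only design but refused once a valid certificate for the same principal is also required.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"time"
)

// Hypothetical model of the two authentication designs discussed above:
// (a) identity derived only from the (source, destination) address pair, and
// (b) the same lookup used as a second factor next to a short-lived certificate.
// All names and sample data are constructed for illustration.

// Identity is the user a Tailscale-like control plane associates with a node address.
type Identity struct {
	User string
}

// Cert is a minimal stand-in for a short-lived SSH certificate.
type Cert struct {
	Principal string
	NotAfter  time.Time
}

// AddrPair is the (source, destination) tuple the server sees for a connection.
type AddrPair struct {
	Src, Dst netip.Addr
}

// TupleMap maps an address pair to an identity (the "tuple lookup").
type TupleMap map[AddrPair]Identity

var ErrDenied = errors.New("access denied")

// AuthByTuple is design (a): anything that can open a TCP connection from an
// authenticated node's address is treated as that node's user.
func AuthByTuple(m TupleMap, p AddrPair) (string, error) {
	id, ok := m[p]
	if !ok {
		return "", ErrDenied
	}
	return id.User, nil
}

// AuthByTupleAndCert is design (b): the tuple lookup must agree with the
// principal of a still-valid short-lived certificate presented by the client.
// A process that only shares the node's address but holds no certificate
// (or an expired one, or one for a different principal) is refused.
func AuthByTupleAndCert(m TupleMap, p AddrPair, c *Cert, now time.Time) (string, error) {
	id, ok := m[p]
	if !ok {
		return "", ErrDenied
	}
	if c == nil || !now.Before(c.NotAfter) || c.Principal != id.User {
		return "", ErrDenied
	}
	return id.User, nil
}

func main() {
	// Constructed sample data: one authenticated node and one target host.
	node := netip.MustParseAddr("100.64.0.10")
	target := netip.MustParseAddr("100.64.0.20")
	m := TupleMap{{Src: node, Dst: target}: {User: "alice"}}
	now := time.Date(2022, 10, 27, 12, 0, 0, 0, time.UTC)
	cert := &Cert{Principal: "alice", NotAfter: now.Add(10 * time.Minute)}

	// alice's own SSH client, holding a fresh certificate:
	u, err := AuthByTupleAndCert(m, AddrPair{node, target}, cert, now)
	fmt.Println(u, err)

	// Some other process on the same node connects to port 22 with no certificate.
	// The tuple-only design accepts it as alice; the two-factor design refuses.
	u, err = AuthByTuple(m, AddrPair{node, target})
	fmt.Println(u, err)
	u, err = AuthByTupleAndCert(m, AddrPair{node, target}, nil, now)
	fmt.Println(u, err)
}
```

The certificate check here is deliberately minimal (principal and expiry only); a real deployment would also verify the signature against a trusted CA and bind the certificate to the key the client proved possession of during the SSH handshake.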
gunapologist99, over 2 years ago

This significantly increases the threat model for your remote servers to include all sorts of remote attacks through the web, including:

* garden-variety web attacks (i.e., XSS, CSRF, etc)
* attacks that might become viable against the browser (for example, Mobile Safari has a history of vulnerabilities)
* various attacks against the backend web server (API attacks)
* attacks against the WASM layer
* CDN injections
* Tailscale's backend (various types of injections, timing attacks, or deeper attacks on Tailscale's infrastructure like the nightmares of HeartBleed, Shellshock, Meltdown, etc)

That's probably a very incomplete list.

Realistically, this essentially (actually, literally) *opens a remote root shell into your entire infrastructure through a web page*, with apparently nothing more than matching an IP address pair (https://news.ycombinator.com/item?id=33361837) to authenticate.

What could go wrong?

This design with its *loose* coupling between authenticated user and IP addresses for high-value targets makes me view Tailscale's security model in a whole new light.

Comment #33365316 not loaded
Comment #33365837 not loaded
Comment #33367408 not loaded
Comment #33365701 not loaded
Comment #33365747 not loaded
Comment #33367944 not loaded
aliqot, over 2 years ago

I wouldn't be the target market for this; however, more power to them. I understand that to an extent we should never roll our own, so to speak; however, I think that we should not put all of our eggs in one basket. In that regard, I think that once the beginning kinks are ironed out it will be a better thing and we should ultimately embrace these types of endeavors.

Let me say again, though I admire it, I'd never use this. I like to sleep soundly, as irrational as that may be.
dekhn, over 2 years ago

I just learned there's a POSIX kernel in Go that can actually run apps. https://www.usenix.org/conference/osdi18/presentation/cutler

I think this should be compiled with WASM and deployed via web page. Then we can explore the idea of browser-hosted POSIX kernels.
Spivak, over 2 years ago

> To make this possible, we ported the following to WebAssembly: the Tailscale client, WireGuard®, a complete userspace network stack (from gVisor), and an SSH client.

I love that they were clearly inspired by fly.io. Warms my heart that a random blog post with a good idea can spread like this.

Comment #33364531 not loaded
heliophobicdude, over 2 years ago

Hi Mihai! Great work! I would love to see where this goes!

Forgive my ignorance, but is there any sort of native client besides the browser running in the background to help with websocket to TCP? Or a tunnel to a cloud service to help there?

Comment #33362596 not loaded
skybrian, over 2 years ago

In the old days, people said you shouldn't write crypto in JavaScript because it was somehow insecure. Have those concerns gone away with WebAssembly and HTTPS everywhere?

Comment #33363176 not loaded
Comment #33363082 not loaded
Comment #33363039 not loaded
Comment #33363638 not loaded
Comment #33368641 not loaded
ice3, over 2 years ago

Interesting, I could see this as a nice replacement for Gravitational Teleport.

One of the things that Teleport lacks (IMO) is WireGuard.
cynix, over 2 years ago

Will Tailscale SSH support FreeBSD any time soon?
Scarbutt, over 2 years ago

But can it run emacs?

Comment #33362983 not loaded
dekhn, over 2 years ago

Most of the products from tailscale just seem to be "look at the inner platforms we can build that replace the outer platforms".

Having an SSH client in your browser join your VPN violates all the principles of modern computing.

Comment #33361288 not loaded
Comment #33361501 not loaded
Comment #33361245 not loaded