by kerneis 1281 days ago
I found the blog post slightly confusing because it never explicitly spells out that endorsing a new node is a manual operation that the administrator has to perform from one of the trusted nodes. Of course, this is what you'd want; anything automatic would ruin the purpose of tailnet lock. But still not seeing it mentioned, either in the text or in the pictures, made me wonder what I had missed, until I watched the video, which features that very step as part of the demo.

I had the same issue. I think the idea is that you build something yourself on a trusted node that decides whether or not to endorse a new node.

Off the top of my head I'd do something dead simple like verify the user account matches our domain and then also query an inventory system to verify it is indeed a device we manage through MDM (though I'm not sure how this will work for mobile devices. We don't MDM those).

When a new device attempts to join you should have some data on it via the API (User, OS, Tailscale version, source IP, machine name). You could use that data to decide to endorse it or not.

(Tailscalar and a tailnet lock author here)

If you're okay with trusting Tailscale's control plane, we have a feature for exactly this use case! It's called Device Authorization: https://tailscale.com/kb/1099/device-authorization/

You could also use tailnet lock in this fashion, by issuing a `tailscale lock sign` command for the new node once you've verified the provenance of the new device. Because it involves signatures with keys on your device, it could never be as simple as a REST API, but maybe we could offer a more easily automated command or better client library support (suggestions welcome!)
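The two comments above sketch the same workflow from opposite ends: the first proposes deciding on endorsement from the join data (user, OS, Tailscale version, source IP, machine name) plus an MDM inventory lookup, and the Tailscale author points out that the endorsement itself is a `tailscale lock sign` run from a trusted node. Below is an added example of that gatekeeper, written for this page; it is not Tailscale's code and not either commenter's. The domain, version floor, inventory records and join requests are all constructed, and the argument shape `tailscale lock sign <node-key>` is assumed from the command the author names (check `tailscale lock --help` on your release). Nothing here talks to a real tailnet; the sign step is injectable so the block runs offline.

```python
"""
Added example: policy gate for endorsing a node under tailnet lock.

Policy (from the thread): the joining user must belong to our domain,
the device must be enrolled in our MDM inventory under that user, and
only then do we sign its node key from a trusted signing node.
Every value below is constructed for illustration.
"""
from dataclasses import dataclass
import re
import subprocess

OUR_DOMAIN = "example.com"            # assumed identity domain
MIN_TAILSCALE_VERSION = (1, 32, 0)    # assumed client version floor

# Constructed stand-in for an MDM inventory: hostname -> enrolled owner.
# A real deployment would query the MDM vendor's API here instead.
MDM_INVENTORY = {
    "alice-laptop": "alice@example.com",
    "bob-desktop": "bob@example.com",
}


@dataclass(frozen=True)
class JoinRequest:
    node_key: str          # "nodekey:<64 hex>" as reported by the client
    user: str
    os: str
    tailscale_version: str
    source_ip: str
    machine_name: str


def parse_version(v: str) -> tuple:
    """'1.34.1-t1234' -> (1, 34, 1). Unparsable strings sort lowest so
    they fail the version floor rather than slipping past it."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        return (0, 0, 0)
    return tuple(int(x or 0) for x in m.groups())


def evaluate(req: JoinRequest, inventory=MDM_INVENTORY) -> tuple:
    """Return (endorse?, reason). Denials carry an explicit reason so an
    operator reviewing held nodes can see which check tripped."""
    if not re.fullmatch(r"nodekey:[0-9a-f]{64}", req.node_key):
        return False, "malformed node key"
    if not req.user.lower().endswith("@" + OUR_DOMAIN):
        return False, f"user {req.user!r} is outside {OUR_DOMAIN}"
    if parse_version(req.tailscale_version) < MIN_TAILSCALE_VERSION:
        return False, f"client {req.tailscale_version} is below the version floor"
    owner = inventory.get(req.machine_name)
    if owner is None:
        # Un-MDM'd devices (e.g. phones, as the commenter notes) land here.
        return False, f"{req.machine_name!r} is not in the MDM inventory"
    if owner.lower() != req.user.lower():
        return False, f"{req.machine_name!r} is enrolled to {owner}, not {req.user}"
    return True, "domain user on an MDM-managed device"


def sign_command(req: JoinRequest) -> list:
    """argv for the endorsement step; argument shape is assumed, see lead-in."""
    return ["tailscale", "lock", "sign", req.node_key]


def endorse(req: JoinRequest, run=subprocess.run) -> bool:
    """Evaluate the request and, if it passes, run the sign command on
    this (trusted) node. `run` is injectable so tests and dry runs never
    touch a real tailnet."""
    ok, reason = evaluate(req)
    print(f"{req.machine_name}: {'ENDORSE' if ok else 'HOLD'} ({reason})")
    if ok:
        run(sign_command(req), check=True)
    return ok


if __name__ == "__main__":
    # Constructed join requests; dry-run instead of invoking tailscale.
    dry_run = lambda argv, **kw: print("would run:", " ".join(argv))
    key = "nodekey:" + "ab" * 32
    endorse(JoinRequest(key, "alice@example.com", "macOS", "1.36.0",
                        "203.0.113.7", "alice-laptop"), run=dry_run)
    endorse(JoinRequest(key, "mallory@evil.example", "linux", "1.36.0",
                        "198.51.100.9", "alice-laptop"), run=dry_run)
    endorse(JoinRequest(key, "bob@example.com", "iOS", "1.36.0",
                        "203.0.113.8", "bob-phone"), run=dry_run)
```

The ordering of checks matters less than the fact that each one denies by default: an unknown hostname, an unparsable version string or a user outside the domain all fall through to HOLD, and a device enrolled to a different user than the one joining is refused even though both identity and inventory look fine in isolation. Because the actual signature is produced with a key held on the trusted node, this script has to run there, which is exactly the property the Tailscale author describes.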

(Tailscalar and a tailnet lock author here)

Thanks for the feedback!! Writing the documentation for how this worked was a challenge, and it's good to hear what pieces we need to call out more strongly in the future.

If you're interested in gory details around tailnet lock internals, we have the beginnings of a whitepaper here: https://tailscale.com/kb/1230/tailnet-lock-whitepaper/