> I know it says it's linux-only right now, but is that client side or server only? Can my Windows users TailSSH into linux boxes?
Linux-only on the server, right. macOS support is kinda there (in git) but not entirely done and not included in the GUI builds. Windows server support is tracked in https://github.com/tailscale/tailscale/issues/4697.
You can use any SSH client from any OS.
> Would be cool if somehow it could wedge into sudo auth so you could login as a user and sudo without password if allowed by ACLs
Some of the start of that is in https://github.com/tailscale/pam
> One thing that has prevented me from trying Tailscale, despite the great word on the street, is I can't figure out pricing, despite contacting sales. I'd like to run it on ~120 dev+stg+prod VMs, with 10 people (devs, testers, ops). I'd like every box to talk over tailscale directly, as an overlay network, but servers I hope aren't users, that'd get expensive fast. But I need more devices than 10/user. I presume "custom" would help with that but I got no reply from sales. We are probably too small fry. Now that I'm typing this, I realize I guess we could just buy ~15-20 users despite needing only 10.
You only pay for unique humans, not tagged role account devices. I wonder if your email got eaten as spam or something. Email me (username at tailscale) and copy sales@ and I'll make sure somebody replies. But I don't think you need a custom plan.
> I think I've resolved myself to setting up Nebula for the server overlay network, and using Tailscale for physical users, with a traditional firewall bridging them.
Hey, if you've got something that works, stick with it. :)
Authelia is the fast minimal solution.
Keycloak offers a much more "roll your own" design.
https://www.authelia.com/
And for anyone looking at Tailscale, I should also mention ZeroTier (https://www.zerotier.com/).
In my opinion they have better tech, but they are pretty bad at packaging it, and bad at making it work for actual use-cases.
Tailscale seems to be much more clever around building out stuff (like this one, SSH) that actually goes all the way for a particular use-case. ZeroTier feels more like a building block, where you need to bring more stuff yourself.
Either way, both are awesome technology and can be really useful!
> is that Teleport gives you transcript-level audit logs of your SSH sessions
That is extremely valuable. Just in case 'transcript-level audit' didn't sink in: not only can you see all the keystrokes typed, but you can also see all the output, the whole state. Someone running top for an hour? You can watch the same thing later.
Think asciinema (https://asciinema.org/).
It's not the same, but https://github.com/moby/moby/issues/22054
For what it's worth I encountered the same issue and came up with a solution:
https://github.com/cloudflare/cloudflared/issues/574
Cloudflare have ignored the GitHub issue (which includes a solution), but at least 3 other people seem to have found my solution helpful.
That feature was recently added to SSM https://aws.amazon.com/about-aws/whats-new/2022/05/aws-syste...
Using something like gossm, which I just put a PR in for this feature, also makes this easier: https://github.com/gjbae1212/gossm/pull/54
I appreciate that Tailscale runs the DNS server so it's one less thing for me to manage. Similarly, the built-in LE is just icing on the cake as it's one less thing to think about. Once https://github.com/hassio-addons/addon-tailscale/pull/89 is merged, running Home Assistant on a VPN with a LE certificate would be such a quick setup for anyone.
Indeed, you can do all that yourself, as you point out. Just last night I manually created a public domain to point to a ZeroTier address and ran the Let's Encrypt addon in Home Assistant to generate a certificate via the DNS challenge. It didn't take long, but there were many steps involved (creating a Google Cloud service account and configuring everything).