cli: remove node move command #2922
Conversation
This commit removes support for moving nodes between users. The reason for this is that allowing such move is going against a intended design about identity in Tailscale, where your peer has an identity based on their machine, and user id. By allowing the node to be moved, we are breaking this contract, a user might have a peer, and it cannot be trusting who owns this peer as it cant change. This feature should not have been added, and now that Tags are being implemented, essentially representing service account, allowing better seggeration anyways, we will remove it. One of the problems associated with this would be similar to the email takeover on an OIDC platform. Signed-off-by: Kristoffer Dalby <[email protected]>
Signed-off-by: Kristoffer Dalby <[email protected]>
|
Just my 2 cents here, but unless using OIDC the owner of the device doesn't have any control over the user that the device is assigned to in the first place. I understand Headscale is an OSS project but I just want to mention not having this command anymore will make my (and I am sure other users as well) experience just a lot harder. I have personally used the aforementioned move command quite a lot. |
It might have been a mistake to include this part, the point of this statement isnt to imply that this is being removed because of OIDC and such, it is just to highlight a similar attack surface. We are removing it because of OIDC or the similar, but because it is a feature that does not align with the security model that Tailscale has, and particularly as a reimplementation, it is so easy to introduce security issues, and this is a step in the direction of minimising the possibility to do that. Instead of moving a device, the correct path is to just reauthenticate it, which is relatively trivial. |
This commit removes support for moving nodes between users.
The reason for this is that allowing such move is going against a intended design about identity in Tailscale, where your peer has an identity based on their machine, and user id. By allowing the node to be moved, we are breaking this contract, a user might have a peer, and it cannot be trusting who owns this peer as it cant change.
This feature should not have been added, and now that Tags are being implemented, essentially representing service account, allowing better seggeration anyways, we will remove it.
One of the problems associated with this would be similar to the email takeover on an OIDC platform.