Vaguely related - there’s still no easy way to get at the email/user name of a user using tailscale ssh right? This is one of the things I really liked about teleport, you could use it to properly attribute git commits on shared machines, without any special setup on the user side.
No, for disambiguating between multiple users logging into one shared account. Basically, I'd need for tailscale to inject an env variable into the session. Teleport does this with something like SSH_TELEPORT_USER (I don't have access to a teleport instance right now to check the exact name, sorry). It's not really for security purposes (anyone can spoof any env variable they like, anyhow), just for convenience for helper scripts. In robotics it's super common to have just one or two users per machine, and give shared logins to those machines.
While I have you here, it would also be neat if there were a way to supplement regular SSH's auth with tailscale SSH's keys. Specifically for situations where the target machine has lost internet connectivity but you can still get onto the same network as it. More robotics problems. :) Can understand if this would never "work" for tailscale's auth model.
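A helper of the kind the comment above describes, as an added example (not from the thread, Tailscale or Teleport): it reads the Teleport-style session variable SSH_TELEPORT_USER (the name is the one the comment recalls, taken as an assumption), validates it, and exports a git identity for the session on a shared account. The fallback domain is a constructed placeholder.

```shell
#!/bin/sh
# Added example: a login-profile helper for a shared account that derives the
# git author identity from a per-session variable injected by the SSH layer.
# SSH_TELEPORT_USER is the Teleport-style name the thread mentions (assumed);
# the fallback domain is a constructed placeholder.
SESSION_DOMAIN="${SESSION_DOMAIN:-robots.example}"

# The variable is client-controlled (the thread notes anyone can spoof it), so
# even as a convenience only a conservative character set is accepted before
# the value is used anywhere.
valid_session_user() {
    case "$1" in
        ''|*[!A-Za-z0-9@._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print "name <email>" for a session user, or fail when it is absent/invalid.
# A bare login name gets the shared machine's domain appended.
git_identity_for() {
    user="$1"
    domain="${2:-$SESSION_DOMAIN}"
    valid_session_user "$user" || return 1
    case "$user" in
        *@*) printf '%s <%s>\n' "${user%%@*}" "$user" ;;
        *)   printf '%s <%s@%s>\n' "$user" "$user" "$domain" ;;
    esac
}

# Export author/committer variables for this shell so every `git commit` is
# attributed to the person who logged in, leaving the shared ~/.gitconfig alone.
export_git_identity() {
    id=$(git_identity_for "${SSH_TELEPORT_USER:-}") || return 1
    GIT_AUTHOR_NAME="${id%% <*}"
    GIT_AUTHOR_EMAIL="${id#*<}"
    GIT_AUTHOR_EMAIL="${GIT_AUTHOR_EMAIL%>}"
    GIT_COMMITTER_NAME="$GIT_AUTHOR_NAME"
    GIT_COMMITTER_EMAIL="$GIT_AUTHOR_EMAIL"
    export GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL
}

# Source this from the shared account's profile; it silently does nothing when
# the session variable is missing (e.g. a local console login).
export_git_identity || true
```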
Yeah this is all great feedback, thanks. Makes sense about the env var!
On the second item - this is interesting. I definitely see the reason for asking :) We actually don’t use SSH keys for Tailscale SSH, since the auth is handled within Tailscale (more info at https://tailscale.com/kb/1193/tailscale-ssh#authentication-a...). I’ll think more about this. Do you have a break-glass setup with a normal SSH key for this today?