mirror of
https://github.com/juanfont/headscale.git
synced 2026-01-23 02:24:10 +00:00
CHANGELOG: add SSH policy breaking change for 0.28.0
Document that SSH rules now validate src/dst combinations following Tailscale's policy rules. Policies with tag->user or group->user SSH rules are now rejected at load time.

Updates #3010
parent 7dd299b683
commit dce7ac0b4b
1 changed files with 4 additions and 0 deletions
@ -87,6 +87,10 @@ sequentially through each stable release, selecting the latest patch version ava
|
|||
address in the user profile. This is now rejected during authentication with an `unverified email` error.
|
||||
- When `false`, unverified emails are allowed for OIDC authentication and the email address is stored in the user
|
||||
profile regardless of its verification state.
|
||||
- **SSH Policy**: SSH rules now validate that when destination contains a username, source must contain only the same username [#3018](https://github.com/juanfont/headscale/pull/3018)
|
||||
- Previously accepted policies with `src: ["tag:foo"]` and `dst: ["user@"]` are now rejected
|
||||
- This aligns with Tailscale's policy: tagged devices cannot SSH to user-owned devices
|
||||
- Error message: "users in dst are only allowed from the same user"
|
||||
|
||||
### Changes
|
||||
|
||||
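Review bot: The new **SSH Policy** bullet only gives the `src: ["tag:foo"]` case, while the commit message says group->user rules are rejected too and that rejection happens at load time; the entry states neither. Suggest a sub-bullet that names group sources and says the policy fails to load, so operators know to check their SSH rules before upgrading. The error text is in plain double quotes here, but the OIDC entry just above puts its error in backticks (`unverified email`); use backticks for consistency. The commit message references #3010 while the entry links #3018, so confirm the PR link is the intended one.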