webnet/tailscale
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ssh/tailssh: send audit messages on SSH login (Linux)

Browse Source 
Send LOGIN audit messages to the kernel audit subsystem on Linux
when users successfully authenticate to Tailscale SSH. This provides
administrators with audit trail integration via auditd or journald,
recording details about both the Tailscale user (whois) and the
mapped local user account.

The implementation uses raw netlink sockets to send AUDIT_USER_LOGIN
messages to the kernel audit subsystem. It requires CAP_AUDIT_WRITE
capability, which is checked at runtime. If the capability is not
present, audit logging is silently skipped.

Audit messages are sent to the kernel (pid 0) and consumed by either
auditd (written to /var/log/audit/audit.log) or journald (available
via journalctl _TRANSPORT=audit), depending on system configuration.

Note: This may result in duplicate messages on a system where
auditd/journald audit logs are enabled and the system has and supports
`login -h`. Sadly Linux login code paths are still an inconsistent wild
west so we accept the potential duplication rather than trying to avoid
it.

Fixes #18332

Signed-off-by: James Tucker <james@tailscale.com>
This commit is contained in:
James Tucker
2026-01-05 15:18:23 -08:00
committed by James Tucker
parent b7081522e7
commit 39a61888b8
3 changed files with 366 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ssh/tailssh/tailssh.go
+10
View File
@@ -31,6 +31,7 @@ import (
gossh "golang.org/x/crypto/ssh"
"tailscale.com/envknob"
"tailscale.com/feature"
"tailscale.com/ipn/ipnlocal"
"tailscale.com/net/tsaddr"
"tailscale.com/net/tsdial"
@@ -56,6 +57,10 @@ var (
// authentication methods that may proceed), which results in the SSH
// server immediately disconnecting the client.
errTerminal = &gossh.PartialSuccessError{}
// hookSSHLoginSuccess is called after successful SSH authentication.
// It is set by platform-specific code (e.g., auditd_linux.go).
hookSSHLoginSuccess feature.Hook[func(logf logger.Logf, c *conn)]
)
const (
@@ -647,6 +652,11 @@ func (c *conn) handleSessionPostSSHAuth(s ssh.Session) {
ss := c.newSSHSession(s)
ss.logf("handling new SSH connection from %v (%v) to ssh-user %q", c.info.uprof.LoginName, c.info.src.Addr(), c.localUser.Username)
ss.logf("access granted to %v as ssh-user %q", c.info.uprof.LoginName, c.localUser.Username)
if f, ok := hookSSHLoginSuccess.GetOk(); ok {
f(c.srv.logf, c)
}
ss.run()
}