Preauth keys for different users

[QZAiXH]

Bug description
I have two preauth keys A and B, and a new client. I first use A to join headscale and this client successfully joins user A. After that I use B on the client and the client does not switch to user B, it is still on A. Is this correct?

[ItsShadowCone]

Furthermore fast account switching with multiple users on the same headscale instance is currently not working (afaict).

I suspect the same reason under the hood, headscale might be using the machine id/key for a more unique identifier than it should be.

I tested:

• joining via preauth key, subsequent login via preauth key for second user -> no user switch, no second account, just a renegotiation of node key
• joining via preauth key, subsequent login via OIDC -> oidc fails, in the log i see could not register machine error="machine was previously registered with a different user"
• joining via OIDC, subsequent login via preauth key -> same as Bump websocket-extensions from 0.1.3 to 0.1.4 in /frontend #1. preauth key changes nothing, except for the node key.

[pallabpain]

You should be able to fast-switch users seamlessly if you do the following after logging in with preauth key A.

tailscale logout
tailscale down

tailscale up --auth-key preauthkey-B ... 

I've written an implementation that does exactly this in one of the projects that I am working on.

[ItsShadowCone]

I tried it today on headscale 0.21.0 and it does not work. tailscale switch --list only shows a single user.

[Carseason]

me to

[github-actions]

This issue is stale because it has been open for 180 days with no activity.

[ItsShadowCone]

i believe it is still relevant however

[github-actions]

This issue is stale because it has been open for 90 days with no activity.

[ItsShadowCone]

Did anyone test this for v0.23.0?

[github-actions]

This issue is stale because it has been open for 90 days with no activity.

[kradalby]

Furthermore fast account switching with multiple users on the same headscale instance is currently not working (afaict).

I suspect the same reason under the hood, headscale might be using the machine id/key for a more unique identifier than it should be.

Are you trying to login to the same headscale with the same node twice?

So [node a, login 1] and [node a, login 2] is both in your fast user switching menu and as two nodes in headscale?

Does Tailscale SaaS support this?

[ItsShadowCone]

See my response in #1920

I think the whole point in fast user switching @ tailscale SaaS is same node multiple logins.

[github-actions]

This issue is stale because it has been open for 90 days with no activity.

[ItsShadowCone]

Can we confirm that this bug is either still existing or fixed in the latest beta?

[stormshield-gt]

I can confirm that the bug is still present is the latest published image 2 months ago: sha256:392237fecf911ff101f56d92dbb2529eb8a1f065bdbdcd73744565c6e0744bad
When login with a new user it creates a new profile in tailscaled.state but also set the old one to null

[stormshield-gt]

I can also confirm that switching between users of the same tailnet is officially supported by tailscale SaaS.
From the docs:

You aren't prevented from switching between accounts in the same tailnet. If you don't want to switch between accounts in the same tailnet, re-authenticate the device instead of switching between accounts.