Headscale logs in user A with user B's auth key #1885

Closed
fredrikekre opened this issue Apr 17, 2024 · 2 comments · Fixed by #1920

fredrikekre commented Apr 17, 2024

Bug description

Logging in a node with a preauthkey logs in as the previous user that was logged in on the same node, i.e. after performing the following three steps on the same node:

  1. Login with user A's key
  2. Logout A
  3. Login with user B's key

the result is that user A is logged in even though user B's key is used. See full terminal session with the steps to reproduce below. I noticed this with release 0.22.3 when changing the user for some nodes and although the new key was used the same old user was still logged in. The MWE below is with v0.23.0-alpha7.

Environment

  • OS: Ubuntu 22.04
  • Headscale version: v0.23.0-alpha7
  • Tailscale version: 1.64.0

To Reproduce

Install headscale on a clean machine (i.e. no existing config or database)

$ sudo apt install ./headscale_0.23.0-alpha7_linux_amd64.deb
[...]

$ sudo systemctl enable headscale

$ sudo systemctl start headscale

Create users foo and bar with associated keys:

$ sudo headscale users create foo

$ sudo headscale users create bar

$ sudo headscale preauthkeys create --user foo --reusable
73c546e371611141ef442e7aeaff918734708124072d530f

$ sudo headscale preauthkeys create --user bar --reusable
6b00073a57c0828e2cb5dcb4c64e2eef6de0972507f6478c

Login using foo's key works as expected:

$ sudo tailscale up --reset --login-server=http://localhost:8080 --auth-key=73c546e371611141ef442e7aeaff918734708124072d530f

$ tailscale status
100.64.0.1      myhost               foo          linux   -

$ sudo headscale nodes list
ID | Hostname | Name   | MachineKey | NodeKey | User | IP addresses                  | Ephemeral | Last seen           | Expiration          | Connected | Expired
1  | myhost   | myhost | [Rl+ED]    | [YHvFJ] | foo  | 100.64.0.1, fd7a:115c:a1e0::1 | false     | 2024-04-17 14:09:32 | 0001-01-01 00:00:00 | online    | no

Logout foo and login with bar's key:

$ sudo tailscale logout

$ sudo tailscale up --reset --login-server=http://localhost:8080 --auth-key=6b00073a57c0828e2cb5dcb4c64e2eef6de0972507f6478c

Even though the key belongs to bar we are logged in as foo according to both client and server:

$ tailscale status
100.64.0.1      myhost               foo          linux   -

$ sudo headscale nodes list
ID | Hostname | Name   | MachineKey | NodeKey | User | IP addresses                  | Ephemeral | Last seen           | Expiration          | Connected | Expired
1  | myhost   | myhost | [Rl+ED]    | [UgilM] | foo  | 100.64.0.1, fd7a:115c:a1e0::1 | false     | 2024-04-17 14:10:17 | 0001-01-01 00:00:00 | online    | no

Both keys are marked as used:

$ sudo headscale preauthkeys list -u foo
ID | Key                                              | Reusable | Ephemeral | Used | Expiration          | Created             | Tags
1  | 73c546e371611141ef442e7aeaff918734708124072d530f | true     | false     | true | 2024-04-17 15:07:54 | 2024-04-17 14:07:54 |

$ sudo headscale preauthkeys list -u bar
ID | Key                                              | Reusable | Ephemeral | Used | Expiration          | Created             | Tags
2  | 6b00073a57c0828e2cb5dcb4c64e2eef6de0972507f6478c | true     | false     | true | 2024-04-17 15:07:58 | 2024-04-17 14:07:58 |

Logs and attachments

  • ACL configuration: N/A
  • Headscale configuration: Default /etc/headscale/config.yml installed with .deb.
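
Added example, not part of the original report or of headscale itself: a post-enrollment check that parses the `headscale nodes list` table shown above and flags a node registered to a different user than the owner of the pre-auth key it was enrolled with. The function names `node_user` and `check_owner` are hypothetical, and the sample table is the second listing from the report.

```shell
#!/bin/sh
# Added example: verify that a node is registered to the user who owns the
# pre-auth key it was enrolled with. Helper names are hypothetical.

# Sample input: the `headscale nodes list` table from the report above,
# captured after logging in with bar's key.
SAMPLE_NODES='ID | Hostname | Name   | MachineKey | NodeKey | User | IP addresses                  | Ephemeral | Last seen           | Expiration          | Connected | Expired
1  | myhost   | myhost | [Rl+ED]    | [UgilM] | foo  | 100.64.0.1, fd7a:115c:a1e0::1 | false     | 2024-04-17 14:10:17 | 0001-01-01 00:00:00 | online    | no'

# node_user HOSTNAME
# Reads the table on stdin and prints the User column for HOSTNAME.
# Columns are located by header name, so a changed column order is tolerated.
# Exit status 2 means the host is not in the table.
node_user() {
    awk -F'|' -v host="$1" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        NR == 1 {
            for (i = 1; i <= NF; i++) col[trim($i)] = i
            next
        }
        ("Hostname" in col) && ("User" in col) && trim($(col["Hostname"])) == host {
            print trim($(col["User"]))
            found = 1
        }
        END { exit (found ? 0 : 2) }
    '
}

# check_owner EXPECTED_USER HOSTNAME
# Reads the table on stdin. Returns 0 if the node belongs to EXPECTED_USER,
# 1 on a mismatch (the behaviour described in this issue), 2 if not listed.
check_owner() {
    actual=$(node_user "$2") || return 2
    if [ "$actual" != "$1" ]; then
        echo "MISMATCH: $2 is registered to '$actual', key belongs to '$1'" >&2
        return 1
    fi
}

# Live use after `tailscale up --auth-key=<bar's key>`:
#   sudo headscale nodes list | check_owner bar myhost
```

On the sample table, `check_owner bar myhost` returns 1, which is the condition this issue describes.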
@fredrikekre fredrikekre added the bug Something isn't working label Apr 17, 2024
@kradalby kradalby added this to the v0.23.0 milestone Apr 18, 2024
kradalby added a commit to kradalby/headscale that referenced this issue May 1, 2024
kradalby added a commit that referenced this issue May 2, 2024
* add test case to reproduce #1885

Signed-off-by: Kristoffer Dalby <[email protected]>

* fix preauth key issue logging in as wrong user

Fixes #1885

Signed-off-by: Kristoffer Dalby <[email protected]>

* add test to gh

Signed-off-by: Kristoffer Dalby <[email protected]>

---------

Signed-off-by: Kristoffer Dalby <[email protected]>
@fredrikekre

Thanks for the fix!

@ItsShadowCone

Is this possibly a dupe previously reported in #1310? Does the fix affect both?
