From ea52cbb28855204d0daed3ce93729f9e7927969a Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Tue, 12 May 2026 21:05:13 +0000 Subject: [PATCH] CHANGELOG: document sshTests evaluation (beta) --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 496c1fe2..527f8d2d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -44,6 +44,10 @@ This feature is **beta** while behavioural coverage against Tailscale SaaS broad [#3229](https://github.com/juanfont/headscale/pull/3229) +### SSH policy tests (beta) + +`sshTests` policy assertions are now evaluated at write boundaries. Operators writing `"sshTests": [{"src": "alice@example.com", "dst": ["tag:server"], "accept": ["root"]}]` could previously ship a policy whose own assertions were silently violated by the SSH rule list; the misconfiguration only surfaced when a user actually attempted SSH and got Permission denied. `headscale policy set` and `headscale policy check` now compile the same SSH rules clients receive, replay each `sshTests` entry through them, and reject the write when any `accept` user cannot reach a dst, any `deny` user can reach one, or any `check` user reaches a dst via a non-check rule. Parse-time shape rules forbid `dst` entries with a `:port` suffix (SSH port is implicit), `autogroup:internet` destinations, CIDR-shaped destinations, references to tags not in `tagOwners`, and entries with an empty `src` or `dst`. Stored policies whose `sshTests` fail at boot log a warning and the server continues, so a stale reference to a deleted user does not block restart. + ### Grants We now support [Tailscale grants](https://tailscale.com/docs/features/access-control/grants)