Fine grained ACL policies for SSH #1121

Open
opened 2025-11-20 05:24:24 -05:00 by saavagebueno · 3 comments

Originally created by @alexcupertme on GitHub (Aug 1, 2024).

Originally assigned to: @nazarewk on GitHub.

Is your feature request related to a problem? Please describe.
ACL policies for SSH. AFAIK, the best way I can implement it now is to restrict the Netbird SSH port (44338).

Describe the solution you'd like
Something like Tailscale has https://tailscale.com/kb/1193/tailscale-ssh

We need to configure which user group has SSH access to the hosts

When creating policies, we can choose protocol. SSH option would fit well here, even though it is a different OSI network level.

Describe alternatives you've considered

Additional context

saavagebueno added the feature-request, security, acl labels 2025-11-20 05:24:24 -05:00
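The workaround the request describes (an ACL restricting TCP 44338 to one group) only helps if no broader policy still reaches that port, since NetBird rules are allow rules that add up. As an added example that is not NetBird's code and not part of this thread, the Python below builds the narrow policy payload and audits a policy list for any rule that lets a group outside an allowlist reach 44338. It assumes the policy object shape of the management API (GET /api/policies: policies with name/enabled/rules, rules with action, protocol, ports, optional port_ranges as {start, end}, and sources/destinations as {id, name} group objects); the group names ssh-admins/ssh-servers and the sample policies are constructed.

```python
"""Audit NetBird ACL policies for exposure of the NetBird SSH port (TCP 44338).

Added example, not NetBird project code and not from the thread. Assumes the
policy object shape of the management API (GET /api/policies): each policy has
name/enabled/rules, each rule has action, protocol, ports, optional port_ranges,
and sources/destinations as lists of {"id", "name"} group objects. Group names
and the sample policies below are constructed for illustration.
"""
from __future__ import annotations

NETBIRD_SSH_PORT = 44338


def _ports_include_ssh(rule: dict) -> bool:
    """True when the rule's port selection covers 44338 (no selection = all ports)."""
    ports = rule.get("ports") or []
    ranges = rule.get("port_ranges") or []  # assumed shape: [{"start": int, "end": int}]
    if not ports and not ranges:
        return True
    if any(int(p) == NETBIRD_SSH_PORT for p in ports):
        return True
    return any(r["start"] <= NETBIRD_SSH_PORT <= r["end"] for r in ranges)


def rule_reaches_ssh(rule: dict) -> bool:
    """True if an enabled accept rule could carry traffic to TCP 44338."""
    if not rule.get("enabled", True) or rule.get("action", "accept") != "accept":
        return False
    if rule.get("protocol", "all") not in ("all", "tcp"):
        return False
    return _ports_include_ssh(rule)


def audit_policies(policies: list[dict], allowed_sources: set[str]) -> list[str]:
    """Report every enabled rule that lets a group outside allowed_sources reach 44338.

    For bidirectional rules the destination groups can initiate too, so they are
    treated as sources as well.
    """
    findings = []
    for pol in policies:
        if not pol.get("enabled", True):
            continue
        for rule in pol.get("rules", []):
            if not rule_reaches_ssh(rule):
                continue
            initiators = {g["name"] for g in rule.get("sources", [])}
            if rule.get("bidirectional", False):
                initiators |= {g["name"] for g in rule.get("destinations", [])}
            offending = sorted(initiators - allowed_sources)
            if offending:
                findings.append(
                    f"{pol['name']}/{rule['name']}: groups {offending} can reach TCP {NETBIRD_SSH_PORT}"
                )
    return findings


def ssh_policy(admin_group_id: str, server_group_id: str) -> dict:
    """Body for POST /api/policies: only the admin group may reach 44338 on SSH servers."""
    return {
        "name": "netbird-ssh-admins-only",
        "description": "Restrict the NetBird SSH port to the admin group",
        "enabled": True,
        "rules": [{
            "name": "admins-to-ssh-servers",
            "enabled": True,
            "action": "accept",
            "bidirectional": False,  # servers must not be able to initiate back
            "protocol": "tcp",
            "ports": [str(NETBIRD_SSH_PORT)],
            "sources": [admin_group_id],
            "destinations": [server_group_id],
        }],
    }


def _group(gid: str, name: str) -> dict:
    return {"id": gid, "name": name}


# Constructed sample: a stock "Default" all-to-all policy, an unrelated web rule,
# and the narrow SSH policy. Not real account data.
SAMPLE_POLICIES = [
    {"name": "Default", "enabled": True, "rules": [{
        "name": "Default", "enabled": True, "action": "accept", "bidirectional": True,
        "protocol": "all", "ports": [],
        "sources": [_group("g-all", "All")], "destinations": [_group("g-all", "All")]}]},
    {"name": "web", "enabled": True, "rules": [{
        "name": "web", "enabled": True, "action": "accept", "bidirectional": False,
        "protocol": "tcp", "ports": ["443"],
        "sources": [_group("g-dev", "developers")], "destinations": [_group("g-web", "web-servers")]}]},
    {"name": "netbird-ssh-admins-only", "enabled": True, "rules": [{
        "name": "admins-to-ssh-servers", "enabled": True, "action": "accept", "bidirectional": False,
        "protocol": "tcp", "ports": [str(NETBIRD_SSH_PORT)],
        "sources": [_group("g-adm", "ssh-admins")], "destinations": [_group("g-srv", "ssh-servers")]}]},
]

if __name__ == "__main__":
    for line in audit_policies(SAMPLE_POLICIES, {"ssh-admins"}):
        print(line)
```

Run against the sample, the audit flags the stock Default policy (protocol all, All to All) as still reaching 44338; the narrow policy only restricts anything once that broad rule is removed or edited. Note this limits which peers can reach the port, not which account the connecting user ends up as on the host.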

@jakob1379 commented on GitHub (Mar 11, 2025):

Just to chip in here.

This would also improve the current state where I can become any user on the remote, even the root user. This seems like a fairly big concern in terms of using netbird to manage ssh access.


@nazarewk commented on GitHub (Mar 11, 2025):

I have confirmed with the developer: it indeed works as designed, exactly the way you described.

You can take the following actions to mitigate:

  1. Not use SSH at all (it needs to be enabled on both the management and the client side at the same time),
  2. Run in a rootless container (yeah, probably not particularly useful)
  3. Run the daemon as an unprivileged user (I'll need to confirm it indeed prevents logging in as root); you can find hardened setup directions in the NixOS module I wrote (https://github.com/NixOS/nixpkgs/blob/10069ef4cf863633f57238f179a0297de84bd8d3/nixos/modules/services/networking/netbird.nix#L547-L607) (disclaimer: this is not an officially supported way of running Netbird)

I will get back to you with more information when I obtain it.


@nazarewk commented on GitHub (Mar 11, 2025):

FYI: this issue will be addressed as part of a larger SSH optimization effort.

Reference: SVI/netbird#1121