
We are trialing Tailscale set-up for production server SSH connections. We are using Google Workspace as the identity provider for Tailscale.

Because production servers are more security critical than general data related to Google Workspace, we'd like to ensure that any Tailscale session has a shorter session timeout and that the user is always asked for two-factor authentication.

By default, Google Workspace asks for two-factor authentication only once per browser, which is fine if you want to access Docs, email and such. It does not issue an additional two-factor authentication request after the user has logged into the service in their browser.

  • Can Tailscale and the Google Workspace identity provider be configured so that, for the Tailscale application / integration (whatever the correct term is), Google prompts for a two-factor authentication code at least every 24h?

  • Does Google Workspace support per-application security rules for login to make some applications more security critical?

  • We also found out that Tailscale SSH, unlike e.g. Cloudflare Zero, does not seem to work with the google-authenticator PAM module, which could be a workaround. Please correct me if I am wrong here.

(While this topic may feel off-topic, Tailscale instructs their people to post configuration questions to Stack Overflow.)

Mikko Ohtamaa
  • Seems a bit cheeky that a for-profit company is directing you here! That said, wouldn't Super User be a better forum for this sort of question? – Sam Mason Aug 28 '23 at 22:48
  • I'd worry about how often I'd lose access to servers when all authentication has to go through both of those services. Why not just require public key authentication (and encourage private keys being stored in lightweight HSMs like YubiKey) with TOTP/2FA on top? – Sam Mason Aug 28 '23 at 22:56
  • Because of the auditability and user rights management, you want to use a service like Tailscale. – Mikko Ohtamaa Aug 29 '23 at 06:53

1 Answer

A quick Google search shows you can adjust the frequency of 2FA prompts in your Admin console.

https://support.google.com/a/answer/9176657?hl=en (Scroll down to frequency)

Workspace does not appear to support per-application rules, so I suppose you’ll just have to re-authenticate all the time. Tailscale seems to have an experimental PAM module here.

https://github.com/tailscale/pam

And because this uses your Tailscale credentials, you can use your Workspace account with it and set up authentication rules in your Admin console. However, this is a project that isn't meant to be used in production settings yet. The page warns you about it being a proof of concept, and how the security of the project is still unknown. Additionally, it's in no way Google's PAM module, and Tailscale's compatibility with that is completely unknown to me.
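As an added configuration example (not from the question, the answer, or the Tailscale PAM repository linked above), the following tailnet policy file fragment shows the Tailscale-side knob for periodic re-authentication that the question asks about: a Tailscale SSH rule with `"action": "check"` and a `checkPeriod`. In check mode Tailscale makes the connecting user re-authenticate with the tailnet's identity provider in a browser before the SSH session is granted, and again once the period expires, without any PAM module on the server. The group name, tag, and e-mail address are placeholders, not values from the page.

```jsonc
{
  // Ordinary network ACL: Tailscale SSH still needs port 22 to be reachable.
  "acls": [
    { "action": "accept", "src": ["group:ops"], "dst": ["tag:prod-server:22"] }
  ],

  // Tailscale SSH rules live in the "ssh" section of the policy file.
  "ssh": [
    {
      // "check" instead of "accept": the user must re-authenticate with the
      // identity provider (Google Workspace here) in a browser before the
      // session is allowed, and again after checkPeriod elapses.
      "action": "check",
      // Tailscale's default check period is 12h; the question asks for 24h.
      "checkPeriod": "24h",
      "src": ["group:ops"],            // placeholder group, not from the page
      "dst": ["tag:prod-server"],      // placeholder tag, not from the page
      "users": ["autogroup:nonroot", "root"]
    }
  ],

  // Placeholder identity and tag ownership so the fragment is self-contained.
  "groups": { "group:ops": ["alice@example.com"] },
  "tagOwners": { "tag:prod-server": ["group:ops"] }
}
```

Two caveats for the production use case in the question. First, check mode only forces a fresh login with the identity provider; whether Google asks for a second factor on that login is governed by the Workspace 2-Step Verification settings the answer links (the frequency / trusted-device option), not by Tailscale, so both settings need to agree for "2FA at least every 24h" to hold. Second, this enforces re-authentication for new Tailscale SSH sessions; it is a separate control from the Workspace session length and from any PAM-based second factor on the host itself.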