tailscale/cmd/tl-longchain/tl-longchain.go
Anton Tolchanov 151b77f9d6 cmd/tl-longchain: tool to re-sign nodes with long rotation signatures
In Tailnet Lock, there is an implicit limit on the number of rotation
signatures that can be chained before the signature becomes too long.

This program helps tailnet admins to identify nodes that have signatures
with long chains and prints commands to re-sign those node keys with a
fresh direct signature. It's a temporary mitigation measure, and we will
remove this tool as we design and implement a long-term approach for
rotation signatures.

Example output:

```
2024/08/20 18:25:03 Self: does not need re-signing
2024/08/20 18:25:03 Visible peers with valid signatures:
2024/08/20 18:25:03 Peer xxx2.yy.ts.net. (100.77.192.34) nodeid=nyDmhiZiGA11KTM59, current signature kind=direct: does not need re-signing
2024/08/20 18:25:03 Peer xxx3.yy.ts.net. (100.84.248.22) nodeid=ndQ64mDnaB11KTM59, current signature kind=direct: does not need re-signing
2024/08/20 18:25:03 Peer xxx4.yy.ts.net. (100.85.253.53) nodeid=nmZfVygzkB21KTM59, current signature kind=rotation: chain length 4, printing command to re-sign
tailscale lock sign nodekey:530bddbfbe69e91fe15758a1d6ead5337aa6307e55ac92dafad3794f8b3fc661 tlpub:4bf07597336703395f2149dce88e7c50dd8694ab5bbde3d7c2a1c7b3e231a3c2
```

To support this, the NetworkLockStatus localapi response now includes
information about signatures of all peers rather than just the invalid
ones. This is not displayed by default in `tailscale lock status`, but
will be surfaced in `tailscale lock status --json`.

Updates #13185

Signed-off-by: Anton Tolchanov <anton@tailscale.com>
2024-08-21 18:22:22 +01:00

94 lines
3.0 KiB
Go

// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause
// Program tl-longchain prints commands to re-sign Tailscale nodes that have
// long rotation signature chains.
//
// There is an implicit limit on the number of rotation signatures that can
// be chained before the signature becomes too long. This program helps
// tailnet admins to identify nodes that have signatures with long chains and
// prints commands to re-sign those node keys with a fresh direct signature.
// Commands are printed to stdout, while log messages are printed to stderr.
//
// Note that the Tailscale client this command is executed on must have
// ACL visibility to all other nodes to be able to see their signatures.
// https://tailscale.com/kb/1087/device-visibility
package main
import (
"context"
"flag"
"fmt"
"log"
"time"
"tailscale.com/client/tailscale"
"tailscale.com/ipn/ipnstate"
"tailscale.com/tka"
"tailscale.com/types/key"
)
var (
flagSocket = flag.String("socket", "", "custom path to tailscaled socket")
maxRotations = flag.Int("rotations", 10, "number of rotation signatures before re-signing (max 16)")
showFiltered = flag.Bool("show-filtered", false, "include nodes with invalid signatures")
)
func main() {
flag.Parse()
lc := tailscale.LocalClient{Socket: *flagSocket}
if lc.Socket != "" {
lc.UseSocketOnly = true
}
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
st, err := lc.NetworkLockStatus(ctx)
if err != nil {
log.Fatalf("could not get Tailnet Lock status: %v", err)
}
if !st.Enabled {
log.Print("Tailnet Lock is not enabled")
return
}
print("Self", *st.NodeKey, *st.NodeKeySignature)
if len(st.VisiblePeers) > 0 {
log.Print("Visible peers with valid signatures:")
for _, peer := range st.VisiblePeers {
print(peerInfo(peer), peer.NodeKey, peer.NodeKeySignature)
}
}
if *showFiltered && len(st.FilteredPeers) > 0 {
log.Print("Visible peers with invalid signatures:")
for _, peer := range st.FilteredPeers {
print(peerInfo(peer), peer.NodeKey, peer.NodeKeySignature)
}
}
}
// peerInfo returns a string with information about a peer.
func peerInfo(peer *ipnstate.TKAPeer) string {
return fmt.Sprintf("Peer %s (%s) nodeid=%s, current signature kind=%v", peer.Name, peer.TailscaleIPs[0], peer.StableID, peer.NodeKeySignature.SigKind)
}
// print prints a message about a node key signature and a re-signing command if needed.
func print(info string, nodeKey key.NodePublic, sig tka.NodeKeySignature) {
if l := chainLength(sig); l > *maxRotations {
log.Printf("%s: chain length %d, printing command to re-sign", info, l)
wrapping, _ := sig.UnverifiedWrappingPublic()
fmt.Printf("tailscale lock sign %s %s\n", nodeKey, key.NLPublicFromEd25519Unsafe(wrapping).CLIString())
} else {
log.Printf("%s: does not need re-signing", info)
}
}
// chainLength returns the length of the rotation signature chain.
func chainLength(sig tka.NodeKeySignature) int {
if sig.SigKind != tka.SigRotation {
return 1
}
return 1 + chainLength(*sig.Nested)
}