I attempted this on a VM inside a Linux host and got a lower privileged user from inside the guest VM to ssh to a root-privileged user outside on the host.
Both were authenticated to Tailscale with the same Gmail account, so from an OAuth perspective, this is valid.
From the OS perspective though, the host SSH port is blocked, and a guest should never get full root access to the host or see the host's resources.
I am not sure if I am confused about something, or maybe there are prod use-cases where the same IDP identity should have different roles/privileges depending on the machine, and Tailscale SSH breaks that?
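For readers checking their own tailnet after this post: the behaviour described above comes from the `ssh` section of the Tailscale ACL policy, where `autogroup:self` treats every device the same identity has authenticated (the guest VM and the host alike) as one pool of peers. The following HuJSON fragment is an added illustration, not the poster's policy or Tailscale's shipped default verbatim; the tag names `tag:host` and `tag:vm` are assumed for the example. The first rule reproduces the broad shape the post runs into; the second pair replaces it so that root on a tagged host is never reachable from a tagged VM, and root anywhere else requires a fresh browser re-authentication.

```json
{
  // Assumed tags for the example; the host and the guest VM would be
  // tagged at `tailscale up --advertise-tags=...` time by an owner listed here.
  "tagOwners": {
    "tag:host": ["autogroup:admin"],
    "tag:vm":   ["autogroup:admin"],
  },

  "ssh": [
    // --- Permissive shape (the situation described in the post) ---
    // Any device of a member may SSH, as root, to any other device of the
    // same member. A guest VM and its host owned by one account both match
    // autogroup:self, so the guest reaches root on the host without a
    // second check. Kept here only to show what to replace.
    // {
    //   "action": "accept",
    //   "src":    ["autogroup:member"],
    //   "dst":    ["autogroup:self"],
    //   "users":  ["autogroup:nonroot", "root"],
    // },

    // --- Restricted replacement ---
    // 1. Tagged hosts: only non-root logins, and never from tagged VMs.
    //    Tagged devices are not "owned" by a user, so autogroup:self no
    //    longer lumps the host in with that user's other machines.
    {
      "action": "check",
      "src":    ["autogroup:member"],
      "dst":    ["tag:host"],
      "users":  ["autogroup:nonroot"],
      "checkPeriod": "1h",
    },
    // 2. Everything else a member owns: root still allowed, but only after
    //    a browser re-auth, re-prompted every 12h.
    {
      "action": "check",
      "src":    ["autogroup:member"],
      "dst":    ["autogroup:self"],
      "users":  ["autogroup:nonroot", "root"],
      "checkPeriod": "12h",
    },
  ],
}
```

Two points worth verifying after applying a change like this: `tailscale status` should show the host as tagged (so it has left `autogroup:self`), and an `ssh root@<host>` from the VM should now be refused by Tailscale itself before the host's `sshd` is ever involved. Because Tailscale SSH is terminated by `tailscaled`, the OS firewall rule that blocks port 22 on the host has no say in this path; the ACL is the only control.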