SSH from tailscale to tumbleweed

Hey guys, fresh Tumbleweed installation, Tailscale has been set up to accept SSH connections.
When I try to “tailscale ssh” into my machine, I get these errors:

“user: /home/user: change directory failed. Permission denied. Logging in with home = "/".”

“bash: /home/user/.bash_profile permission denied”

Despite these errors I do log in to the remote machine, but I land at /.
If I try to cd to my home dir I get permission denied.

I link a thread with a user having the same problem, but never solved.

Continuing the discussion from Ssh into tumbleweed from tailscale:

Anyone having the same issue?

What do you do?

Post the complete commandline and output here.

Set verbosity for ssh with -vvv

You seriously believe that anybody understands what it means?

So check permissions of your home dir.

Hey this is the verbose log.

OpenSSH_9.6p1, OpenSSL 3.1.4 24 Oct 2023
debug1: Reading configuration data /usr/etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-suse.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: /usr/etc/ssh/ssh_config line 31: include /usr/etc/ssh/ssh_config.d/*.conf matched no files
debug1: /usr/etc/ssh/ssh_config line 33: Applying options for *
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /usr/etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-suse.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: /usr/etc/ssh/ssh_config line 31: include /usr/etc/ssh/ssh_config.d/*.conf matched no files
debug1: /usr/etc/ssh/ssh_config line 33: Applying options for *
debug1: Executing proxy command: exec "/usr/bin/tailscale"  nc suseframework.burro-banana.ts.net. 22
debug1: identity file /home/pebbles/.ssh/id_rsa type -1
debug1: identity file /home/pebbles/.ssh/id_rsa-cert type -1
debug1: identity file /home/pebbles/.ssh/id_ecdsa type -1
debug1: identity file /home/pebbles/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/pebbles/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/pebbles/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/pebbles/.ssh/id_ed25519 type -1
debug1: identity file /home/pebbles/.ssh/id_ed25519-cert type -1
debug1: identity file /home/pebbles/.ssh/id_ed25519_sk type -1
debug1: identity file /home/pebbles/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/pebbles/.ssh/id_xmss type -1
debug1: identity file /home/pebbles/.ssh/id_xmss-cert type -1
debug1: identity file /home/pebbles/.ssh/id_dsa type -1
debug1: identity file /home/pebbles/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.6
debug1: Remote protocol version 2.0, remote software version Tailscale
debug1: compat_banner: no match: Tailscale
debug1: Authenticating to suseframework.burro-banana.ts.net.:22 as 'bamje'
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:/73Y0ACKy+Q++ZU3Ko0/a3cNvHxnon3K6emXBVKFGVw
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'suseframework.burro-banana.ts.net.' is known and matches the ED25519 host key.
debug1: Found key in /home/pebbles/.config/tailscale/ssh_known_hosts:3
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-dss>
debug1: kex_ext_info_check_ver: ping@openssh.com=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
Authenticated to suseframework.burro-banana.ts.net. (via proxy) using "none".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug1: Entering interactive session.
debug1: pledge: proc
debug1: Sending environment.
debug1: channel 0: setting env LANG = "en_US.utf8"
debug1: pledge: fork
Last login: Mon Jul  8 09:47:55 CEST 2024 from 100.125.52.93 on pts/1
bamje: /home/bamje: change directory failed: Permission denied
Logging in with home = "/".
-bash: /home/bamje/.bash_profile: Permission denied
bamje@suseframework:/>

I don’t assume anything, I checked my home dir permissions, I do have about 12 machines, different Linux distros, none gave me this type of behaviour so I thought it could have been a SUSE thing, asking if others have observed this.

You assume that people understand what “tailscale” is. I do not.

Tailscale is a zeroconfig VPN service, it allows you to connect your devices, containers too actually, to the same “flat” network, so they can reach each other even if they are located in different clouds, regions, private datacenters and so on.
You can then set rules on what can reach what.
Tailscale is based on WireGuard, and it’s pretty cool.

Apparently not “cool” enough to assume that people here understand by magic what it is and how you use it.

First thing I would do when I get a complaint about “permissions denied” is checking the permissions. Until now I see nothing of the kind.

ls -l /home/bamje
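The permission check suggested in the post above, as an added example that is not part of the original thread: it walks every directory from / down to the home directory and reports the first one whose mode bits deny search (x) to a given uid and gid list. The function name `first_blocked` and the `--session` switch are hypothetical; GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Judges plain mode bits only:
# ACLs, SELinux/AppArmor and sandboxing are not evaluated. Requires GNU stat.

# first_blocked PATH UID "GID ..." [START]
# Walks the directories from START (default /) down to PATH and prints the
# first one the given uid/gids cannot search (x bit). Prints nothing if none.
first_blocked() {
    local target="$1" uid="$2" gids="$3" dir="${4:-/}"
    local rest mode owner group ok g
    rest=${target#"$dir"}; rest=${rest#/}
    while :; do
        set -- $(stat -c '%a %u %g' -- "$dir" 2>/dev/null)
        [ "$#" -eq 3 ] || return 2          # stat failed (missing or unreadable)
        mode=$((0$1)); owner=$2; group=$3   # leading 0 => parse as octal
        if [ "$uid" -eq 0 ]; then
            ok=1                            # root bypasses the search check
        elif [ "$uid" -eq "$owner" ]; then
            ok=$(( (mode >> 6) & 1 ))       # owner class
        else
            ok=$(( mode & 1 ))              # other class, unless a gid matches
            for g in $gids; do
                if [ "$g" -eq "$group" ]; then ok=$(( (mode >> 3) & 1 )); fi
            done
        fi
        if [ "$ok" -ne 1 ]; then printf '%s\n' "$dir"; return 0; fi
        [ -n "$rest" ] || return 0
        dir=${dir%/}/${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
    done
}

# Run inside the affected session, e.g.: ./script --session /home/bamje
if [ "${1:-}" = "--session" ]; then
    id    # the uid and gids this session really runs with
    blocked=$(first_blocked "$2" "$(id -u)" "$(id -G)")
    echo "mode bits block at: ${blocked:-nothing}"
fi
```

If this reports nothing while `cd` still fails in the same session, the denial does not come from the mode bits, and the next things to compare against a normal login are the `id` output, ACLs and any mandatory access control or sandboxing applied to the session.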

So, apparently you are not talking to the OpenSSH server, but to some alternative implementation of SSH. In this case you should enable debugging in this application and check what happens. You could start with explaining what this alternative SSH implementation is.

If pledge here really means what I think it means - it is yet another way to restrict process privileges. Which can well interfere with anything including permissions.

What happens if you use normal OpenSSH server?
