
feat: Implement Tailscale SSH for medtech-regulated remote access #2

@c-vigo

Summary

Implement Tailscale SSH for identity-based, secure remote access to Ubuntu 22.04 host. This replaces traditional SSH key-based authentication with Tailscale's WireGuard-tunneled identity system, eliminating public SSH exposure.

Architecture

  • Tailscale daemon running on Ubuntu host (100.x.x.x)
  • Identity-based SSH (no shared keys)
  • UFW hardening: No public port 22
  • First-boot systemd service that installs and configures Tailscale once the network is up

Security Compliance

  • HIPAA: Identity-based access with session audit logging
  • IEC 62443: Acts as zone/conduit boundary
  • FDA Pre-market: Reduces attack surface; secure by design
  • 21 CFR Part 11: Individual identity tracking, audit trail
  • CIS Benchmark: Hardens network access control

FIPS 140-2 Gap (CRITICAL)

Tailscale uses WireGuard (ChaCha20-Poly1305, Curve25519) which are not FIPS 140-2 validated. Compensating controls: Tailscale supplements (not replaces) FIPS-validated OS crypto. It is a network-access control, not a cryptographic boundary for ePHI at rest.

Implementation Phases

Phase 1: Manual Validation (on test hardware)

  • Install Tailscale
  • Authenticate via one-time auth key
  • Configure ACLs (admin only, no root)
  • Test SSH via Tailscale hostname
  • Disable public SSH
  • Verify configuration across reboot

Phase 2: Automate in os_config

  • Create config/security/tailscale-setup.sh (first-boot install + auth)
  • Create config/security/tailscale-firstboot.service (systemd oneshot)
  • Update autoinstall/user-data.base (late-commands for setup)
  • Update autoinstall/user-data.local.template (auth_key placeholder)
  • Update scripts/hooks/post-install.sh (configure_tailscale function)
  • Update UFW rules (allow tailscale0 interface, remove 22/tcp after first boot)
  • Update docs/SECURITY.md (FIPS gap, compensating controls)
  • Update docs/IMPLEMENTATION_PLAN.md (Phase 3 security hardening reference)

Phase 3: Deploy and Test

  • Build ISO with Tailscale config
  • Deploy on test machine
  • Verify Tailscale SSH works
  • Confirm public SSH blocked
  • Verify auth key deleted after use
  • Test session in Tailscale audit logs

Files Changed

File                                         Action  Purpose
config/security/tailscale-setup.sh           New     First-boot install script
config/security/tailscale-firstboot.service  New     Systemd oneshot unit
autoinstall/user-data.base                   Edit    Add Tailscale config + late-commands
autoinstall/user-data.local.template         Edit    Add auth_key placeholder
scripts/hooks/post-install.sh                Edit    Add configure_tailscale function
docs/SECURITY.md                             Edit    FIPS gap, Tailscale security docs
docs/IMPLEMENTATION_PLAN.md                  Edit    Phase 3 reference

Key Design Decisions

  1. First-Boot Service: Tailscale is not in the Ubuntu repos and requires internet access. It is installed on first boot after the network is up.
  2. Auth Key as Secret: One-time, pre-approved, tagged key. Follows same injection pattern as Ubuntu Pro token.
  3. Fallback: If Tailscale fails on first boot, public SSH remains open (fallback to manual recovery).
  4. ACL Enforcement: No root SSH. Admins only. Re-auth check for each session.
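The first-boot flow described in Phases 1 and 2 (install, authenticate with the one-time auth key, `tailscale up --ssh`, confirm the node received a tailnet address, then close public port 22 with UFW, or leave it open on failure as Design Decision 3 requires) as an added example script. It is not the project's `config/security/tailscale-setup.sh`; the auth-key file path, the state-flag path, the `tailscale0` interface name, the `run` dry-run wrapper and the key length check are assumptions made for illustration.

```shell
#!/bin/sh
# tailscale-firstboot.sh: illustrative first-boot installer for Tailscale SSH.
# Added example, NOT the project's config/security/tailscale-setup.sh.
# Assumed: AUTH_KEY_FILE and STATE_FLAG paths, the tailscale0 interface name.
# Run as root from a systemd oneshot (After=network-online.target):
#   sh tailscale-firstboot.sh run
set -eu

AUTH_KEY_FILE="${AUTH_KEY_FILE:-/etc/tailscale/auth_key}"      # assumed: written by autoinstall late-commands
STATE_FLAG="${STATE_FLAG:-/var/lib/tailscale/firstboot.done}"  # assumed: marks a completed first boot
TS_HOSTNAME="${TS_HOSTNAME:-$(uname -n)}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints privileged commands instead of running them

log() { printf 'tailscale-firstboot: %s\n' "$*" >&2; }
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Accept only something shaped like a Tailscale auth key (tskey-auth-<id>-<secret>),
# so an unfilled template placeholder or an empty file never reaches `tailscale up`.
# The minimum length is an assumed sanity threshold, not a documented format rule.
valid_auth_key() {
  case "$1" in
    tskey-auth-*-*) [ "${#1}" -ge 30 ] ;;
    *) return 1 ;;
  esac
}

# Tailscale assigns node addresses from the CGNAT range 100.64.0.0/10,
# i.e. the second octet must be 64..127.
is_tailnet_ip() {
  case "$1" in
    100.[0-9]*.[0-9]*.[0-9]*) ;;
    *) return 1 ;;
  esac
  b=${1#100.}; b=${b%%.*}
  case "$b" in *[!0-9]*) return 1 ;; esac
  [ "$b" -ge 64 ] && [ "$b" -le 127 ]
}

install_tailscale() {
  # Tailscale is not in the Ubuntu archive: add its apt repo and keyring for 22.04 (jammy).
  # In a regulated build, mirror the package and pin the keyring rather than fetching at boot.
  run sh -c 'curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/jammy.noarmor.gpg -o /usr/share/keyrings/tailscale-archive-keyring.gpg'
  run sh -c 'curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/jammy.tailscale-keyring.list -o /etc/apt/sources.list.d/tailscale.list'
  run apt-get update -q
  run apt-get install -y -q tailscale
}

# Called only after Tailscale SSH is confirmed reachable: default-deny incoming,
# allow the tailnet interface, drop the public port-22 rule. `ufw delete` must name
# the rule exactly as it was added (use `ufw delete allow OpenSSH` if the app profile was used).
harden_firewall() {
  run ufw default deny incoming
  run ufw allow in on tailscale0
  run ufw delete allow 22/tcp
  run ufw --force enable
}

main() {
  if [ -e "$STATE_FLAG" ]; then log "already configured"; return 0; fi
  key=$(cat "$AUTH_KEY_FILE" 2>/dev/null | tr -d '[:space:]')
  if ! valid_auth_key "$key"; then
    log "no usable auth key in $AUTH_KEY_FILE; leaving public SSH open for manual recovery"
    return 1
  fi
  install_tailscale
  # --ssh enables Tailscale SSH (identity comes from the tailnet, no host-side authorized_keys);
  # a one-time key is consumed by the control plane on this call.
  run tailscale up --auth-key="$key" --ssh --hostname="$TS_HOSTNAME"
  run rm -f "$AUTH_KEY_FILE"   # do not leave the key on disk even though it is single-use
  unset key
  addr=$( [ "$DRY_RUN" = 1 ] && echo 100.64.0.1 || tailscale ip -4 )   # dry run: constructed address
  if ! is_tailnet_ip "$addr"; then
    log "node has no tailnet address ('$addr'); leaving public SSH open"
    return 1
  fi
  harden_firewall
  run touch "$STATE_FLAG"
  log "Tailscale SSH active at $addr; public port 22 closed"
}

case "${1:-}" in run) main ;; esac
```

The script returns non-zero without touching UFW whenever the key is missing or the node never gets a tailnet address, which is what keeps public SSH open as the recovery path; the systemd unit should therefore not `Restart=` on failure in a way that masks the error. The "admin only, no root" rule belongs in the tailnet policy file's `ssh` section (checked against the Tailscale identity on each session), not on the host, so nothing in this script enforces it.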

References

Labels: feature (New feature or request), security (Security hardening and access control)