Tailscale and configuring additional Google Workspace two-factor authentication for SSH connections


We are trialing Tailscale set-up for production server SSH connections. We are using Google Workspace as the identity provider for Tailscale.

Because production servers are more security critical than the general data kept in Google Workspace, we'd like to ensure that any Tailscale session has a shorter session timeout and that the user is always asked for two-factor authentication.

By default, Google Workspace asks for two-factor authentication only once per browser, which is fine if you want to access Docs, email and such. It does not issue an additional two-factor authentication request after the user has logged into the service in their browser.

  • Can Tailscale and the Google Workspace identity provider be configured so that, for the Tailscale application / integration (whatever the correct term is), Google prompts for a two-factor authentication code at least every 24h?

  • Does Google Workspace support per-application security rules for login to make some applications more security critical?

  • We also found out that Tailscale SSH, unlike e.g. Cloudflare Zero, does not seem to work with the google-authenticator PAM module, which could be a workaround. Please correct me if I am wrong here.

Answer 1 (accepted):

One way to solve this is to use passkey authentication (currently in beta for Tailscale).

  • Passkey authentication can be performed on your paired mobile phone when using Google Chrome, or with a hardware device on Firefox (YubiKey)

  • The added bonus is that a passkey is more secure than a password, as it is tied to the secure enclave of a specific device and is phishing-proof

  • Passkeys also do not require you to open additional accounts with identity providers (Google, Okta, Microsoft, Apple)

  • Passkey authentication correctly respects any session timeout you can configure for it, e.g. to avoid issues with stolen devices

Here is an example of how to configure the timeout:

{
    "acls": [
        // Allow all connections.
        {"action": "accept", "src": ["*"], "dst": ["*:*"]},
    ],
    "groups": {
        "group:operator": [
            "foo@passkey",
            "bar@passkey",
        ],
    },
    "tagOwners": {
        "tag:prod": ["group:operator"],
    },
    "ssh": [
        // Let operators SSH into prod hosts as non-root users, but only after
        // a fresh identity-provider check ("check" action).
        // Learn more at https://tailscale.com/kb/1193/tailscale-ssh/
        {
            "action":      "check",
            "src":         ["group:operator"],
            "dst":         ["tag:prod"],
            "users":       ["autogroup:nonroot"],
            // Force reauth every 24h
            "checkPeriod": "24h",
        },
    ],
}
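As an added example (my own code, not part of the answer above and not Tailscale's tooling), here is a small Python linter for a policy file in the HuJSON form Tailscale uses (comments and trailing commas). It flags any SSH rule that can reach tag:prod and does not use action "check", grants root, or has a checkPeriod longer than 24h, so a weakened rule is caught before the policy is pushed. The sample policy is constructed for the example; the 12h default for checkPeriod and the "always" value follow my reading of the Tailscale SSH documentation and are assumptions here.

```python
"""Lint a Tailscale policy so every SSH rule into production hosts forces a
fresh identity-provider check at least every 24h.

Added example, not Tailscale's code. The HuJSON reader is a small hand-rolled
scanner (comments + trailing commas) so the script runs offline.
"""
import json
import re

# Constructed sample policy: one compliant prod rule plus two that should fail.
SAMPLE_POLICY = r'''
{
    "acls": [
        // Allow all connections.
        {"action": "accept", "src": ["*"], "dst": ["*:*"]},
    ],
    "groups": {
        "group:operator": ["foo@passkey", "bar@passkey"],
    },
    "tagOwners": {
        "tag:prod": ["group:operator"],
    },
    "ssh": [
        {
            "action":      "check",
            "src":         ["group:operator"],
            "dst":         ["tag:prod"],
            "users":       ["autogroup:nonroot"],
            "checkPeriod": "24h",
        },
        {
            "action": "accept",          /* no re-auth at all, and root */
            "src":    ["group:operator"],
            "dst":    ["tag:prod"],
            "users":  ["root"],
        },
        {
            "action":      "check",
            "src":         ["group:operator"],
            "dst":         ["tag:prod", "tag:staging"],
            "users":       ["autogroup:nonroot"],
            "checkPeriod": "168h",       // a week between checks is too long
        },
    ],
}
'''


def hujson_loads(text: str):
    """Parse HuJSON: JSON plus //, /* */ comments and trailing commas.

    Single pass. String literals are copied verbatim, so a '//' or ',' inside a
    string is never touched. A comma is held back until the next token and
    dropped if that token closes a list or object.
    """
    out, pending, i, n = [], "", 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':                                   # string literal
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1       # skip escaped characters
            out.append(pending)
            pending = ""
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("//", i):                 # line comment
            j = text.find("\n", i)
            i = n if j < 0 else j
        elif text.startswith("/*", i):                 # block comment
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
        elif c == ",":                                 # hold the comma back
            out.append(pending)
            pending = ","
            i += 1
        elif c.isspace():
            if pending:
                pending += c
            else:
                out.append(c)
            i += 1
        elif c in "]}":                                # trailing comma: drop it
            pending = ""
            out.append(c)
            i += 1
        else:
            out.append(pending)
            pending = ""
            out.append(c)
            i += 1
    return json.loads("".join(out) + pending)


_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}
_DURATION_PART = re.compile(r"(\d+(?:\.\d+)?)([hms])")


def parse_check_period(value: str) -> float:
    """Go-style duration ("24h", "1h30m") -> seconds; "always" -> 0 (assumed to
    mean "re-check on every connection")."""
    if value == "always":
        return 0.0
    total, pos = 0.0, 0
    for m in _DURATION_PART.finditer(value):
        if m.start() != pos:
            break
        total += float(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(value):
        raise ValueError(f"unparseable checkPeriod {value!r}")
    return total


def lint_ssh_rules(policy: dict, prod_dst: str = "tag:prod",
                   max_period: str = "24h") -> list[str]:
    """One finding per SSH rule that can reach prod_dst and is weaker than:
    action "check", no root login, checkPeriod <= max_period."""
    limit = parse_check_period(max_period)
    findings = []
    for idx, rule in enumerate(policy.get("ssh", [])):
        if prod_dst not in rule.get("dst", []):
            continue
        where = f"ssh[{idx}]"
        if "root" in rule.get("users", []):
            findings.append(f"{where}: grants root on {prod_dst}")
        if rule.get("action") != "check":
            findings.append(f"{where}: action {rule.get('action')!r} skips the IdP re-check")
            continue
        period = rule.get("checkPeriod", "12h")   # assumed Tailscale default
        try:
            if parse_check_period(period) > limit:
                findings.append(f"{where}: checkPeriod {period} exceeds {max_period}")
        except ValueError as err:
            findings.append(f"{where}: {err}")
    return findings


if __name__ == "__main__":
    for line in lint_ssh_rules(hujson_loads(SAMPLE_POLICY)):
        print(line)
```

Run it against the real policy file by reading it into `hujson_loads` in place of SAMPLE_POLICY; a non-empty findings list is a reason to fail the CI step that uploads the policy. The 12h fallback matters: a "check" rule with no checkPeriod is not "no re-auth", but it is also not the 24h the question asks for unless the default is tighter than the limit you lint against.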
Answer 2:

A quick Google search shows you can adjust the frequency of 2FA prompts in your Admin console.

https://support.google.com/a/answer/9176657?hl=en (Scroll down to frequency)

Workspace does not appear to support per-application rules, so I suppose you’ll just have to re-authenticate all the time. Tailscale seems to have an experimental PAM module here.

https://github.com/tailscale/pam

And because this uses your Tailscale credentials, you can use your Workspace account with it and set up authentication rules in your Admin console. However, this is a project that isn’t meant to be used in production settings yet. The page warns you about it being a proof of concept, and that the security of the project is still unknown. Additionally, it’s in no way Google’s PAM module, and Tailscale’s compatibility with that is completely unknown to me.