refactor: drop PAM auth and require password for funnel
@@ -281,7 +281,7 @@ Defaults:
mode: "local", // or "remote"
bind: "loopback",
// controlUi: { enabled: true }
// auth: { mode: "token" | "password" | "system" }
// auth: { mode: "token" | "password" }
// tailscale: { mode: "off" | "serve" | "funnel" }
}
}
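Review bot: nothing in this hunk says what `clawdis gateway` does with an existing config that still carries `auth: { mode: "system" }`. Since the Notes already state that the gateway refuses to start unless `gateway.mode` is `local`, the same section should say whether a stale `system` value is rejected with an error or silently ignored, and the defaults comment could carry the hint, e.g. `// auth: { mode: "token" | "password" }  // "system" (PAM) removed`, so users who hit the error find the reason.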
@@ -291,10 +291,9 @@ Notes:
- `clawdis gateway` refuses to start unless `gateway.mode` is set to `local` (or you pass the override flag).
Auth and Tailscale:
- `gateway.auth.mode` sets the handshake requirements (`token`, `password`, or `system`/PAM).
- `gateway.auth.mode` sets the handshake requirements (`token` or `password`).
- When `gateway.auth.mode` is set, only that method is accepted (plus optional Tailscale headers).
- `gateway.auth.password` can be set here, or via `CLAWDIS_GATEWAY_PASSWORD` (recommended).
- `gateway.auth.username` defaults to the current OS user; override with `CLAWDIS_GATEWAY_USERNAME`.
- `gateway.auth.allowTailscale` controls whether Tailscale identity headers can satisfy auth.
- `gateway.tailscale.mode: "serve"` uses Tailscale Serve (tailnet only, loopback bind).
- `gateway.tailscale.mode: "funnel"` exposes the dashboard publicly; requires auth.
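Review bot: the unchanged bullet `gateway.auth.username defaults to the current OS user; override with CLAWDIS_GATEWAY_USERNAME` is now stale: username was the PAM input, and the dashboard hunk in this same commit stops storing a username. Either drop the bullet or say what `username` does in `password` mode. The last bullet, `funnel exposes the dashboard publicly; requires auth`, should also match the Tailscale doc's new wording (requires `gateway.auth.mode: "password"`), since a token alone is no longer enough for funnel.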
@@ -14,8 +14,8 @@ It speaks **directly to the Gateway WebSocket** on the same port.
Auth is supplied during the WebSocket handshake via:
- `connect.params.auth.token`
- `connect.params.auth.password` (optional `username` for system/PAM)
The dashboard settings panel lets you store a token and optional username; passwords are not persisted.
- `connect.params.auth.password`
The dashboard settings panel lets you store a token; passwords are not persisted.
## What it can do (today)
- Chat with the model via Gateway WS (`chat.history`, `chat.send`, `chat.abort`)
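Review bot: style, the paragraph `The dashboard settings panel lets you store a token; passwords are not persisted.` follows the last bullet with no blank line, so Markdown lazy continuation renders it as part of the `connect.params.auth.password` bullet; add a blank line before it. One more sentence would help here: because funnel now requires `password` mode and an explicit mode accepts only that method, a stored token will not get a public (funnel) user into the dashboard.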
@@ -13,7 +13,7 @@ Tailscale provides HTTPS, routing, and (for Serve) identity headers.
## Modes
- `serve`: Tailnet-only HTTPS via `tailscale serve`. The gateway stays on `127.0.0.1`.
- `funnel`: Public HTTPS via `tailscale funnel`. Requires auth.
- `funnel`: Public HTTPS via `tailscale funnel`. Requires a shared password.
- `off`: Default (no Tailscale automation).
## Auth
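Review bot: `Requires a shared password` should name the knob and the consequence. `funnel` requires `gateway.auth.mode: "password"`, and because `token` is the default whenever `CLAWDIS_GATEWAY_TOKEN` is set, a user who has only exported the token will see the gateway refuse to start. Suggest: `- funnel: Public HTTPS via tailscale funnel. Requires gateway.auth.mode: "password" (a token is not accepted).`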
@@ -22,10 +22,9 @@ Set `gateway.auth.mode` to control the handshake:
- `token` (default when `CLAWDIS_GATEWAY_TOKEN` is set)
- `password` (shared secret via `CLAWDIS_GATEWAY_PASSWORD` or config)
- `system` (PAM, validates your OS password)
When `tailscale.mode = "serve"`, the gateway trusts Tailscale identity headers by
default unless you force `gateway.auth.mode` to `password`/`system` or set
default unless you force `gateway.auth.mode` to `password` or set
`gateway.auth.allowTailscale: false`.
## Config examples
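Review bot: `unless you force gateway.auth.mode to password or set gateway.auth.allowTailscale: false` contradicts the config doc's `When gateway.auth.mode is set, only that method is accepted (plus optional Tailscale headers)`: one says an explicit `password` mode disables identity-header trust, the other says headers remain an option in any explicit mode. Decide which is true and fix the other file in this commit. Also, with `system` gone, the list only covers the token default; say what the handshake mode is when `CLAWDIS_GATEWAY_TOKEN` is unset and `tailscale.mode` is `off`.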
@@ -43,20 +42,6 @@ default unless you force `gateway.auth.mode` to `password`/`system` or set
Open: `https://<magicdns>/ui/`
### Public internet (Funnel + system password)
```json5
{
gateway: {
bind: "loopback",
tailscale: { mode: "funnel" },
auth: { mode: "system" }
}
}
```
Open: `https://<magicdns>/ui/` (public)
### Public internet (Funnel + shared password)
```json5
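Review bot: deleting the `Funnel + system password` example also removes the only public-exposure path that tied authentication to a per-user OS account. The surviving `Funnel + shared password` example should say plainly that every public user presents the same secret, with no per-user identity, and point tailnet users to `serve` with identity headers instead. Check that the remaining example still has its own `Open: https://<magicdns>/ui/ (public)` line, since that line was deleted together with this block.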
@@ -75,13 +60,12 @@ Prefer `CLAWDIS_GATEWAY_PASSWORD` over committing a password to disk.
```bash
clawdis gateway --tailscale serve
clawdis gateway --tailscale funnel --auth system
clawdis gateway --tailscale funnel --auth password
```
## Notes
- Tailscale Serve/Funnel requires the `tailscale` CLI to be installed and logged in.
- System auth uses the optional `authenticate-pam` native module; install if missing.
- `tailscale.mode: "funnel"` refuses to start without auth to avoid public exposure.
- `tailscale.mode: "funnel"` refuses to start unless auth mode is `password` to avoid public exposure.
- Set `gateway.tailscale.resetOnExit` if you want Clawdis to undo `tailscale serve`
or `tailscale funnel` configuration on shutdown.
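Review bot: `clawdis gateway --tailscale funnel --auth password` is not runnable as shown because nothing supplies the password; given this section's own advice to prefer `CLAWDIS_GATEWAY_PASSWORD` over a password on disk, write it as `CLAWDIS_GATEWAY_PASSWORD='...' clawdis gateway --tailscale funnel --auth password`. Dropping the `authenticate-pam` note should be paired with removing that optional native dependency from the package manifest and lockfile in the same commit, if it is still declared there.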
@@ -86,7 +86,7 @@ Open:
gateway: {
bind: "loopback",
tailscale: { mode: "funnel" },
auth: { mode: "system" } // or "password" with CLAWDIS_GATEWAY_PASSWORD
auth: { mode: "password" } // or CLAWDIS_GATEWAY_PASSWORD
}
}
```
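Review bot: the new trailing comment `// or CLAWDIS_GATEWAY_PASSWORD` misreads: the env var supplies the password value, it is not an alternative to `mode: "password"`, which the Notes say funnel requires. Suggest `auth: { mode: "password" } // password from CLAWDIS_GATEWAY_PASSWORD (recommended) or gateway.auth.password`.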
@@ -94,9 +94,9 @@ Open:
## Security notes
- Binding the Gateway to a non-loopback address **requires** auth (`CLAWDIS_GATEWAY_TOKEN` or `gateway.auth`).
- `gateway.auth.mode: "system"` uses PAM to verify your OS password.
- The UI sends `connect.params.auth.token` or `connect.params.auth.password`.
- Use `gateway.auth.allowTailscale: false` to require explicit credentials even in Serve mode.
- `gateway.tailscale.mode: "funnel"` requires `gateway.auth.mode: "password"` (shared password).
## Building the UI
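Review bot: the new bullet says funnel requires `password` mode but sits right under the `allowTailscale` bullet, which only applies to Serve (this doc's intro says identity headers are provided for Serve). Add that under funnel the identity-header path does not apply and the shared password is the only credential accepted, so readers do not expect `allowTailscale` to matter for public exposure. The first bullet's `CLAWDIS_GATEWAY_TOKEN or gateway.auth` should also state that a token is not sufficient once `tailscale.mode` is `funnel`.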