| author | Will Hannah <willh@tailscale.com> | 2026-02-06 09:40:55 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2026-02-06 09:40:55 -0500 |
| commit | 058cc3f82bfcaa8d5b49d00d5e9c46fdcd289bbd (patch) | |
| tree | 8830b0e8c3533f889aca1f3f64500b530fac61f6 | |
| parent | 6587cafb3fa3c59b81c92e566f851b2efd65524b (diff) | |
ipn/ipnlocal: skip AuthKey use if profiles exist (#18619)
If any profiles exist and an AuthKey is provided via syspolicy, the
AuthKey is ignored on backend start, preventing re-auth attempts. This
is useful for one-time device provisioning scenarios, skipping AuthKey
use after initial setup when the AuthKey may no longer be valid.
updates #18618
Signed-off-by: Will Hannah <willh@tailscale.com>
| -rw-r--r-- | ipn/ipnlocal/local.go | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/ipn/ipnlocal/local.go b/ipn/ipnlocal/local.go
index 300f7a4c3..821f79abf 100644
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -2478,7 +2478,9 @@ func (b *LocalBackend) startLocked(opts ipn.Options) error {
 if b.state != ipn.Running && b.conf == nil && opts.AuthKey == "" {
 sysak, _ := b.polc.GetString(pkey.AuthKey, "")
- if sysak != "" {
+ if sysak != "" && len(b.pm.Profiles()) > 0 && b.state != ipn.NeedsLogin {
+ logf("not setting opts.AuthKey from syspolicy; login profiles exist, state=%v", b.state)
+ } else if sysak != "" {
 logf("setting opts.AuthKey by syspolicy, len=%v", len(sysak))
 opts.AuthKey = strings.TrimSpace(sysak)
 } |
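Review bot: The new skip condition carries an undocumented exemption: the commit description says the key is ignored whenever profiles exist, but the code still applies it when `b.state == ipn.NeedsLogin`, and nothing at the branch says why. Since this decides whether a provisioning credential is replayed, a comment above the `if` would help, for example `// Skip the policy AuthKey once any login profile exists, unless the backend is in NeedsLogin and must authenticate again.` The test is also `len(b.pm.Profiles()) > 0`, which as written counts any stored profile rather than the one being started; if that is intended, the comment should say so. Separately, `sysak != ""` is evaluated before `strings.TrimSpace`, so a whitespace-only policy value reaches the `else if` branch and assigns an empty `opts.AuthKey`; adding `sysak = strings.TrimSpace(sysak)` right after `GetString` would make both checks see the trimmed value. The body of `startLocked` begins and continues outside this hunk.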
