If I understand Tailscale correctly a PAM module that knows which machine it is running on and the username logging in will allow them to decide on a per-machine level if the current client is allowed to go there (to this account), so it could bring their authentication game to a whole other level.
Not sure if they should do that (or if anyone should do that) but it's an interesting thing to think about. Even if it's just to hide away some of the pain that are the PAMs/LDAP Groups of this world.
If I understand Tailscale correctly a PAM module that knows which machine it is running on and the username logging in will allow them to decide on a per-machine level if the current client is allowed to go there (to this account), so it could bring their authentication game to a whole other level.
Not sure if they should do that (or if anyone should do that) but it's an interesting thing to think about. Even if it's just to hide away some of the pain that are the PAMs/LDAP Groups of this world.