[exe.dev co-founder here] Hi. Re: oauth2, the last product I built, Tailscale, only did auth by oauth2. I chose this because 1. businesses need it anyway, and 2. passwords are terrible.
But it was a choice that does not come for free. I dread a page of buttons for third-party services, and the control I give them over my life. I hate that I never know if I should log in with GitHub, or Google, and for a dozen services I have multiple accounts because I got lost in the miasma of oauth2.
Still, it was better than passwords!
But since the last product I built, the world has changed. We have passkeys now. Which are superior in every way for individuals using a third-party service. You get better UX. You get better privacy. It is a fundamentally better technology.
I did not list SSO under teams because I want to "tax" people. I did it because SSO only makes sense for businesses, where an administrator controls accounts, and can delete yours when necessary. There, oauth2 is the best technology we have. But for individuals, it is a dead technology. I am reluctant to make everyone's exe.dev experience worse for legacy tech.
"We" don't have passkeys now. Many functional android devices are not being upgraded to the latest Android versions, and simply will never get true passkey support that isn't locked away inside of Google's vault.
Passwords are much better than the OAuth2 coolaid, and passwords will still be better as long as older devices can't support passkeys due to arbitrary restrictions.
Appreciate you not following Tailscale's authentication many SSO provider approach. It makes sense for teams/business, (Tailscale's customers) but creates some confusion and extra friction for casual homelab users like me. I have a note in 1Password for tailscale.com just titled "USE GITHUB AUTH".
Passkeys work great for me and I greatly prefer them. Exe.dev I think is the first service I've seen that's so passkey centric and it makes a lot of sense.
I don't see how Oauth2 is a legacy technology. It will never be until all of the problems of passkeys are solved. And I very much wouldn't just dismiss oauth2 as something only businesses have, because Oauth2 does have its uses where it can convey information a passkey cannot.
[exe.dev cofounder here] Thanks for the feedback! We do not support private registries yet but it is very much on our mind, it is one of the first things business customers ask for so we know we have to build it.
We are also exploring alternatives for pre-configuring your VM. (Because we make lots of VMs and feel this too, so it is very much on our mind.) One is a sub-second VM "clone" feature, so you can configure a base VM to use as an image.
[exe.dev cofounder here] Hi! Thanks for the feedback. I am deeply allergic to passwords and so I am trying to delay adding them. Did you try our passkey support?
[exe.dev co-founder here] This grew out of our work on sketch. We built a container-based system for it, and found ourselves saying "I wish we just had a computer." This is our answer to that.
If you are interested in our work and agents, I would suggest trying Shelley, the little agent we have in exe.dev. There has been some discussion about what to do with sketch on its discord channel, but we won't be putting energy into it going forward.
(A blog post with far more details is in the works.)
[exe.dev co-founder here] You can make it public! Our TLS proxy supports it, and supports CNAME rules (plus a top-level trick) to let you put a domain name on it. To make the HTTP server on port 8000 of your VM public run:
[exe.dev co-founder here] You are right, you cannot! It was quite a bit of work. We have a blog post in the works that should come out in a couple of weeks with all the details.
I was just sufficiently nerd sniped by this, so let me know if I’m close:
Based on what the commenter below found about sshpiper I believe that you use the ssh identity + the ip from the slot to resolve the vm target. sshpiper knows how to route the ssh identity + slot ip to the correct VM. I suspect you have a custom sshpiper plugin to do that routing.
You use the slot record indirection so you can change the ip of a slot without having to update everyone’s A records across the customer base. It also makes it easy to shuffle around vm-slot mappings within a customer. I haven’t tested, but I’m guessing this dns server is internal (coredns?), and the ips too.
I did something similar (ip + identity routing) for a project a few weeks ago. Yours is a lot more elegant with the dns indirection.
I’m no ssh expert, but in theory you should be able to ssh -J exe.dev myvm.exe.xyz for a one-liner? Or maybe you don't even need it, if that DNS server within the ssh exe.dev is the same as the public DNS. Pardon for not testing it yet!
[exe.dev co-founder here] Thank you! Not to give too many secrets away, but my hope is to follow a business model I have been part of before, and make it as cheap as possible for individuals so they encourage their employers to buy it for work. So I would very much love to get cheaper.
The two constraints are that, one, when small underlying resources are expensive (we hope to fix that soon by not being small!), and two, we do not want to make the resource allocation so small that the VM feels unpleasant to use. So there is a floor on how small we make them.
That said, I very very much want to drop prices. We started with conservative numbers.
[exe.dev co-founder here] Hi there, I am not sure exactly where you are, but your VM is ubuntu derived and definitely starts with apt and bash. Perhaps try `ssh yourvm.exe.xyz`?
While at tailscale you built sketch.dev only to actually build this product ? Love it. Ultimate yak shave.
Kind of how like Antithesis was the product inside foundationdb.
[exe.dev co-founder here] It is planned! The reason we have not got to it yet is it needs to be very different than IPv4 support. We have spent a lot of time on machinery to allow `ssh yourmachine.exe.xyz` work without having to allocate you an IPv4 address. The mechanisms for IPv6 can and should be different, but they will also interact with how assigning public static IPv4 addresses will work in the future.
We do not want to end up in the state AWS is in, where any production work requires navigating the differences between how AWS manage v4 and v6. And that means rolling out v6 is going to be a lot of work for us. It will get done.
But it was a choice that does not come for free. I dread a page of buttons for third-party services, and the control I give them over my life. I hate that I never know if I should log in with GitHub, or Google, and for a dozen services I have multiple accounts because I got lost in the miasma of oauth2.
Still, it was better than passwords!
But since the last product I built, the world has changed. We have passkeys now. Which are superior in every way for individuals using a third-party service. You get better UX. You get better privacy. It is a fundamentally better technology.
I did not list SSO under teams because I want to "tax" people. I did it because SSO only makes sense for businesses, where an administrator controls accounts, and can delete yours when necessary. There, oauth2 is the best technology we have. But for individuals, it is a dead technology. I am reluctant to make everyone's exe.dev experience worse for legacy tech.
reply