Tailscale SSH
Tailscale SSH manages SSH authentication on a tailnet, encrypts connections, supports re-authentication for high-risk connections, maintains existing configurations, and uses ACLs for user and device access control.
Tailscale SSH is a feature that lets Tailscale manage SSH authentication and authorization on a user's tailnet. Available for Personal, Premium, and Enterprise plans, it lets users run their usual ssh client while Tailscale handles authentication. On a node that advertises it, tailscaled handles incoming connections to port 22 that arrive over the Tailscale interface: the connection is already encrypted by WireGuard, and the peer is identified by its node key, so no SSH host keys or authorized_keys entries are needed for connections that originate on the tailnet. For high-risk connections, an SSH rule's action can be set to check mode, which requires the connecting user to re-authenticate with the identity provider before the session starts; the re-authentication stays valid for the rule's checkPeriod, after which a new connection must re-check. Tailscale SSH does not modify the existing sshd configuration or authorized_keys files, so SSH connections that do not arrive over Tailscale continue to be served by the regular sshd on port 22. Key management and user revocation are simplified: the tailnet's Access Control Lists (ACLs) determine which users and devices can connect via SSH and as which local user, and removing a user from the tailnet removes their SSH access. Tailscale SSH also supports SFTP and SCP for file transfers. To enable it, advertise it on the destination device (for example with tailscale up --ssh) and ensure appropriate ssh rules are in the tailnet policy. The setup requires Tailscale v1.24 or later and a Linux or macOS destination. Overall, Tailscale SSH enhances security and simplifies the management of SSH connections within a network.
- Tailscale SSH manages SSH authentication and authorization on a tailnet.
- Connections are already encrypted by WireGuard and authenticated by node keys; tailscaled handles connections to port 22 that arrive over the tailnet, leaving non-Tailscale connections to the regular sshd.
- Users can require re-authentication for high-risk connections through check mode.
- Existing SSH configurations remain unchanged, allowing traditional connections.
- Access Control Lists (ACLs) determine which users and devices can connect via SSH.
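The following tailnet policy is an added example, not taken from the article or from Tailscale's own documentation, showing how the pieces above fit together: a network ACL that lets the source reach port 22, an "ssh" rule that grants non-root logins outright, and a second rule that puts root logins into check mode. The tag tag:dev, the group group:devs and the user addresses are assumptions for illustration.

```jsonc
{
  // Added example policy (HuJSON). Names below are illustrative assumptions.
  "tagOwners": {
    "tag:dev": ["group:devs"]
  },
  "groups": {
    "group:devs": ["alice@example.com", "bob@example.com"]
  },
  "acls": [
    // Network-level rule: without this, packets never reach port 22
    // on tag:dev machines, regardless of the "ssh" section.
    { "action": "accept", "src": ["group:devs"], "dst": ["tag:dev:22"] }
  ],
  "ssh": [
    // Developers may log in to tag:dev machines as any non-root user
    // using their existing tailnet identity; no re-authentication.
    {
      "action": "accept",
      "src": ["group:devs"],
      "dst": ["tag:dev"],
      "users": ["autogroup:nonroot"]
    },
    // Root is treated as high-risk: "check" forces a fresh login with the
    // identity provider, and that check stays valid for 8 hours.
    {
      "action": "check",
      "src": ["group:devs"],
      "dst": ["tag:dev"],
      "users": ["root"],
      "checkPeriod": "8h"
    }
  ]
}
```

On the destination, run `sudo tailscale up --ssh` (or, on newer releases, `tailscale set --ssh`) so the node advertises Tailscale SSH; the node must carry tag:dev for these rules to match it. From a client on the tailnet, `ssh alice@devbox` then succeeds with no key exchange at the SSH layer, while `ssh root@devbox` prints a verification URL and waits until the identity-provider login completes. Removing a user from group:devs, or the whole user from the tailnet, revokes both paths immediately; nothing on the destination's filesystem needs to change.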
Related
SSH has become our universal (Unix) external access protocol
SSH is widely used at a university for remote access. Organizations prefer a single VPN for security in low external access environments. WireGuard is suggested for personal use due to its security advantages over SSH.
Why aren't we using SSH for everything? (2015)
SSH, known for secure server access, can extend to chat rooms, APIs, and file serving. Despite lacking HTTP/2 features, its encryption and authentication benefits raise questions on underutilization.
How to Use Tailscale VPN to Embrace Remote Work and Explore the World
The rise of remote work has led to increased interest in digital nomadism, with Tailscale recommended for secure, flexible internet access through a self-hosted VPN, enhancing privacy while traveling.
Wush: Simplest and fastest way to transfer files between computers via WireGuard
Wush is a command line tool for secure file transfers and shell access using WireGuard, eliminating the need for relay servers, enhancing security, and supporting various tasks like SSH and file transfers.
Coding on iPad using self-hosted VSCode, Caddy, and code-server
This guide explains setting up coding on an iPad using VSCode, code-server, and Tailscale for secure access, requiring an Ubuntu server and configuration adjustments for security and functionality.
I am often away from my home network and my main gaming machine is asleep. I worked around this by installing tailscale + tailscale ssh on my router (yes you can do this!) and using it to send a wake-on-lan packet to my gaming machine.
Some useful fzf code for anyone that wants to get a listing of tailssh machines.
# List tailnet peers tagged tag:dev by MagicDNS name and pick one with fzf.
tailscale status --json | jq -r '
  .Peer[] |
  select(any(.Tags[]?; contains("tag:dev"))) |
  .DNSName' |
sed 's/\.$//' |
fzf --ansi --border-label="| Tailscale SSH Hosts |" --height=30% --border=rounded \
    --margin=2,2,2,2 --prompt "Connect to: " --preview-window=top:40% \
    --bind "j:down,k:up,ctrl-j:preview-down,ctrl-k:preview-up,ctrl-f:preview-page-down,ctrl-b:preview-page-up"
> Your SSH config (/etc/ssh/sshd_config) and keys (~/.ssh/authorized_keys) files will not be modified, which means that other SSH connections to the same host, not made over Tailscale, will still work.
Am I misunderstanding what's meant by "taking over" port 22, and it can also still be used by sshd for connections outside of Tailscale, or is the claim that other ssh connections will still work predicated on using a non-default port? If the latter, I'm surprised they don't pick another port instead to use for ssh coming from within Tailscale's network since it seems like they should be able to control the port the client side connects to as well, and then it wouldn't interfere with existing ssh. It would be strange to tout not interfering with existing ssh access if they left probably the biggest way to avoid interference untouched.
There are other implementations, such as AWS's Session Manager and Teleport, that implement SSH and allow authentication using IAM and Teleport.
The added features, like SSH session recordings, are great to have.