LinuxCommandLibrary

tailscale-ssh

SSH into Tailscale devices without key management

TLDR

Advertise/Disable SSH on the host

$ tailscale up --ssh=[true|false]

SSH to a specific host that has Tailscale SSH enabled
$ tailscale ssh [username]@[host]

SYNOPSIS

tailscale-ssh [options] [user@]host [command]

PARAMETERS

-p port
    Specifies the port to connect to on the remote host, overriding the default SSH port (22).

-i identity_file
    Selects an identity file (private key) for public key authentication. While less common with tailscale-ssh's identity-based model, it can be used for specific setups.

-o option
    Passes OpenSSH client configuration options directly, such as "ProxyCommand=none" for specific network scenarios.

-v
    Increases verbosity, displaying debugging messages about the connection process.

-q
    Suppresses warning and diagnostic messages.

DESCRIPTION

tailscale-ssh is a powerful command-line utility integral to the Tailscale ecosystem, enabling secure SSH connections to other devices within your Tailscale network. Unlike traditional SSH, which relies on managing individual SSH keys or passwords, tailscale-ssh leverages Tailscale's identity-based access control and centralizes authorization through Tailscale's ACLs (Access Control Lists).

This command simplifies infrastructure management significantly. Users are authenticated based on their Tailscale identity, and access permissions are enforced by your organization's Tailscale policy, eliminating the need for manual key distribution or complex SSH configurations on each host. It works by acting as a wrapper or proxy for the standard OpenSSH client, ensuring that all traffic is encrypted, authenticated, and routed securely over the Tailscale mesh. It's particularly valuable for environments with many machines where maintaining consistent, secure remote access without key sprawl is a priority.

CAVEATS

For tailscale-ssh to function, both the client and the target machine must have the Tailscale daemon running and be connected to the same Tailnet. The target machine's SSH daemon (sshd) must be specifically configured to allow tailscale-ssh access, often by using an AuthorizedKeysCommand directive in sshd_config to query Tailscale for authorized keys, or by enabling the Tailscale SSH feature on the node. Authorization is strictly governed by Tailscale ACLs.

CONFIGURATION ON TARGET HOST

To enable tailscale-ssh on a target Linux machine, you typically configure its SSH daemon (sshd). This usually means adding an "AuthorizedKeysCommand /usr/bin/tailscale ssh --authorized-keys %u" line to /etc/ssh/sshd_config, then restarting the sshd service. This command dynamically generates authorized keys based on Tailscale's identity system and your ACLs.
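The sshd side of this setup is easy to get half right. The following is an added example, not code from this page or from Tailscale: it parses a constructed sshd_config (the AuthorizedKeysCommand line is the one quoted above) the way sshd reads it, with the first value of each keyword winning, and reports the gaps a practitioner checks for before restarting sshd, in particular that AuthorizedKeysCommand is useless without AuthorizedKeysCommandUser (sshd refuses to start without it, see sshd_config(5)) and that password logins remain a way around the identity-based model.

```python
"""Audit an sshd_config for the AuthorizedKeysCommand setup described above.

Added example (not part of the LinuxCommandLibrary page or of Tailscale's
tooling). SAMPLE_SSHD_CONFIG is constructed; its AuthorizedKeysCommand line
is the one the page quotes. sshd uses the first value it sees for a keyword
and refuses to start when AuthorizedKeysCommand is set but
AuthorizedKeysCommandUser is not.
"""
import re

SAMPLE_SSHD_CONFIG = """\
# constructed sample of /etc/ssh/sshd_config
Port 22
PasswordAuthentication no
AuthorizedKeysCommand /usr/bin/tailscale ssh --authorized-keys %u
# AuthorizedKeysCommandUser is deliberately missing in this sample
PubkeyAuthentication yes
PasswordAuthentication yes   # later duplicate: ignored by sshd
"""

# sshd accepts "Keyword value" as well as "Keyword=value"
_LINE = re.compile(r"^(\S+?)(?:\s+|\s*=\s*)(.*)$")


def parse_sshd_config(text):
    """Return {keyword.lower(): value}, keeping only the first occurrence of each keyword."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        match = _LINE.match(line)
        key, value = (match.group(1), match.group(2).strip()) if match else (line, "")
        effective.setdefault(key.lower(), value)
    return effective


def audit_authorized_keys_command(effective):
    """Return a list of findings; an empty list means the setup is consistent."""
    findings = []
    cmd = effective.get("authorizedkeyscommand")
    if cmd is None:
        findings.append("AuthorizedKeysCommand not set: sshd will not query Tailscale for keys")
    elif "tailscale" not in cmd:
        findings.append(f"AuthorizedKeysCommand points elsewhere: {cmd}")
    if cmd is not None and "authorizedkeyscommanduser" not in effective:
        findings.append("AuthorizedKeysCommandUser missing: sshd refuses to start "
                        "with AuthorizedKeysCommand alone")
    # sshd's default for PasswordAuthentication is "yes", so an absent keyword counts too
    if effective.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no': passwords bypass the identity-based model")
    return findings


if __name__ == "__main__":
    for finding in audit_authorized_keys_command(parse_sshd_config(SAMPLE_SSHD_CONFIG)):
        print("finding:", finding)
```

Prepending an `AuthorizedKeysCommandUser nobody` line to the sample clears the only finding; running the audit over an empty configuration reports both the missing command and the default password authentication.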

SECURITY MODEL

The security of tailscale-ssh is rooted in Tailscale's zero-trust networking model. It uses mutual TLS (mTLS) for node-to-node authentication, ensuring that only trusted devices can communicate. Authorization is then managed via fine-grained ACLs defined in your Tailscale admin console, allowing administrators to precisely control which users can SSH into which machines, effectively replacing complex SSH key distribution with a centralized, identity-aware access policy.
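Because authorization lives in the policy file rather than on each host, reviewing that file is where the access control is actually enforced. The following is an added example, not code from this page or from Tailscale: it loads a constructed policy in the documented shape (an "ssh" list of rules with action, src, dst and users, where action is "accept" or "check" and "check" rules may carry a checkPeriod) and flags the rule shapes a reviewer would question. Which shapes count as over-broad is this example's own heuristic, not a Tailscale rule.

```python
"""Lint the "ssh" section of a Tailscale policy file for over-broad rules.

Added example, not part of the page or of Tailscale. SAMPLE_POLICY is a
constructed policy in the documented shape; rule 0 is the usual
"members may reach their own devices" rule, rule 1 is the weak setting
(root on every production server for every member, no check step), rule 2
is the corrected form, and rule 3 contains a typo in "action".
"""
import json

SAMPLE_POLICY = json.loads("""
{
  "ssh": [
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"],
     "users": ["autogroup:nonroot", "root"]},
    {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:prod"],
     "users": ["root"]},
    {"action": "check", "checkPeriod": "12h", "src": ["group:sre"], "dst": ["tag:prod"],
     "users": ["autogroup:nonroot"]},
    {"action": "allow", "src": ["group:sre"], "dst": ["tag:prod"],
     "users": ["root"]}
  ]
}
""")

# Heuristic (this example's choice): sources that mean "everyone on the tailnet"
BROAD_SRC = {"*", "autogroup:member", "autogroup:members"}
VALID_ACTIONS = {"accept", "check"}


def lint_ssh_rules(policy):
    """Return [(rule_index, message), ...] for rules worth a second look."""
    findings = []
    for i, rule in enumerate(policy.get("ssh", [])):
        action = rule.get("action")
        srcs = set(rule.get("src", []))
        dsts = set(rule.get("dst", []))
        users = set(rule.get("users", []))
        if action not in VALID_ACTIONS:
            findings.append((i, f"unknown action {action!r}; expected one of {sorted(VALID_ACTIONS)}"))
            continue
        # root for every member on anything other than their own devices, without re-auth
        if "root" in users and action == "accept" and srcs & BROAD_SRC and dsts != {"autogroup:self"}:
            findings.append((i, "root granted to all members on shared hosts without a check step"))
        if not users:
            findings.append((i, "rule grants no users; it matches nothing and is probably a mistake"))
    return findings


if __name__ == "__main__":
    for index, message in lint_ssh_rules(SAMPLE_POLICY):
        print(f"rule {index}: {message}")
```

Rule 2 shows the shape the linter accepts: a named group as the source, a tag as the destination, non-root users only, and "check" so that the user re-authenticates with the identity provider within the checkPeriod before the session is allowed.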

HISTORY

tailscale-ssh was introduced as a core feature of the Tailscale product, evolving from a simple mesh VPN into a comprehensive access platform. Its development focused on integrating identity-based access control directly into the SSH workflow, simplifying key management and centralizing authorization policies for remote access within Tailscale networks.

SEE ALSO

tailscale(8), ssh(1), sshd_config(5)
