
Tailscale SSH

Tailscale SSH lets tailscaled accept SSH connections from other devices in a Tailscale network (tailnet), authenticating and authorizing them with Tailscale identities and the tailnet policy file (ACLs) instead of per-host SSH keys. It's available for Personal, Premium, and Enterprise plans.

Key Features

Authentication via Tailscale

Tailscale handles authentication for SSH connections: the connecting device is identified by its WireGuard node key, and the tailnet user behind that key is what the ACLs check, so no SSH client keys or passwords are involved. The SSH session itself still runs inside the WireGuard tunnel, so the traffic is encrypted twice, once by SSH and once by WireGuard.

High-Risk Connection Verification

For high-risk connections, for example sessions as root, an ACL rule can use the 'check' action instead of 'accept'. The connecting user is then sent to a browser to re-authenticate with the identity provider before the session is opened. A successful check is valid for 12 hours by default, or for the checkPeriod set on the rule (set it to 'always' to require re-authentication on every connection).

Compatibility

Tailscale SSH doesn't touch /etc/ssh/sshd_config or ~/.ssh/authorized_keys. The system sshd keeps serving connections that arrive on the node's non-Tailscale addresses, so existing access paths and keys are unaffected.

Operational Mechanism:

  • Port Claiming: tailscaled intercepts TCP port 22 on the node's Tailscale IP addresses and serves those connections with its built-in SSH server. Port 22 on every other interface still belongs to the system sshd.

  • Encryption and Security: the session is encrypted by SSH inside the WireGuard tunnel, and the peer is authenticated by its Tailscale node key rather than by SSH client keys.

  • Key Management: Tailscale generates the host keys for its SSH server and distributes them to tailnet clients, and node keys are already managed by Tailscale, so there are no per-user SSH keys to generate, copy, or rotate by hand.

  • User and Device Authorization: access is controlled by the ssh section of the tailnet policy file (ACLs). Each rule names which tailnet users, groups, or tagged devices (src) may connect to which devices (dst) as which local accounts (users), and whether the action is 'accept' or 'check'.

  • User Revocation: removing a user from the relevant ACL rule or group, or from the tailnet, stops new SSH connections without purging authorized_keys files on individual hosts.

Setup Requirements:

  • Supported Systems: the Tailscale SSH server runs on Linux and on macOS when using the open-source tailscaled variant (the App Store and standalone GUI builds do not include it).

  • Enabling Tailscale SSH: run `tailscale up --ssh` on the node. On a node that is already up, `tailscale set --ssh` turns the feature on without having to repeat the other flags that `tailscale up` was originally given.

  • ACL Configuration: the tailnet policy file must contain an ssh rule that allows the connection; without a matching rule every Tailscale SSH connection is refused. Only tailnet admins can edit the policy file.

Operational Details:

  • ACLs for SSH: rules in the ssh section define which users and devices can connect and as which local accounts, and mark which of those connections require re-authentication via the 'check' action.

  • Transition and Management: existing SSH setups keep working, since Tailscale takes over only the connections arriving over the tailnet. Revoking access is done in the policy file or by removing the user or device from the tailnet, and Tailscale's own node key expiry and rotation replace manual SSH key rotation.
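The ssh section of the tailnet policy file is where the rules above live. The Python below is an added example, not Tailscale's code or the page's: it embeds a constructed policy in the shape of the real groups and ssh sections (action, src, dst, users, checkPeriod) and evaluates connection attempts against it with a simplified model of the rule semantics. The model assumes that the first matching rule decides, that autogroup:member matches any tailnet user, that autogroup:self matches only untagged devices owned by the connecting user, and that autogroup:nonroot matches any local account except root. The real evaluation is done by tailscaled and the coordination server, so treat this as an illustration of the policy shape and of the accept/check/deny outcomes, not a reference implementation.

```python
"""Simplified model of how a tailnet policy's "ssh" section is evaluated.

Added example, not Tailscale's code. Assumptions (not from the page):
  - rules are tried in order and the first match decides;
  - "autogroup:member" matches any tailnet user;
  - "autogroup:self" matches an untagged device owned by the connecting user;
  - "autogroup:nonroot" matches any local account except root.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed policy mirroring the shape of the HuJSON "groups" and "ssh" sections.
POLICY = {
    "groups": {"group:ops": ["alice@example.com", "bob@example.com"]},
    "ssh": [
        # Any member may SSH into their own devices as a non-root user, no re-auth.
        {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"],
         "users": ["autogroup:nonroot"]},
        # Ops may become root on production, but must re-authenticate every 8 hours.
        {"action": "check", "checkPeriod": "8h", "src": ["group:ops"],
         "dst": ["tag:prod"], "users": ["root"]},
        # Ops may use any non-root account on production without re-auth.
        {"action": "accept", "src": ["group:ops"], "dst": ["tag:prod"],
         "users": ["autogroup:nonroot"]},
    ],
}

DEFAULT_CHECK_PERIOD = "12h"  # Tailscale's default when a check rule sets no checkPeriod


@dataclass(frozen=True)
class Conn:
    """One SSH connection attempt as seen by the destination's tailscaled."""
    src_user: str                 # tailnet login of the connecting user
    dst_tags: Tuple[str, ...]     # ACL tags on the destination node, if tagged
    dst_owner: Optional[str]      # tailnet login that owns dst; None for tagged nodes
    local_user: str               # local account requested, e.g. "root" or "deploy"


def _src_matches(entry: str, conn: Conn, policy: dict) -> bool:
    if entry == "autogroup:member":
        return True
    if entry.startswith("group:"):
        return conn.src_user in policy["groups"].get(entry, [])
    return entry == conn.src_user


def _dst_matches(entry: str, conn: Conn) -> bool:
    if entry == "autogroup:self":
        return conn.dst_owner is not None and conn.dst_owner == conn.src_user
    if entry.startswith("tag:"):
        return entry in conn.dst_tags
    return False


def _user_matches(entry: str, conn: Conn) -> bool:
    if entry == "autogroup:nonroot":
        return conn.local_user != "root"
    return entry == conn.local_user


def evaluate(conn: Conn, policy: dict = POLICY) -> Tuple[str, Optional[str]]:
    """Return ("accept", None), ("check", period) or ("deny", None).

    A connection is only allowed by an explicit rule; with no match it is
    refused, which is what happens on a tailnet with no applicable ssh rule.
    """
    for rule in policy["ssh"]:
        if (any(_src_matches(s, conn, policy) for s in rule["src"])
                and any(_dst_matches(d, conn) for d in rule["dst"])
                and any(_user_matches(u, conn) for u in rule["users"])):
            if rule["action"] == "check":
                return "check", rule.get("checkPeriod", DEFAULT_CHECK_PERIOD)
            return "accept", None
    return "deny", None


if __name__ == "__main__":
    # Constructed connection attempts: own laptop, production server, outsider.
    samples = [
        Conn("alice@example.com", (), "alice@example.com", "alice"),
        Conn("alice@example.com", (), "alice@example.com", "root"),
        Conn("alice@example.com", ("tag:prod",), None, "root"),
        Conn("bob@example.com", ("tag:prod",), None, "deploy"),
        Conn("carol@example.com", ("tag:prod",), None, "deploy"),
    ]
    for c in samples:
        target = c.dst_tags or c.dst_owner
        print(f"{c.src_user} -> {c.local_user}@{target}: {evaluate(c)}")
```

The three rules are written so that root and non-root accounts never match the same rule, which keeps the outcome independent of rule order; when writing a real policy, keep the root rule on 'check' and avoid a broad 'accept' rule with users set to '*' that would silently cover root as well.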

Limitations and Considerations:

  • Device Limitations: the server side runs on Linux and macOS (open-source tailscaled) nodes in the tailnet. Both ends must be tailnet nodes: a client reaching the host through a subnet router, or a non-Tailscale device, has no node key to authenticate with and cannot use Tailscale SSH.

  • Port Limitations: Tailscale SSH only handles port 22 on the node's Tailscale IPs. A system sshd listening on a non-standard port is left alone, and the Tailscale SSH server itself cannot be moved to another port.

Conclusion: Tailscale SSH replaces SSH key distribution with Tailscale's node identities and the tailnet policy file, giving per-user, per-device, per-account access control with optional re-authentication for sensitive sessions. It suits environments where tailnet identity is already the source of truth; environments that rely on non-standard SSH ports, non-Tailscale clients, or access from behind subnet routers still need the system sshd for those paths.
