{"slug":"protect-your-ssh-servers-using-tailscale","title":"Protect your SSH servers using Tailscale","tags":["tailscale"],"agent_summary":"Last validated: Jan 12, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Protect your SSH servers using Tailscale\r\n\r\nLast validated: Jan 12, 2026\r\n\r\n## [What is Secure Shell (SSH)?](https://tailscale.com/docs/reference/ssh-over-tailscale\\#what-is-secure-shell-ssh)\r\n\r\nThe secure shell protocol, or SSH, has been around now for over 25 years. It was designed to securely connect to a\r\nserver for remote access, directly running commands, or file transfers (using the `scp` or `sftp` applications). SSH is a\r\nreplacement for `telnet`, `rlogin`, `rcp`, `rsh` and `ftp`, which were used to perform similar tasks. Those protocols\r\nare rarely used today even though some of them eventually added extensions for encryption. There are several open source\r\nSSH clients available today for virtually every operating system.\r\n\r\nToday, it's well known that unprotected data transfers over the public internet or open Wi-Fi networks are dangerous;\r\ntransmissions can be intercepted or modified. The SSH protocol is a useful tool for addressing this problem by creating\r\na secure remote access connection using encryption, but comes with some caveats.\r\n\r\n### [Why use SSH?](https://tailscale.com/docs/reference/ssh-over-tailscale\\#why-use-ssh)\r\n\r\nIf you need to remotely access a server or transfer files, SSH encrypts what you need to send over a public network.\r\nIt's based on a rigorously tested protocol, while being easy to use and highly configurable.\r\n\r\n### [What can SSH do?](https://tailscale.com/docs/reference/ssh-over-tailscale\\#what-can-ssh-do)\r\n\r\nAn SSH client is a local application that is used to connect to a remote computer, typically for secure logins as well\r\nas secure file transfers. This functionality is provided by the secure shell protocol, which is a cryptographic network\r\nprotocol.\r\n\r\nSSH also has VPN-like capabilities built into it: SSH supports port forwarding (the client can ask the remote SSH server\r\nto forward an outgoing connection), reverse port forwarding (the client can request that the remote SSH server forward\r\nan incoming connection), dynamic port forwarding (the client creates port forwarding connections on-demand using the\r\nSOCKS protocol) and tunnel device forwarding (the client and server can relay packets to each other, which when combined\r\nwith additional configuration can act as a VPN).\r\n\r\nSSH has some less frequently used features that are sometimes disabled as they can be security concerns: it can forward\r\nX11 connections (showing remote graphical applications on your client machine) and forward its authentication agent\r\n(which permits connecting to other SSH servers using the saved credentials from your client machine).\r\n\r\nAll the SSH features can be used simultaneously, enabling the use of multiple sessions over one connection. If a new\r\nsession is desired (and the SSH client supports that feature), then it can attach to an existing connection without\r\nneeding to re-authenticate, which can be very convenient.\r\n\r\n## [How can I use SSH clients securely?](https://tailscale.com/docs/reference/ssh-over-tailscale\\#how-can-i-use-ssh-clients-securely)\r\n\r\nTo use SSH securely, users first need to verify the host key of the server they're trying to reach. If the host key is\r\nnot checked, there is no proof that the user is connecting to the server that they expected. The SSH server then needs\r\nto verify either the user's password or authentication key. If the SSH server only accepts connections from a private\r\nnetwork (either because the server is behind a NAT router or to improve security), the user also needs to connect\r\nthrough another server connected to both the public internet and the private network, usually known as an SSH bastion but\r\nsometimes called an SSH jump host, or SSH jump box.\r\n\r\nUsed alone, following SSH best practices can be difficult: host keys are often left unchecked, user keys and passwords\r\nare rarely rotated, and connecting through an SSH bastion can be inconvenient. Tailscale can help mitigate the first two\r\nissues and avoid the last issue entirely.\r\n\r\n## [How can I run SSH servers securely?](https://tailscale.com/docs/reference/ssh-over-tailscale\\#how-can-i-run-ssh-servers-securely)\r\n\r\nAlthough you can permit SSH connections from the public internet, any public SSH server will be subject to automated and\r\npossibly targeted attacks. The automated login attempts often begin within minutes: there are many compromised servers\r\nthat are constantly scanning the public internet for SSH servers with easily guessed usernames and passwords. The\r\ngreatest risk comes from weak passwords, which is why the modern best practice is to disable passwords entirely.\r\n\r\nThere is also a smaller risk of compromise through bugs in the SSH server software. Known bugs in older versions of SSH\r\nserver software may allow unauthorized access, and there is always the risk of new bugs being discovered in up-to-date\r\nsoftware. An administrator must ensure that the server is kept up-to-date.\r\n\r\nWhile authentication keys are a stronger alternative to passwords, SSH doesn't force users to ever rotate\r\nkeys. [In practice, almost no one does](https://tailscale.com/blog/rotate-ssh-keys). Worse, SSH authentication private keys are often stored as normal\r\nfiles, making them easy to copy. This puts many SSH servers at risk, as the possibility of an authentication key being\r\nstolen increases over time as the server accumulates infrequently or never rotated authentication keys.\r\n\r\nAuthentication keys stored on a hardware token (such as those sold by Yubikey, Touch ID, smart cards, and other FIDO2\r\ntokens) cannot be copied, which significantly reduces the risk of the authentication key being stolen: the token must be\r\nphysically taken (making purely remote attacks difficult or impossible). Hardware tokens are an excellent choice when\r\navailable, but it can be expensive to supply them to all employees and provisioning them is extra administrative\r\noverhead: each token generates its own authentication key and the tokens themselves can be misplaced, lost or stolen.\r\nThe price of these tokens has dropped over time but their use is still unfortunately not ubiquitous.\r\n\r\nSome SSH servers can authenticate sessions using certificates from a trusted private certificate authority. Certificates\r\ncombine normal authentication keys with a signature from the certificate authority and an expiration time. The main\r\ndifference from normal authentication keys is that the server only needs to store the certificate authority's public key\r\nand trusts that users' authentication keys are acceptable if the certificate authority has issued a certificate. This\r\nsolves the biggest usability issue of key rotation: updating the servers is no longer required. Additional security\r\ncomes from automatically enforced key rotation because the certificates expire. A certificate authority can also sign\r\nSSH host keys, which addresses the problem of verifying the host key when a user connects, as long as the SSH client\r\ntrusts the certificate authority.\r\n\r\nSetting up the certificate authority infrastructure required to grant, revoke and manage certificates is quite complex\r\nand the certificate authority's private key must be very well protected. Today, certificates for SSH are not commonly\r\nused outside of large enterprises.\r\n\r\nAn SSH bastion (sometimes called an SSH jump host or SSH jump box) is used by some organizations or users as a gateway to\r\na protected internal network. Users must connect to this bastion first before they can access the protected servers. The\r\nbastion typically has extra monitoring in place to detect intrusions. Unfortunately, bastions are often inconvenient,\r\nhigh-latency and cannot get at the root of the key rotation problem without additional administrative controls.\r\n\r\n## [Advantages of using SSH with Tailscale](https://tailscale.com/docs/reference/ssh-over-tailscale\\#advantages-of-using-ssh-with-tailscale)\r\n\r\nTailscale works well with SSH clients and SSH servers, improving security and offering a better user experience.\r\n\r\n### [Tailscale replaces the SSH bastion, reducing latency and avoiding bottlenecks](https://tailscale.com/docs/reference/ssh-over-tailscale\\#tailscale-replaces-the-ssh-bastion-reducing-latency-and-avoiding-bottlenecks)\r\n\r\nIf you have a global footprint, your traffic might have to traverse a long distance to pass through the bastion before\r\nreaching the SSH server, adding significant latency and sometimes limiting throughput as well. Alternatively, you can\r\noperate multiple bastions, which adds complexity.\r\n\r\nTailscale removes the need for a bastion entirely by keeping SSH servers on a private mesh network that has\r\npeer-to-peer connections and end-to-end encryption. Not only is SSH more secure this way, it's also typically faster\r\nthan using a bastion.\r\n\r\n### [Automatic key rotation for the private network](https://tailscale.com/docs/reference/ssh-over-tailscale\\#automatic-key-rotation-for-the-private-network)\r\n\r\nWhile Tailscale does not manage your SSH authentication keys, it does manage access to the private network that permits\r\naccess to the SSH servers. The Tailscale client [rotates its keys](https://tailscale.com/blog/tailscale-key-management) according to a\r\nconfigurable time interval.\r\n\r\nIf a client device is lost or stolen, the device can be immediately deleted from the admin console. If not deleted from\r\nthe admin console, then when the device's key expires, it can no longer access the Tailscale network. In either case, the\r\ndevice loses access until an authorized user successfully logs back into the Tailscale client. Multifactor\r\nauthentication is required during login if enabled in your SSO configuration, providing additional security.\r\n\r\n### [Verify connections and users](https://tailscale.com/docs/reference/ssh-over-tailscale\\#verify-connections-and-users)\r\n\r\nNormally upon first connection to an SSH server you are shown the SSH host key and you are expected to verify that the\r\nkey is correct (most SSH clients save the host key after the first connection). If the key is not correct, that is an\r\nindication that your connection was intercepted by some other server.\r\n\r\nTailscale's server distributes public Tailscale key information to all the Tailscale clients and ensures that if you\r\nsuccessfully connect to a Tailscale IP address, you are connected to the correct device, not an imposter. Therefore\r\nalthough it is still best practice to verify the SSH host key, you can be assured that the connection is not being\r\nintercepted.\r\n\r\nTailscale also helps the SSH server verify the identity of the user connecting to it. When a Tailscale IP address\r\nappears in the server's logs, an administrator can later look up which user that IP address belongs to. For maximum\r\nsecurity, the SSH server can be configured to restrict which IP addresses a username can connect from. Since the\r\nTailscale IP address of a user's device remains fixed unless it is deleted from the Tailscale network, this can be used\r\nas additional proof of the user's identity.\r\n\r\n### [Only authorized users can connect to the SSH server](https://tailscale.com/docs/reference/ssh-over-tailscale\\#only-authorized-users-can-connect-to-the-ssh-server)\r\n\r\nNormally when using SSH, anyone on a public or private network can try to connect to the SSH server. Using SSH with\r\nTailscale, only people who are part of your network and authorized by your network's access control policies can connect to the SSH server.\r\nBy [removing SSH access from the public internet](https://tailscale.com/docs/how-to/secure-ubuntu-server-with-ufw), the risk posed by automated scanning attacks (or\r\nrandom users trying to connect to your SSH server) is eliminated because there is nothing for them to connect to.\r\n\r\n[Tailscale access control policies](https://tailscale.com/docs/features/access-control) ensure that only authorized users have access to connect to the SSH server. By explicitly stating\r\nwhich users are allowed to access the SSH server, it is significantly more difficult to be compromised by a stolen\r\nauthentication key or weak password (however this is not a substitute for managing authentication keys and passwords).\r\n\r\n### [Smoothly switch between networks](https://tailscale.com/docs/reference/ssh-over-tailscale\\#smoothly-switch-between-networks)\r\n\r\nThe Tailscale client is able to detect network changes and can switch which network connection it uses to reach other\r\nTailscale clients without affecting the applications using the Tailscale network. In other words, if you switch between\r\nEthernet and Wi-Fi, between Wi-Fi networks, or between Wi-Fi and a cellular network, then if your SSH client is\r\nconnected through Tailscale, it may pause briefly but will stay connected (assuming that the network switch occurs\r\nreasonably quickly).\r\n\r\n## [Tailscale SSH](https://tailscale.com/docs/reference/ssh-over-tailscale\\#tailscale-ssh)\r\n\r\n[Tailscale SSH](https://tailscale.com/docs/features/tailscale-ssh) lets Tailscale manage the authentication and authorization of SSH connections in\r\nyour tailnet.\r\n\r\nWith Tailscale SSH, you can:\r\n\r\n- **SSH as normal**, using Tailscale for authentication. With Tailscale SSH, Tailscale takes over port 22 for SSH connections incoming from the Tailscale network. Tailscale will authenticate and encrypt the connection over WireGuard, using Tailscale node keys. The SSH client and server will still create an encrypted SSH connection, but it will not be further authenticated.\r\n- **Verify high-risk connections with [check mode](https://tailscale.com/docs/features/tailscale-ssh#configure-tailscale-ssh-with-check-mode)**. Optionally require certain connections, or connections as certain users (for example, `root`), to re-authenticate before connecting. This lets the user access these high-risk applications for the next 12 hours or for a specified check period before re-authenticating again.\r\n\r\nIf you want to use Tailscale SSH for your SSH needs, follow the instructions at [Configure Tailscale SSH](https://tailscale.com/docs/features/tailscale-ssh#configure-tailscale-ssh). Otherwise, continue to the\r\nnext section.\r\n\r\n## [Getting started with SSH over Tailscale](https://tailscale.com/docs/reference/ssh-over-tailscale\\#getting-started-with-ssh-over-tailscale)\r\n\r\nThese steps are an alternative to using [Tailscale SSH](https://tailscale.com/docs/features/tailscale-ssh).\r\n\r\nTo get started:\r\n\r\n### [Step 1: Install and activate Tailscale on the SSH server](https://tailscale.com/docs/reference/ssh-over-tailscale\\#step-1-install-and-activate-tailscale-on-the-ssh-server)\r\n\r\nTailscale is available for essentially any modern Linux distribution, though the installation instructions may vary slightly.\r\n\r\n[Download Tailscale for Linux](https://tailscale.com/download/linux)\r\n\r\nFor more sophisticated [access controls](https://tailscale.com/docs/features/access-control), consider using [ACLs](https://tailscale.com/docs/features/access-control/acls) or [grants](https://tailscale.com/docs/features/access-control/grants). If desired,\r\nconfigure the SSH server with an [tag](https://tailscale.com/docs/features/tags).\r\n\r\n### [Step 2: Install and activate Tailscale on the client machine](https://tailscale.com/docs/reference/ssh-over-tailscale\\#step-2-install-and-activate-tailscale-on-the-client-machine)\r\n\r\n[Download Tailscale](https://tailscale.com/download)\r\n\r\n### [Step 3: Connect to the SSH server using Tailscale](https://tailscale.com/docs/reference/ssh-over-tailscale\\#step-3-connect-to-the-ssh-server-using-tailscale)\r\n\r\nOn the SSH server, look up its Tailscale IP using `tailscale ip`. Assuming that your account name is `username` and the\r\nIP address is `100.100.123.123`:\r\n\r\n```shell\r\nssh username@100.100.123.123\r\n```\r\n\r\nIf [MagicDNS](https://tailscale.com/docs/features/magicdns) is enabled on your Tailscale network, simply connect to the SSH\r\nserver's hostname. For example, for a server named `myserver`: `ssh username@myserver`\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Protect your SSH servers using Tailscale</h1>\n<p>Last validated: Jan 12, 2026</p>\n<h2><a href=\"https://tailscale.com/docs/reference/ssh-over-tailscale#what-is-secure-shell-ssh\">What is Secure Shell (SSH)?</a></h2>\n<p>The secure shell protocol, or SSH, has been around now for over 25 years. It was designed to securely connect to a\r\nserver for remote access, directly running commands, or file transfers (using the <code>scp</code> or <code>sftp</code> applications). SSH is a\r\nreplacement for <code>telnet</code>, <code>rlogin</code>, <code>rcp</code>, <code>rsh</code> and <code>ftp</code>, which were used to perform similar tasks. Those protocols\r\nare rarely used today even though some of them eventually added extensions for encryption. There are several open source\r\nSSH clients available today for virtually every operating system.</p>\n<p>Today, it's well known that unprotected data transfers over the public internet or open Wi-Fi networks are dangerous;\r\ntransmissions can be intercepted or modified. The SSH protocol is a useful tool for addressing this problem by creating\r\na secure remote access connection using encryption, but comes with some caveats.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/ssh-over-tailscale#why-use-ssh\">Why use SSH?</a></h3>\n<p>If you need to remotely access a server or transfer files, SSH encrypts what you need to send over a public network.\r\nIt's based on a rigorously tested protocol, while being easy to use and highly configurable.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/ssh-over-tailscale#what-can-ssh-do\">What can SSH do?</a></h3>\n<p>An SSH client is a local application that is used to connect to a remote computer, typically for secure logins as well\r\nas secure file transfers. This functionality is provided by the secure shell protocol, which is a cryptographic network\r\nprotocol.</p>\n<p>SSH also has VPN-like capabilities built into it: SSH supports port forwarding (the client can ask the remote SSH server\r\nto forward an outgoing connection), reverse port forwarding (the client can request that the remote SSH server forward\r\nan incoming connection), dynamic port forwarding (the client creates port forwarding connections on-demand using the\r\nSOCKS protocol) and tunnel device forwarding (the client and server can relay packets to each other, which when combined\r\nwith additional configuration can act as a VPN).</p>\n<p>SSH has some less frequently used features that are sometimes disabled as they can be security concerns: it can forward\r\nX11 connections (showing remote graphical applications on your client machine) and forward its authentication agent\r\n(which permits connecting to other SSH servers using the saved credentials from your client machine).</p>\n<p>All the SSH features can be used simultaneously, enabling the use of multiple sessions over one connection. If a new\r\nsession is desired (and the SSH client supports that feature), then it can attach to an existing connection without\r\nneeding to re-authenticate, which can be very convenient.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/ssh-over-tailscale#how-can-i-use-ssh-clients-securely\">How can I use SSH clients securely?</a></h2>\n<p>To use SSH securely, users first need to verify the host key of the server they're trying to reach. If the host key is\r\nnot checked, there is no proof that the user is connecting to the server that they expected. The SSH server then needs\r\nto verify either the user's password or authentication key. If the SSH server only accepts connections from a private\r\nnetwork (either because the server is behind a NAT router or to improve security), the user also needs to connect\r\nthrough another server connected to both the public internet and the private network, usually known as an SSH bastion but\r\nsometimes called an SSH jump host, or SSH jump box.</p>\n<p>Used alone, following SSH best practices can be difficult: host keys are often left unchecked, user keys and passwords\r\nare rarely rotated, and connecting through an SSH bastion can be inconvenient. Tailscale can help mitigate the first two\r\nissues and avoid the last issue entirely.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/ssh-over-tailscale#how-can-i-run-ssh-servers-securely\">How can I run SSH servers securely?</a></h2>\n<p>Although you can permit SSH connections from the public internet, any public SSH server will be subject to automated and\r\npossibly targeted attacks. The automated login attempts often begin within minutes: there are many compromised servers\r\nthat are constantly scanning the public internet for SSH servers with easily guessed usernames and passwords. The\r\ngreatest risk comes from weak passwords, which is why the modern best practice is to disable passwords entirely.</p>\n<p>There is also a smaller risk of compromise through bugs in the SSH server software. Known bugs in older versions of SSH\r\nserver software may allow unauthorized access, and there is always the risk of new bugs being discovered in up-to-date\r\nsoftware. An administrator must ensure that the server is kept up-to-date.</p>\n<p>While authentication keys are a stronger alternative to passwords, SSH doesn't force users to ever rotate\r\nkeys. <a href=\"https://tailscale.com/blog/rotate-ssh-keys\">In practice, almost no one does</a>. Worse, SSH authentication private keys are often stored as normal\r\nfiles, making them easy to copy. This puts many SSH servers at risk, as the possibility of an authentication key being\r\nstolen increases over time as the server accumulates infrequently or never rotated authentication keys.</p>\n<p>Authentication keys stored on a hardware token (such as those sold by Yubikey, Touch ID, smart cards, and other FIDO2\r\ntokens) cannot be copied, which significantly reduces the risk of the authentication key being stolen: the token must be\r\nphysically taken (making purely remote attacks difficult or impossible). Hardware tokens are an excellent choice when\r\navailable, but it can be expensive to supply them to all employees and provisioning them is extra administrative\r\noverhead: each token generates its own authentication key and the tokens themselves can be misplaced, lost or stolen.\r\nThe price of these tokens has dropped over time but their use is still unfortunately not ubiquitous.</p>\n<p>Some SSH servers can authenticate sessions using certificates from a trusted private certificate authority. Certificates\r\ncombine normal authentication keys with a signature from the certificate authority and an expiration time. The main\r\ndifference from normal authentication keys is that the server only needs to store the certificate authority's public key\r\nand trusts that users' authentication keys are acceptable if the certificate authority has issued a certificate. This\r\nsolves the biggest usability issue of key rotation: updating the servers is no longer required. Additional security\r\ncomes from automatically enforced key rotation because the certificates expire. A certificate authority can also sign\r\nSSH host keys, which addresses the problem of verifying the host key when a user connects, as long as the SSH client\r\ntrusts the certificate authority.</p>\n<p>Setting up the certificate authority infrastructure required to grant, revoke and manage certificates is quite complex\r\nand the certificate authority's private key must be very well protected. Today, certificates for SSH are not commonly\r\nused outside of large enterprises.</p>\n<p>An SSH bastion (sometimes called an SSH jump host or SSH jump box) is used by some organizations or users as a gateway to\r\na protected internal network. Users must connect to this bastion first before they can access the protected servers. The\r\nbastion typically has extra monitoring in place to detect intrusions. Unfortunately, bastions are often inconvenient,\r\nhigh-latency and cannot get at the root of the key rotation problem without additional administrative controls.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/ssh-over-tailscale#advantages-of-using-ssh-with-tailscale\">Advantages of using SSH with Tailscale</a></h2>\n<p>Tailscale works well with SSH clients and SSH servers, improving security and offering a better user experience.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/ssh-over-tailscale#tailscale-replaces-the-ssh-bastion-reducing-latency-and-avoiding-bottlenecks\">Tailscale replaces the SSH bastion, reducing latency and avoiding bottlenecks</a></h3>\n<p>If you have a global footprint, your traffic might have to traverse a long distance to pass through the bastion before\r\nreaching the SSH server, adding significant latency and sometimes limiting throughput as well. Alternatively, you can\r\noperate multiple bastions, which adds complexity.</p>\n<p>Tailscale removes the need for a bastion entirely by keeping SSH servers on a private mesh network that has\r\npeer-to-peer connections and end-to-end encryption. Not only is SSH more secure this way, it's also typically faster\r\nthan using a bastion.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/ssh-over-tailscale#automatic-key-rotation-for-the-private-network\">Automatic key rotation for the private network</a></h3>\n<p>While Tailscale does not manage your SSH authentication keys, it does manage access to the private network that permits\r\naccess to the SSH servers. The Tailscale client <a href=\"https://tailscale.com/blog/tailscale-key-management\">rotates its keys</a> according to a\r\nconfigurable time interval.</p>\n<p>If a client device is lost or stolen, the device can be immediately deleted from the admin console. If not deleted from\r\nthe admin console, then when the device's key expires, it can no longer access the Tailscale network. In either case, the\r\ndevice loses access until an authorized user successfully logs back into the Tailscale client. Multifactor\r\nauthentication is required during login if enabled in your SSO configuration, providing additional security.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/ssh-over-tailscale#verify-connections-and-users\">Verify connections and users</a></h3>\n<p>Normally upon first connection to an SSH server you are shown the SSH host key and you are expected to verify that the\r\nkey is correct (most SSH clients save the host key after the first connection). If the key is not correct, that is an\r\nindication that your connection was intercepted by some other server.</p>\n<p>Tailscale's server distributes public Tailscale key information to all the Tailscale clients and ensures that if you\r\nsuccessfully connect to a Tailscale IP address, you are connected to the correct device, not an imposter. Therefore\r\nalthough it is still best practice to verify the SSH host key, you can be assured that the connection is not being\r\nintercepted.</p>\n<p>Tailscale also helps the SSH server verify the identity of the user connecting to it. When a Tailscale IP address\r\nappears in the server's logs, an administrator can later look up which user that IP address belongs to. For maximum\r\nsecurity, the SSH server can be configured to restrict which IP addresses a username can connect from. Since the\r\nTailscale IP address of a user's device remains fixed unless it is deleted from the Tailscale network, this can be used\r\nas additional proof of the user's identity.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/ssh-over-tailscale#only-authorized-users-can-connect-to-the-ssh-server\">Only authorized users can connect to the SSH server</a></h3>\n<p>Normally when using SSH, anyone on a public or private network can try to connect to the SSH server. Using SSH with\r\nTailscale, only people who are part of your network and authorized by your network's access control policies can connect to the SSH server.\r\nBy <a href=\"https://tailscale.com/docs/how-to/secure-ubuntu-server-with-ufw\">removing SSH access from the public internet</a>, the risk posed by automated scanning attacks (or\r\nrandom users trying to connect to your SSH server) is eliminated because there is nothing for them to connect to.</p>\n<p><a href=\"https://tailscale.com/docs/features/access-control\">Tailscale access control policies</a> ensure that only authorized users have access to connect to the SSH server. By explicitly stating\r\nwhich users are allowed to access the SSH server, it is significantly more difficult to be compromised by a stolen\r\nauthentication key or weak password (however this is not a substitute for managing authentication keys and passwords).</p>\n<h3><a href=\"https://tailscale.com/docs/reference/ssh-over-tailscale#smoothly-switch-between-networks\">Smoothly switch between networks</a></h3>\n<p>The Tailscale client is able to detect network changes and can switch which network connection it uses to reach other\r\nTailscale clients without affecting the applications using the Tailscale network. In other words, if you switch between\r\nEthernet and Wi-Fi, between Wi-Fi networks, or between Wi-Fi and a cellular network, then if your SSH client is\r\nconnected through Tailscale, it may pause briefly but will stay connected (assuming that the network switch occurs\r\nreasonably quickly).</p>\n<h2><a href=\"https://tailscale.com/docs/reference/ssh-over-tailscale#tailscale-ssh\">Tailscale SSH</a></h2>\n<p><a href=\"https://tailscale.com/docs/features/tailscale-ssh\">Tailscale SSH</a> lets Tailscale manage the authentication and authorization of SSH connections in\r\nyour tailnet.</p>\n<p>With Tailscale SSH, you can:</p>\n<ul>\n<li><strong>SSH as normal</strong>, using Tailscale for authentication. With Tailscale SSH, Tailscale takes over port 22 for SSH connections incoming from the Tailscale network. Tailscale will authenticate and encrypt the connection over WireGuard, using Tailscale node keys. The SSH client and server will still create an encrypted SSH connection, but it will not be further authenticated.</li>\n<li><strong>Verify high-risk connections with <a href=\"https://tailscale.com/docs/features/tailscale-ssh#configure-tailscale-ssh-with-check-mode\">check mode</a></strong>. Optionally require certain connections, or connections as certain users (for example, <code>root</code>), to re-authenticate before connecting. This lets the user access these high-risk applications for the next 12 hours or for a specified check period before re-authenticating again.</li>\n</ul>\n<p>If you want to use Tailscale SSH for your SSH needs, follow the instructions at <a href=\"https://tailscale.com/docs/features/tailscale-ssh#configure-tailscale-ssh\">Configure Tailscale SSH</a>. Otherwise, continue to the\r\nnext section.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/ssh-over-tailscale#getting-started-with-ssh-over-tailscale\">Getting started with SSH over Tailscale</a></h2>\n<p>These steps are an alternative to using <a href=\"https://tailscale.com/docs/features/tailscale-ssh\">Tailscale SSH</a>.</p>\n<p>To get started:</p>\n<h3><a href=\"https://tailscale.com/docs/reference/ssh-over-tailscale#step-1-install-and-activate-tailscale-on-the-ssh-server\">Step 1: Install and activate Tailscale on the SSH server</a></h3>\n<p>Tailscale is available for essentially any modern Linux distribution, though the installation instructions may vary slightly.</p>\n<p><a href=\"https://tailscale.com/download/linux\">Download Tailscale for Linux</a></p>\n<p>For more sophisticated <a href=\"https://tailscale.com/docs/features/access-control\">access controls</a>, consider using <a href=\"https://tailscale.com/docs/features/access-control/acls\">ACLs</a> or <a href=\"https://tailscale.com/docs/features/access-control/grants\">grants</a>. If desired,\r\nconfigure the SSH server with an <a href=\"https://tailscale.com/docs/features/tags\">tag</a>.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/ssh-over-tailscale#step-2-install-and-activate-tailscale-on-the-client-machine\">Step 2: Install and activate Tailscale on the client machine</a></h3>\n<p><a href=\"https://tailscale.com/download\">Download Tailscale</a></p>\n<h3><a href=\"https://tailscale.com/docs/reference/ssh-over-tailscale#step-3-connect-to-the-ssh-server-using-tailscale\">Step 3: Connect to the SSH server using Tailscale</a></h3>\n<p>On the SSH server, look up its Tailscale IP using <code>tailscale ip</code>. Assuming that your account name is <code>username</code> and the\r\nIP address is <code>100.100.123.123</code>:</p>\n<pre><code class=\"language-shell\">ssh username@100.100.123.123\n</code></pre>\n<p>If <a href=\"https://tailscale.com/docs/features/magicdns\">MagicDNS</a> is enabled on your Tailscale network, simply connect to the SSH\r\nserver's hostname. For example, for a server named <code>myserver</code>: <code>ssh username@myserver</code></p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}