Tailscale SSH (tailscale.com)
62 points by tosh 4 months ago | 4 comments | HN
cbushko
4 months ago
Tailscale SSH is very useful when away from your home network. Setup was pretty easy, and the only 'gotcha' that I found was you cannot assign SSH to a Mac machine if you are using the GUI app. No worries though, as it was easy to get tailscaled running with nix-darwin.

I am often away from my home network and my main gaming machine is asleep. I worked around this by installing Tailscale + Tailscale SSH on my router (yes, you can do this!) and using it to send a wake-on-LAN packet to my gaming machine.

Some useful fzf code for anyone that wants to get a listing of tailssh machines.

  # List peers carrying the tag:dev tag, strip the trailing dot from the MagicDNS name,
  # and pick one in fzf. any(...; . == "tag:dev") matches the tag exactly and emits each
  # peer once; the original contains("tag:dev") was a substring match (it would also hit
  # tag:dev-ops) and printed a peer once per matching tag.
  tailscale status --json | jq -r '
    .Peer[] |
    select(any(.Tags[]?; . == "tag:dev")) |
    "\(.DNSName)"' |
  sed 's/\.$//' |
  fzf --ansi --border-label="| Tailscale SSH Hosts |" --height=30% --border=rounded \
      --margin=2,2,2,2 --prompt "Connect to: " --preview-window=top:40% \
      --bind "j:down,k:up,ctrl-j:preview-down,ctrl-k:preview-up,ctrl-f:preview-page-down,ctrl-b:preview-page-up"
reply
saghm
4 months ago
Several places in that documentation indicate that Tailscale "takes over port 22" to use for ssh coming from within Tailscale's network, but it also claims this:

> Your SSH config (/etc/ssh/sshd_config) and keys (~/.ssh/authorized_keys) files will not be modified, which means that other SSH connections to the same host, not made over Tailscale, will still work.

Am I misunderstanding what's meant by "taking over" port 22, and it can also still be used by sshd for connections outside of Tailscale, or is the claim that other ssh connections will still work predicated on using a non-default port? If the latter, I'm surprised they don't pick another port instead to use for ssh coming from within Tailscale's network, since it seems like they should be able to control the port the client side connects to as well, and then it wouldn't interfere with existing ssh. It would be strange to tout not interfering with existing ssh access if they left probably the biggest way to avoid interference untouched.

reply
patrakov
4 months ago
They don't even bind the port. Instead, their client gives special treatment to packets arriving on port 22 over the tunnel instead of giving them to the kernel over the tailscale0 interface.
reply
stavros
4 months ago
I haven't used it much, but in my experience it takes over port 22 over Tailscale. If you don't contact the Tailscale IP, nothing changes in your SSH.
reply
lokar
4 months ago
I assume they only bind to the IP of the WireGuard interface
reply
bradfitz
4 months ago
(Tailscale employee who worked on this)

As patrakov said above, we don't bind at all with the OS kernel. The packets come in, are WireGuard-decrypted (in userspace), and then TCP/IP is also done in userspace (gVisor) before Tailscale SSH takes over, handling the connection (~net.Conn) from gVisor.

reply
saghm
4 months ago
Good to know! The wording doesn't really make this clear at all to me honestly; "take over" doesn't really seem like a well-defined term to me, but it sounds pretty "complete" in terms of owning it fully. As mentioned in a sibling comment, the part of the sentence after that reads to me like an explanation of why rather than additional technical details of what's actually being done, but obviously I'm only a sample size of one, so maybe this is more clear to the average reader than it was to me.
reply
aidos
4 months ago
"Tailscale takes over port 22 for SSH connections incoming from the Tailscale network"
reply
saghm
4 months ago
Yes, I read that sentence. To me, "take over" doesn't sound like a "partial" thing, it sounds like it fully takes it over, and "for" sounds like it's just saying why it takes it over, not that it only partially takes control of it. The reason I asked is because I felt like the documentation implies something else despite the wording sounding like this.

Generally speaking, if someone quotes something and asks a clarification, it's because they don't find the wording clear. Repeating it, even with italics, doesn't make the wording any more clear to someone who already doesn't think it's clear.

reply
tekla
4 months ago
> The reason I asked is because I felt like the documentation implies something else despite the wording sounding like this.

It literally tells you in the same section what they mean by that sentence and the implications for normal SSH. It doesn't imply anything past what reading a few more sentences would say.

> it sounds like it fully takes it over, and "for" sounds like it's just saying why it takes it over, not that it only partially takes control of it

No it doesn't.

> Your SSH config (/etc/ssh/sshd_config) and keys (~/.ssh/authorized_keys) files will not be modified, which means that other SSH connections to the same host, not made over Tailscale, will still work.

> Tailscale takes over port 22 for SSH connections incoming from the Tailscale network. Tailscale will authenticate and encrypt the connection over WireGuard, using Tailscale node keys. The SSH client and server will still create an encrypted SSH connection, but it will not be further authenticated.

What is hard to understand about this?

reply
saghm
4 months ago
> it doesn't imply anything past what reading a few more sentences would say.

> Your SSH config (/etc/ssh/sshd_config) and keys (~/.ssh/authorized_keys) files will not be modified, which means that other SSH connections to the same host, not made over Tailscale, will still work.

I literally quoted the section about the ssh config files in my original question, so obviously I read further than that one sentence you requoted first.

> No it doesn't.

To you, it doesn't. To me, it does. If you don't think different people can interpret the same words slightly differently in a way that changes the meaning, I'm not sure why you'd bother trying to explain to me what it means.

> What is hard to understand about this?

The exact parts that I asked about and got helpful explanations about from other people in this thread. I read the two parts you quoted (after I had already quoted them before your original response), and I thought that the first part was vague in a way that the second part conflicted with, so I asked a question for clarification.

reply
varun_chopra
4 months ago
This works really well. It would be interesting to see if someone implements something similar but independent of Tailscale (and completely open source).

There are other implementations, such as AWS's Session Manager and Teleport, that implement SSH and allow authentication using IAM and Teleport.

The added features, like SSH session recordings, are great to have.

reply
johnklos
4 months ago
This seems like it's just extra work in place of ssh -J, perhaps even just ssh -J through a Tailscale ssh daemon. Or am I missing something?
reply