
Tailscale SSH Launches in Beta to Replace SSH Keys

23 Jun 2022 10:32am, by

Tailscale, which makes software for interconnecting and securing devices, introduced a beta release of Tailscale SSH, which simplifies authentication and authorization by replacing SSH keys with the Tailscale identity of any machine.

A Secure Shell or SSH key is an access credential in the SSH protocol. Its function is similar to that of usernames and passwords, but the keys are primarily used for automated processes and for implementing single sign-on by system administrators and power users, according to SSH.COM.

Tailscale gives each server and user device its own identity and node key for authenticating and encrypting the Tailscale network connection, and uses access control lists defined in code for authorizing connections. That makes managing access for SSH connections in your network a natural extension for Tailscale.

Removes the Pain

“SSH is an everyday tool for developers, but managing SSH keys for a server isn’t so simple or secure,” said Tailscale Product Manager Maya Kaczorowski, in a statement. “SSH keys are difficult to protect and time consuming to manage. Protecting your network connections with SSH keys requires that admins spend significant resources managing, provisioning, or deprovisioning user access. Tailscale SSH removes the pain from SSH key management with the same powerful simplicity Tailscale offers for virtual private networks.”

Tailscale SSH enables you to establish SSH connections between devices in your Tailscale network, as authorized by your access controls, without managing SSH keys, and authenticates your SSH connection using WireGuard, said Brad Fitzpatrick, co-founder of Tailscale, in a blog post co-authored by Kaczorowski, along with Maisem Ali and Ross Zurowski, who are both developers at Tailscale.

According to the company, with Tailscale SSH, users can securely code from their iPad running Tailscale, across operating systems to a Linux workstation, without having to figure out how to get their SSH private key onto their iPad. Moreover, Enterprise Tailscale customers will reduce churn and the resources spent on SSH key management or bastion jump boxes, and avoid the risk of exposing memory-unsafe servers to the open internet, the company said.

What Makes It Different?

What makes Tailscale different from other SSH solutions?

“When you enable Tailscale SSH on a device, Tailscale claims port 22 for any traffic incoming to that device to its Tailscale IP address — that is, only for traffic coming over Tailscale,” the blog post said. “This traffic is rerouted to an SSH service inside the Tailscale daemon instead of to your standard SSH server. When you create a new SSH connection from a client to this server over the Tailscale network, the server already knows who the remote party is and takes over, and does not require the SSH client to provide further proof.”

The Tailscale SSH beta provides authentication and encryption, single sign-on and multi-factor authentication to protect SSH connections, built-in key rotation, the ability to re-verify SSH connections, the ability to easily revoke SSH access, the ability to manage permissions as code, reduced latency with point-to-point connections, and the ability to easily add new users or servers.
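
To make "permissions as code" and re-verification concrete, here is a sketch of a tailnet policy file with an SSH section. It is an added example, not taken from the article or from Tailscale's blog post; the group name, tag and e-mail addresses are constructed placeholders, and the target servers are assumed to have Tailscale SSH enabled (for instance with `tailscale up --ssh`).

```json
{
  // Constructed identities for illustration only.
  "groups": {
    "group:sre": ["alice@example.com", "bob@example.com"]
  },
  "tagOwners": {
    "tag:prod": ["group:sre"]
  },

  // Network layer: only group:sre may reach port 22 on tag:prod
  // nodes over the tailnet. Nothing is exposed to the open internet.
  "acls": [
    { "action": "accept", "src": ["group:sre"], "dst": ["tag:prod:22"] }
  ],

  // SSH layer: which local accounts an authenticated identity may use.
  "ssh": [
    {
      // Root logins use "check": the user must have re-authenticated
      // with the identity provider within the last 12 hours.
      "action": "check",
      "checkPeriod": "12h",
      "src": ["group:sre"],
      "dst": ["tag:prod"],
      "users": ["root"]
    },
    {
      // Non-root logins are accepted on the node identity alone.
      "action": "accept",
      "src": ["group:sre"],
      "dst": ["tag:prod"],
      "users": ["autogroup:nonroot"]
    }
  ]
}
```

Revoking a person's SSH access is then a one-line change: remove the address from `group:sre`. No `authorized_keys` file on any server has to be touched.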

“Tailscale is seriously the best user experience of my life,” said Kris Nóva, a senior principal engineer at Twilio and published distributed systems expert, in a statement. Nóva used Tailscale to create a private network between her home lab in New York and a datacenter in Iceland.

“I ran a Kubernetes 1.24 cluster on Tailscale with eBPF CNI networking on top of a tailnet, which connects my private subnet at home, across the Arctic Ocean to a private subnet in a volcano-powered datacenter in Iceland,” she said. “It blew my mind how easy and powerful it was to use…”

Like the Old GitHub

Meanwhile, in a tweet, Jon Maddox, co-founder of Fancy Bits, which provides the Channels live TV and DVR service, said:

“Tailscale (@Tailscale) is the only group that comes close to reminding me of early @github. Taking incredible software that’s horrible to use, to create amazing, useful, needed experiences.”

Maddox spent eight years at GitHub and joined another former GitHub-er, Aman Karmani, in founding Fancy Bits and building Channels.

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Tailscale.