ssh jumpboxes without open ports or key rotation risk
Do you change your ssh key less often than you change your password?
Many corporate servers are at risk because of stale or stolen ssh keys that are infrequently or never rotated. One partial solution is an ssh "jumpbox", which makes you ssh into one server in order to relay to another. But jumpbox networks are brittle and high-latency, and in many cases they still don't solve the key rotation problem.
Tailscale rotates its keys hourly or daily. Instead of exposing your ssh servers to the world, keep them on your private virtual network, and let Tailscale grant access only to the people who should have it. This minimizes the damage from any key rotation mistakes.