SSH (Secure Shell) is a network protocol that provides authenticated, encrypted access to remote systems. Administrators rely on it to open shell sessions on servers, edge devices, and other infrastructure components.
SSH uses cryptography to authenticate both ends of a connection (the client verifies the server's host key, and the server verifies the user's key or password) and encrypts the session so that third parties can neither read nor tamper with it. That doesn't mean a default SSH installation is automatically safe to use as is within your environment. Real-world deployments need robust access controls, auditing, and key rotation so that SSH fits into your existing business and security processes.
In this article, you’ll learn how to securely use SSH to connect to devices in remote working scenarios. Because this ultimately requires devices to communicate across separate physical networks, it’s imperative that you take a defense-in-depth approach to protect your connections.
Why Is SSH So Important?
SSH is a ubiquitous connection protocol that’s become the default way to establish shell sessions on remote devices. It’s a tool administrators instinctively reach for when remote access is required.
Unlike predecessors such as Telnet, which sent credentials and session data in plaintext, SSH is designed for secure connections, with authentication and encryption built in. Several public-key algorithms are supported for authentication, including RSA, ECDSA, and Ed25519; DSA was supported historically but is deprecated and disabled by default in modern OpenSSH releases.
SSH can do more than open remote shell sessions. It also supports file transfers, typically initiated with scp or sftp, and port forwarding, which lets you reach network applications running on the remote host (or behind it) as if they were local.
Securing SSH Access for Remote Workforces
Remote work brings unique operational challenges. Historically, servers were usually on the same physical network as an administrator’s workstation. Now, they’re often on a completely different network that’s hundreds or thousands of miles away—either in a public cloud such as AWS or Azure or in your own private data center with users connecting from home.
Standard SSH implementations, of which OpenSSH is the most popular on Linux systems, can still support this scenario. After all, SSH was designed for secure remote access.
But for a simpler user experience as well as further enhanced security, your remote teams can benefit from alternative solutions that are fully integrated with your private network layers.
Using Tailscale to Secure SSH Access
Tailscale is a mesh VPN service that connects your devices into a private network (a tailnet) using the WireGuard protocol. It includes an SSH mode, Tailscale SSH, that lets you access the devices within that network.
With Tailscale SSH enabled, tailscaled answers SSH connections arriving on port 22 of the device's Tailscale address, so you no longer need to run OpenSSH on the machines you connect to (an existing OpenSSH server can keep serving non-tailnet interfaces, but Tailscale handles the tailnet side). Devices are reachable only over the tailnet, without being exposed to the internet. This simplifies connections and enables Tailscale-managed functionality such as access control lists and key rotation, which we'll explore below.
Tailscale is quick and easy to deploy. It supports Windows, macOS, Linux, iOS, and Android, as well as integrations with major cloud providers and container orchestrators. Once you’ve set it up and enabled SSH, remote workers on any platform can seamlessly access the devices and endpoints that are part of your Tailscale network (tailnet).
Here’s how Tailscale supports simple and secure SSH for remote workers.
Access Control Lists
Managing SSH access is hard: you have to create Unix user accounts and place public keys into authorized_keys files to set up new users and grant them access to your hosts, and you must remember to revoke that access when people leave your organization or no longer need it. A key forgotten on one host is a standing backdoor.
Tailscale SSH removes this complexity. You centrally manage SSH access policies using Tailscale access control lists, which specify which users may SSH into which hosts, and as which Unix users. You can modify policies on the fly without reconfiguring any of your devices.
To remove a user's access, you need only remove them from the relevant ACL rules or groups, or suspend their Tailscale account. This eliminates the risk of users silently retaining access long after they should have been deprovisioned.
Use Your Existing Identity Provider
Tailscale uses your existing identity provider for authentication. This ensures that all the constraints you’ve enabled on the authentication platform, such as mandatory 2FA, need to be met before users can access your network. Tailscale natively supports Apple, Google, GitHub, Microsoft, Okta, and OneLogin logins, and this list can be extended with custom OIDC integrations.
Furthermore, Tailscale lets you require reauthentication before SSH access is granted. You enable this with a "check" rule in the ssh section of your policy file; its checkPeriod setting mandates a fresh login either on every SSH invocation ("always") or once a specified period has elapsed.
Reauthentication lets you assert that the user was still authorized at the moment they opened the connection, not just when their device first joined the tailnet. Even if an attacker compromises a device that's already on your tailnet, they can't open SSH sessions to check-protected hosts without completing a fresh login with your identity provider.
Automatic Key Management
Using Tailscale for SSH ends the clunky process of managing and distributing SSH keys. Unlike regular SSH workflows, which require administrator intervention whenever a new device or user must be onboarded, Tailscale sets up encrypted access between the devices in your network automatically. You can forget about running ssh-keygen and copying id_rsa.pub files around.
Tailscale also rotates the keys that secure your private network. Node keys carry an expiry you configure per tailnet (the default is 180 days), after which the device must reauthenticate, and the WireGuard session keys that encrypt traffic are renegotiated far more often. Key expiry bounds how long a stolen node key stays useful; if you know a device has been compromised, don't wait for expiry but remove the device or expire its key from the admin console immediately.
Each new device generates its own key pair locally when it joins the tailnet. The private key never leaves the device, and Tailscale's coordination server distributes only the public key to the peers that are allowed to talk to it.
End-to-End Encryption with WireGuard
Tailscale encrypts all network communications using the WireGuard protocol. It's open source, modern, and built specifically for VPN tunnels, with a far smaller codebase than older VPN protocols.
Tailscale SSH traffic is carried inside WireGuard tunnels between peers, and the SSH protocol's own encryption still applies on top. The WireGuard layer also authenticates the peer by its node key, so a connection to a host can only originate from a device the tailnet already knows. This provides an extra layer of protection and tamper resistance.
No Public SSH Server Exposure
Using Tailscale for remote access means you don't have to publicly expose an SSH server on your devices. This reduces your attack surface: nothing listens on a public port, so your hosts won't show up in internet-wide scans or receive the constant password-guessing traffic that any public port 22 attracts.
Instead of installing OpenSSH, exposing it on a public port, generating key pairs, and distributing them to clients, you install Tailscale on each device, enable Tailscale SSH on the hosts you want to reach (tailscale up --ssh), and use your normal ssh command with the host's tailnet name to connect.
Use Session Recording to Capture Audit Data
SSH connections are convenient, but they can pose compliance headaches. It’s difficult to obtain oversight of who’s connected to each host and which commands they’ve run.
Tailscale includes built-in SSH session recording that captures all terminal input and output. You enforce it with the recorder and enforceRecorder settings on the relevant ssh rules in your ACL policy.
Recordings are an invaluable source of audit data: use them to support security investigations or simply to review what remote workers have done on a host. They're stored in asciinema format, so you can inspect them as text, replay them in a terminal, and convert them to video. Because a recording contains everything that appeared on the terminal, treat recordings as sensitive data and restrict who can read them.
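The policy below is an added example, not part of the original article or of Tailscale's own documentation. It shows how the three controls described above (ACL-based SSH access, check-mode reauthentication, and enforced session recording) fit together in one Tailscale policy file. It's written in HuJSON, the JSON superset with comments and trailing commas that Tailscale's policy editor accepts. The group, tag, and user names (group:ops, tag:prod, tag:recorder, alice@example.com, bob@example.com) are assumptions for illustration.

```json
{
  // Who is in the operations group (assumed identities for this example).
  "groups": {
    "group:ops": ["alice@example.com", "bob@example.com"],
  },

  // Who may apply the tags used below. Servers are tagged tag:prod;
  // the session recorder node is tagged tag:recorder.
  "tagOwners": {
    "tag:prod":     ["group:ops"],
    "tag:recorder": ["group:ops"],
  },

  // Network-layer rules. Tailscale SSH still requires port 22 on the
  // destination to be reachable under these rules; the "ssh" section
  // below only decides who may log in, and as which Unix user.
  "acls": [
    // Operators may reach production servers on SSH only.
    {"action": "accept", "src": ["group:ops"], "dst": ["tag:prod:22"]},
    // Recorded hosts must be able to push session data to the recorder
    // (port 80 is the recorder's default listener).
    {"action": "accept", "src": ["tag:prod"], "dst": ["tag:recorder:80"]},
    // Everyone may reach their own devices.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self:*"]},
  ],

  "ssh": [
    // Low risk: each member may SSH into their own devices as a
    // non-root user with no extra prompt.
    {
      "action": "accept",
      "src":    ["autogroup:member"],
      "dst":    ["autogroup:self"],
      "users":  ["autogroup:nonroot"],
    },
    // High risk: production root access. "check" forces a fresh
    // identity-provider login; "checkPeriod" caches it for 8 hours
    // ("always" would prompt on every connection). Sessions are
    // recorded, and refused if no recorder node is reachable.
    {
      "action":          "check",
      "src":             ["group:ops"],
      "dst":             ["tag:prod"],
      "users":           ["autogroup:nonroot", "root"],
      "checkPeriod":     "8h",
      "recorder":        ["tag:recorder"],
      "enforceRecorder": true,
    },
  ],
}
```

Onboarding a new production host then means tagging it when it joins (tailscale up --ssh --advertise-tags=tag:prod); offboarding a person means removing them from group:ops. Two things worth knowing before you apply a policy like this: the network-layer acls entry for port 22 is required in addition to the ssh rule, and with enforceRecorder set, connections to tag:prod are refused whenever no tag:recorder node is reachable, which is what you want for audit completeness but will bite you if the recorder goes down for maintenance.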
Although SSH is ubiquitous on desktop devices, it’s less accessible on mobile operating systems. These platforms lack built-in SSH clients, and it’s often cumbersome to import keys into third-party clients.
Tailscale SSH works on all your devices, regardless of operating system. Once connected to your tailnet, you can SSH into the hosts you've been granted access to, addressing them by their MagicDNS name, without copying private keys around or learning the target host's IP address.
This flexibility ensures remote workers can securely bring their own devices, even if they prefer a different platform to colleagues. It also accommodates workflows where individuals sometimes require field access from their mobile devices. Tailscale offers the same combination of convenience and security everywhere you work.
Tailscale: Secure SSH Access for Remote Workers
SSH is venerable, but on its own it's no longer sufficient for modern remote work. Yes, OpenSSH supports CA-signed certificates with expiry, hardware-backed keys (FIDO2 security keys), and key rotation, but in practice organizations rarely use these features because of the operational overhead.
Even when SSH is correctly hardened for security, its lack of centralization means it’s relatively difficult to administer. You don’t have easy oversight of who can access which device, nor is there a straightforward way to manage key distribution.
Tailscale SSH addresses these problems by letting remote workers connect securely between devices with almost no per-device configuration. At the same time, it improves security by letting administrators use central ACLs to control access, manage key rotation, and enforce reauthentication before connections to sensitive endpoints are allowed. It achieves this within a private, end-to-end encrypted network that's opaque to the outside world.
Get started with Tailscale today.
Frequently Asked Questions
Here are some answers to common questions.