What is Tailscale SSH? | Tailscale Explained

Captions
Hey everyone, it's Alex from Tailscale here, and in today's video we're going to be talking about Tailscale SSH, one of my absolute favorite features. I use SSH all day, every day to connect to devices in development and production environments, and I'm going to show you how we can use tags to isolate the identity of those connections and make things more secure across your infrastructure. So if you've been looking for the fastest way to get started with Tailscale SSH, then this is the video for you.

In order to get started with Tailscale SSH, you'll need to turn it on. Now, the easiest way to do that is to go to the console of your system. In my case this is a DigitalOcean droplet, and I'm going to do "tailscale status" just to double-check I'm on the correct tailnet, and then "tailscale set --ssh". What you'll notice in the console underneath here: we can see that a little green button has appeared on my Tailscale admin console. So now what we can do is we can SSH into that node using the Tailscale machine name, so no IP addresses are required. I can do dev-web-nyc1, and that lets me SSH from my local dev VM, behind a firewall, all that kind of stuff, out to a machine running on DigitalOcean with no SSH keys configured whatsoever. So if I just show you the SSH directory of my local Ubuntu host, there's no keys in there, I didn't have to type in any passwords, and I can SSH now as root into that cloud server.

Now, the paranoid amongst you might be thinking that was too easy. Perhaps you'd like to add a little more friction and a couple more checks to this process, so let's jump into the Tailscale ACLs. These can be found in the admin console under the Access Controls panel. If we change this action from accept to check (I'm also going to change the check period to every minute; the default, by the way, is 12 hours on this, and I'm going to change it to every minute just so that it forces another check for me for the demo), it's now going to say we need to verify that you are who you say you are, please log in and authenticate. And as soon as I do that, I sign in with my Google account here, we'll see that in real time: boom, we're now authenticated to that remote SSH node with another check.

Now, what happens if we're on call and we get paged at an inconvenient time? Maybe we don't have our laptop with us, but we do have the ability to, you know, borrow a relative's laptop or a friend's laptop and actually connect into a web browser. Well, we can create an ephemeral SSH session in the browser. So what this is going to do is it's going to create an ephemeral node and add it to my tailnet in real time. I'm going to connect to this Tailscale node, and you can see that underneath here I've got an SSH console, an ephemeral node. So what that means is, as soon as this SSH session finishes, this node is going to delete itself from my tailnet, and I can do whatever I was going to do on that node as if I was connected from a real browser or a real terminal.

We do have some safety wheels in place too. So, for example, if you were to do "tailscale set --ssh=false", it's going to say "are you sure you want to do this?", because this is going to break the SSH connection for you. So what we have to do in this case is do "--accept-risk=lose-ssh", because this is going to kill our connection. You can see immediately the ephemeral connection terminated and the SSH badge was removed from our tailnet here. Now if I refresh the page, in just a moment or two this ephemeral node will disappear.

The next thing I'd like to talk to you about are tags. Now, these are absolutely vital for restricting access to different types of resources, so we don't necessarily want our dev machine to be able to access production, for example. You know, for the moment, right now I can do dev-web-nyc1 as root, I can SSH there, I can also SSH as root to production straight from my VM, and that's because at the moment the identity is set to my gmail.com account; these devices were added by me, so they assume my identity. Now what we can go ahead and do in our access controls is define a bunch of tags. You see here I've got two: I've got a tag for prod and a tag for dev. I've also got a couple of user groups. I've got a group for admins, of which I am a member, so my identity gets subsumed into this group admin. I've also got a dev group; this Amal user, for example, is in the developers team. And then under SSH policy, a little bit further down, I've got configured a rule which allows developers to SSH into nodes tagged with the dev tag.

So to do this, we want to jump over to the Machines page and, actually on my developer machine, click the three-dot menu, click "Edit ACL tags" and add the tag of dev. I'm going to do the same thing for the production node: I'm going to add the tag of prod. And you can see that the identity of these nodes is now no longer mine; it doesn't have my username underneath them, it has the tag as the owner of this instance. And so what this means is that now, in fact, I left the SSH connection open in the background whilst I added that tag, and in real time the access was revoked by the Tailscale SSH engine. So if I try and SSH back into production now from this machine, it's not going to let me, but it will let me connect back into my dev machine in the cloud using the ACLs that we provisioned underneath in the access controls.

So let's go ahead and show you this in action in real time. Let's say I want to enable myself to SSH into production. I'm going to allow anybody who's a member of the dev group to access and SSH into a production resource. Now, the members of this group, remember, are defined at the top here, so group dev is my username as well as Amal. I've now added the tag prod to this rule set that's here, I click save, and in real time I'm now able to connect into production using the rules I've just defined in my ACLs. But where it gets really cool is these get pushed down to each client device in real time, so if I go ahead and remove that tag and click save, look, it's instantly, instantly revoked the access to that SSH session in the other window.

Now, these rules are great because they let you control who can access which resources on your tailnet depending on the source group or a certain device, based on things like device posture. We recently added: you can now limit things to say only users running Linux can connect to production, or only those running iOS 17.2, the most recent release at the time of recording, can connect into certain resources, and so on.

Now, wouldn't it be great if, when we're adding a certain node to our tailnet, we could use something like an auth key to automatically define things like the tag? So when a node gets added we don't have to go and manually tag it; we can automatically assign the role or the tag to that node when we create the auth key. So I'm just going to go ahead and show you how to do that real quick. Up in the Tailscale admin console you go to Settings and then click Keys down here on the left, and then when we click Generate auth key we've got a few options. So I'm just going to call this "demo", 90 days is fine, but down the bottom here there's an option called Tags. So now any node that I add to my tailnet with this auth key will automatically assume this tag. This could be really handy for CI/CD instances and things like that, so you've got a Jenkins server or a GitHub Action that's creating an instance with an auth key; it adds the node to your tailnet, does whatever it needs to do, SSHs and does a deploy to production or whatever, and then it only has that permission, and you limit the blast radius of what that SSH connection can do based on the auth key with the automatic tagging underneath.

So those are the basics of Tailscale SSH. I sometimes wonder how we lived without this for so long, having a centralized way to manage SSH keys. I mean, in previous roles I've been in, I've had folks who have written complicated Ansible playbooks to add and remove SSH keys, and inevitably, when people get offboarded, those keys remain on the boxes for longer than they perhaps should. When folks are getting onboarded, it takes too long; there's just too much friction to get the keys on the boxes in the first place. With Tailscale SSH, all of that becomes a complete non-issue. And so you can get started with Tailscale with up to three users and 100 devices for free at tailscale.com. Until next time, I've been Alex from Tailscale.
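The policy the video builds up in the admin console (two tags, two groups, and an SSH rule with the "check" action and a one-minute check period), written out as a Tailscale ACL policy file. This is an added example, not the video's own policy file: the user addresses alex@example.com and amal@example.com are constructed placeholders, and the network-ACL entry allowing port 22 is included because Tailscale SSH only succeeds when the ACLs also permit TCP port 22 to the destination.

```json
{
  "groups": {
    "group:admin": ["alex@example.com"],
    "group:dev": ["alex@example.com", "amal@example.com"]
  },

  "tagOwners": {
    "tag:dev": ["group:admin"],
    "tag:prod": ["group:admin"]
  },

  "acls": [
    {
      "action": "accept",
      "src": ["group:dev"],
      "dst": ["tag:dev:22"]
    }
  ],

  "ssh": [
    {
      "action": "check",
      "checkPeriod": "1m",
      "src": ["group:dev"],
      "dst": ["tag:dev"],
      "users": ["root", "autogroup:nonroot"]
    }
  ]
}
```

The step shown live in the video (letting the dev group reach production, then revoking it again) is the same edit in this file: add "tag:prod" to the "dst" list of the SSH rule (and to the matching "acls" entry) and save, then remove it; the check period of "1m" is a demo setting, and the default of 12 hours is what you would normally keep so that users are not re-prompted on every session. Once a machine carries a tag, its identity in the tailnet is the tag rather than the user who enrolled it, which is why the user-based access the author had before tagging disappears until a rule grants it explicitly.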
Info
Channel: Tailscale
Views: 3,344
Id: 08clF9srJ2k
Length: 9min 9sec (549 seconds)
Published: Fri Dec 22 2023