
Tailscale SSH

The Tailscale VPN service (https://tailscale.com/) supports transparent SSH authentication when connecting between hosts in a tailnet. Authentication and authorization are enforced by Tailscale policies instead of using SSH passwords or keys.

When the Sandfly node is on a machine that is part of a tailnet, Sandfly supports connecting to target hosts via Tailscale SSH.

Scanning with Sandfly

To scan a host in your tailnet using Tailscale SSH, ensure both the Sandfly node host and the target host you wish to scan are in the same tailnet.

Target host setup

If you are using a dedicated account for Sandfly on the target hosts, create that user account. The user must have sudo permission. If sudo requires a password for this user, make sure the user has a password set and make a note of it.

Enable the Tailscale SSH server on the target host with the command: tailscale up --ssh

Tailscale ACL setup

For Tailscale SSH to allow connections, the network ACL and SSH policies must allow Sandfly nodes to connect to target hosts with the correct user. Specifically:

  1. The network policy must allow the Sandfly node(s) to connect to the target host(s) on port 22.
  2. The SSH policy must allow the Sandfly node(s) to connect to the target host(s) with the "sandfly" or other desired user.

For management of multiple hosts, a simple approach is to tag all of your Sandfly nodes as "sandfly-node" and all of your target hosts as "sandfly-target", then create ACLs allowing connectivity from the sandfly-node tag to the sandfly-target tag.

A partial Tailscale ACL to allow Sandfly to connect to all of the "sandfly-target" hosts as the user named "sandfly" could be:

{
  "acls": [
    {
      "action": "accept",
      "src":    [ "tag:sandfly-node" ],
      "dest":   [ "tag:sandfly-target:22" ]
    }
  ],
  
  "ssh": [
    {
      "action": "accept",
      "src":    [ "tag:sandfly-node" ],
      "dest":   [ "tag:sandfly-target" ],
      "users":  [ "sandfly" ]
    }
  ]
}

Sandfly setup

To add hosts to Sandfly, first create a credential in Sandfly. Tailscale SSH does not use passwords or SSH keys, but it does need to know the username the connection should use. Also, if the user requires a sudo password, Sandfly uses the user's password from the credential you set up in Sandfly:

  1. Create a Username/Password credential in Sandfly.
  2. Set the username to the user on the target host(s) Sandfly should connect as (matching the allowed user in the Tailscale SSH policy).
  3. If the user requires a sudo password, enter that password in the credential. If the user does not need a sudo password, enter a placeholder password (e.g. "test1234") since the password field is required.

You may now add hosts using the new credential. You must ensure that Sandfly connects to the host over the tailnet, so use the host's 100.x.x.x IP address assigned by Tailscale.

Known Limitations

Because the Sandfly node runs in a Docker container on the node host, Tailscale MagicDNS names (the machine short name or machine-name.tailxxxxxx.ts.net) may not resolve inside the container. For reliable connectivity, add hosts to Sandfly by their Tailscale IP address (100.x.x.x).

Sandfly connections to target hosts are non-interactive, so the "check" mode of Tailscale SSH that forces occasional re-authentication by a user is not supported. The Tailscale SSH policy must be "action": "accept", not "action": "check".
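The following script is an added example, not part of the Sandfly or Tailscale documentation. It checks a policy file against the two requirements from the Tailscale ACL setup section (an accept ACL to the target tag on port 22 and an SSH rule for the Sandfly user) and flags the "check" action that the limitation above rules out. It assumes the policy is strict JSON as shown on this page (real Tailscale policy files may contain comments that json.loads rejects), and the tag and user names default to the ones used on this page.

```python
import json

# Constructed sample policy (not from the page): the ACL matches the page's
# example, but the SSH rule uses "check", which Sandfly's non-interactive
# sessions cannot satisfy.
SAMPLE_POLICY = """
{
  "acls": [
    {"action": "accept", "src": ["tag:sandfly-node"], "dest": ["tag:sandfly-target:22"]}
  ],
  "ssh": [
    {"action": "check", "src": ["tag:sandfly-node"], "dest": ["tag:sandfly-target"], "users": ["sandfly"]}
  ]
}
"""

def port_in_spec(spec, port):
    """Match a dest port spec ("*", "22", "22,443", "20-25") against a port number."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def network_allows(policy, src, dst, port=22):
    """True if an 'acls' rule with action accept permits src -> dst on the port."""
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept" or src not in rule.get("src", []):
            continue
        for dest in rule.get("dest", []):
            host, _, ports = dest.rpartition(":")  # host itself contains ':' (tag:...)
            if host == dst and port_in_spec(ports, port):
                return True
    return False

def ssh_action(policy, src, dst, user):
    """Action of the first 'ssh' rule matching src, dst and user; None if no rule matches."""
    for rule in policy.get("ssh", []):
        if (src in rule.get("src", []) and dst in rule.get("dest", [])
                and user in rule.get("users", [])):
            return rule.get("action")
    return None

def check_sandfly_policy(policy_text, src="tag:sandfly-node",
                         dst="tag:sandfly-target", user="sandfly"):
    """Return a list of problems; an empty list means both requirements are met."""
    policy = json.loads(policy_text)
    problems = []
    if not network_allows(policy, src, dst, 22):
        problems.append(f"no accept ACL from {src} to {dst} on port 22")
    action = ssh_action(policy, src, dst, user)
    if action is None:
        problems.append(f"no SSH rule for {src} -> {dst} as user {user}")
    elif action != "accept":
        problems.append(f'SSH rule action is "{action}"; Sandfly needs "accept"')
    return problems

if __name__ == "__main__":
    for line in check_sandfly_policy(SAMPLE_POLICY) or ["policy OK"]:
        print(line)
```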