Tailscale is a way to create a mesh network between your devices using end-to-end encryption. The company has recently announced Tailscale SSH, which allows you to have SSH (Secure Shell or Secure Socket Shell) connections that are done over Tailscale. Instead of using SSH keys, which then have to be distributed to every host, or certificates that have to be installed in every location, Tailscale SSH uses the fact that the devices are already on Tailscale, allowing you to manage the authentication of your SSH connection based on your SSO (Single Sign-On).
In this episode of TFiR Let’s Talk, Swapnil Bhartiya sits down with Maya Kaczorowski, Product Manager at Tailscale, to discuss Tailscale SSH in beta and how it simplifies remote connections, taking away the need for SSH keys. She explains the motivation behind creating Tailscale SSH and what sticking points it is tackling.
Key highlights of this video interview are:
- Tailscale has recently released Tailscale SSH, which allows you to have an SSH connection that is done over Tailscale. It encrypts the connection and authorizes it based on your access controls in Tailscale. Kaczorowski explains how Tailscale SSH is different from traditional SSH and the benefits of their offering.
- Kaczorowski explains the steps to set up Tailscale SSH.
- The setup and experience for the admin are different since you do not need to generate a key pair or get the private key onto your device. Kaczorowski describes how the experience is different for a user and what remains unchanged.
- Access controls are defined in the ACLs in Tailscale: the ACL is pushed to each device individually, and that device then enforces access locally on incoming traffic. Kaczorowski explains how access control for Tailscale SSH works the same way and how you can revoke access.
- Kaczorowski shares the three main motivations behind Tailscale SSH: firstly, the company’s own frustration with managing SSH keys; secondly, looking at their user base and wanting to improve their SSH experience; and thirdly, wanting to create a solution for SSH similar to what Tailscale already does for WireGuard.
- Tailscale SSH is available in beta on all their plans, both paid and free. However, Kaczorowski clarifies that Tailscale SSH ACLs count toward the user and ACL limits of some paid plans.
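To make the setup the highlights describe concrete, here is an added example of a Tailscale policy file that grants SSH access based on identity rather than keys. It is not taken from the interview or from Tailscale's own documentation; the group members, the `tag:prod` tag and the `12h` re-check period are constructed values. The destination host has to be opted in first with `tailscale up --ssh` (a real CLI flag), and the network-level `acls` rule for port 22 is needed alongside the `ssh` rule. The second `ssh` rule, which requires periodic identity re-verification for root, goes a step beyond what the interview covers.

```hujson
// Tailscale policy file (HuJSON). Constructed example: the people, the tag and
// the re-check period below are placeholders, not real identities or hosts.
{
  "groups": {
    // Group membership is the revocation point the interview describes:
    // removing a person here and saving the policy pushes the change to
    // every device within seconds, with no per-host key cleanup.
    "group:sre": ["alice@example.com", "bob@example.com"],
  },
  "tagOwners": {
    "tag:prod": ["group:sre"],
  },
  "acls": [
    // Network-level rule: port 22 on tagged hosts must be reachable from the
    // group before the "ssh" section below is consulted at all.
    {"action": "accept", "src": ["group:sre"], "dst": ["tag:prod:22"]},
  ],
  "ssh": [
    // Members of group:sre may SSH to tag:prod hosts as any non-root user,
    // authenticated by their Tailscale (SSO) identity rather than a key pair.
    {
      "action": "accept",
      "src":    ["group:sre"],
      "dst":    ["tag:prod"],
      "users":  ["autogroup:nonroot"],
    },
    // Root sessions require the user to re-verify their identity at most
    // every 12 hours ("check" mode), which limits how long a compromised
    // endpoint can reuse an already-authorised root session.
    {
      "action":      "check",
      "checkPeriod": "12h",
      "src":         ["group:sre"],
      "dst":         ["tag:prod"],
      "users":       ["root"],
    },
  ],
}
```

With this policy saved, a member of `group:sre` runs their ordinary SSH client against a `tag:prod` host and is authorised by the policy the host received; anyone removed from the group loses access as soon as the updated policy reaches that host.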
The summary of the show is written by Emily Nicholls.
Here is the automated and unedited transcript of the recording. Please note that the transcript has not been edited or reviewed.
Swapnil Bhartiya: Hi, this is your host, Swapnil Bhartiya, and welcome to another episode of TFiR Let’s Talk. And today we have with us Maya Kaczorowski, product manager at Tailscale. Maya, it’s great to have you on the show.
Maya Kaczorowski: Thank you so much for having me.
Swapnil Bhartiya: We have hosted Tailscale earlier, so our audience… I do know a bit about the company, but since you are here, and speaking from the context of the announcement that we are going to talk about, which is Tailscale SSH, tell us quickly what Tailscale is all about, so that folks will be able to relate to the announcement as well.
Maya Kaczorowski: Tailscale is a way for you to create a mesh network between your devices, to create like a virtual private network, a VPN, so that all your devices are connected together using end-to-end encryption using WireGuard. So that means that you can have your laptop connecting to a server that you have in the cloud, at your friend’s house, whatever it happens to be, and that connection is encrypted and uses your identity from your SSO providers, so your Google identity or GitHub identity, whatever it happens to be.
Swapnil Bhartiya: Excellent. Thanks for talking about the company. Now, I want to talk quickly about yourself. Your career also spans across… Talk a bit about, quickly, your background and also as a product manager, what is your job at Tailscale?
Maya Kaczorowski: Sure. I’ve been at Tailscale for almost a year. Before Tailscale, I was at GitHub working on software supply chain security and before that at Google Cloud, working on container security and working on encryption key management. Been in enterprise security for about a decade, a PM for six or seven years.
In terms of what I do at Tailscale, a product manager role changes in [inaudible 00:01:37] of different places. I have the privilege of working with a lot of very talented, very smart engineers and colleagues in general. And so a lot of what I work on is making sure that what we get out the door fits the customer need and is a really refined experience. Our very smart engineers come up with a lot of the functionality that we should be building and how to make it even better for the user.
Swapnil Bhartiya: Perfect. Now let’s talk about Tailscale, as I said, because when we do talk about SSH in the system, security, you have to either create your keys on a local machine… There are so many ways, all those things. So the reason I want to ask is, and also I want to relate to your previous experience is… We’ll find a security angle as well there. So let’s talk about what is Tailscale SSH and how it’s different from either traditional SSH or how it’s different when you deploy SSH on a mesh network.
Maya Kaczorowski: For sure. So Tailscale SSH allows you to have SSH connections that are done over Tailscale. So instead of using SSH keys, which you then have to distribute to every host, or certificates or using a bastion, which you then have to install in every location that you’re going to try to SSH from, Tailscale SSH uses the fact that you have a mesh network and uses the fact that your devices are already on Tailscale, and lets you manage the authentication of your SSH connection based on your Tailscale identity, based on your SSO. Encrypts the connection, both using SSH and using WireGuard, which is part of Tailscale, and authorizes the connection based on your access controls in Tailscale. So you can control exactly who has access to what in your network, based on a configuration file and code. You can revoke access when somebody leaves or changes teams or whatever it happens to be. And you know that that connection is end-to-end encrypted and secured.
Swapnil Bhartiya: Perfect. And the interface is CLI-based or GUI as well?
Maya Kaczorowski: So to set up Tailscale SSH, you need to opt in a device, and that’s through the CLI. And then once you opt it in, the device, to Tailscale SSH, so as a destination for your SSH connection, you need to also make sure there’s an ACL, an access control, that allows a user to connect to that device. You can modify that through the UI, on the web, or through the API. And once you have both that device opted in and an ACL that permits access, then the user can just connect directly. So they can just use their normal terminal, their normal SSH client, whatever they prefer to use, to then connect directly to that device.
Swapnil Bhartiya: So how different is the [inaudible 00:04:15], irrespective of Windows, PowerShell, macOS or Linux, and I fire up a terminal or I can log through my SSH. How different is the experience for a user?
Maya Kaczorowski: That’s actually kind of the magic: it isn’t. So once you set it up, there’s nothing that’s different for the user. They can use their normal SSH client. They can use the scripts and things that they’ve always had as part of that SSH connection.
The setup is different and the experience for the admin is different. You don’t have to generate a key pair. You don’t have to figure out how to store your private key somewhere secure. You don’t have to figure out how to get your private key onto your iPad, if you’re trying to code from your iPad. That part is gone, but the actual core SSH experience is unchanged.
Swapnil Bhartiya: Excellent. I also want to talk quickly about the admin part as well. How do they manage, of course, access to authenticate the user also? When people move out or they want to revoke access, how does the whole process work? How much control and visibility do they get into who has access to what?
Maya Kaczorowski: When you define your ACLs that you have in Tailscale, you can define which source, like which user, has access to which destination, like which device or tag or whatever it happens to be, within your network, which IP range in your network. Based on that access control, Tailscale will allow or not allow the connection. This is done by pushing the ACL to each device individually and then having the device enforce access locally on that device to any incoming traffic.
So Tailscale SSH works very similarly. You can define centrally what users or what sources can connect to what destinations in your network and push those configurations down to the devices and then have those enforced locally. And that’s pushed almost instantaneously. So if I wanted to change teams or remove your access, or whatever it happens to be, then I could just update the ACLs and it’ll automatically get pushed to the device within a matter of seconds and you would no longer have access to SSH to that device.
Swapnil Bhartiya: Excellent. Thanks for explaining that. Now, I also want to talk a bit about what is the driver or motivation behind this. First of all, if you just look at this, there are so many problems that developers… Some problems we are so used to, we accept them, we have to make those trade-offs, but what is specifically… Like, “We need to bring Tailscale SSH because this is addressing this specific pain point, which we think is important.”
Maya Kaczorowski: I think part of the motivation is just internally, coming from our own ability and our own frustration with having to manage SSH keys and realizing that when somebody leaves the company or things like that, you have to go touch every device to remove it. It’s not practical. And it doesn’t scale very well.
Some of the other motivation comes from our user base. We looked at our user base and saw that a large amount of our connections are SSH connections and figured, “How can we make that even better? How can we make that experience of SSH into another device even better because you’re using Tailscale?”
And then a third motivation, although I’m sure there’s more than just three, is that if you look at what Tailscale does really well for WireGuard… So WireGuard is the underlying encryption and network protocol that Tailscale uses, it’s about tying WireGuard to your user identity and managing WireGuard configurations. WireGuard thinks about your identity in terms of your public key, instead of, say, a public IP address. That’s really similar to how SSH thinks about your identity. SSH thinks about your identity in terms of a public key. And so we figured if we can do this kind of solution for WireGuard, for network connections, the same model, the same idea applies to SSH, in terms of managing your public keys, giving you access to certain things, letting you make that connection, et cetera. The model translates really well from WireGuard to SSH.
Swapnil Bhartiya: And once again, it runs on every platform, right? Whichever platform a developer is using, it’s not specific to any particular… Mac, Windows or Linux or whatever, right? Or the cloud?
Maya Kaczorowski: The destination device has to be a Linux device for now, but your source device can be any device that runs Tailscale, so you could SSH from your iPad to your Linux workstation, from your Android phone, whatever it happens to be that you want to SSH from.
Swapnil Bhartiya: Now let’s quickly talk about how folks can access it. Is it available for trial or demo, free or do they have to pay for it?
Maya Kaczorowski: Tailscale SSH is available in beta for everyone. It’s available for free, included in all plans, including our free plan. Tailscale SSH ACLs count as part of the unique users and ACLs that are limited in some of our paid plans.
Swapnil Bhartiya: Maya, thank you so much for taking time out today to talk about not only Tailscale SSH, but also in general the pain points some developers face. You said you are scratching your own itch and you realized that it’s helpful for everybody else, and that’s a typical tech story that we hear every day.
Thank you for sharing all those insights. And I would love to have you back on the show. Maybe we can do a demo also in the future. Thank you.
Maya Kaczorowski: Thank you so much and would love to do a demo.