Satellite Tailscale — Ep.6

🛰️ Satellite Tailscale — Episode 6: Beaming Commands Across the Globe (Tailscale SSH)

"Talk to the hand."
— Arnold Schwarzenegger, Last Action Hero.
"Talk to the terminal. Securely. Without managing SSH keys."
— Tailscale SSH, more practically.


🔑 The SSH Key Problem

Let us be honest about traditional SSH key management. It goes like this:

  1. Generate an SSH key pair. ✅
  2. Copy the public key to the remote machine. ✅
  3. Add the private key to your SSH agent. ✅
  4. Six months later, get a new device, repeat step 1.
  5. Remember to revoke the old key on every server. 😬
  6. Forget one server. 😬😬
  7. Wonder whether that old key is still out there somewhere. 😬😬😬

This is fine for a single server. It is a maintenance burden for a constellation of devices. And when your "remote machine" is your home Mac Mini and your client is your iPad Mini running a terminal app, the story gets even more interesting — because copying SSH keys between iOS devices requires additional choreography.

Tailscale SSH solves this elegantly: it replaces key-based authentication with identity-based authentication. Your Tailscale identity is your SSH credential. No keys to generate, copy, rotate, or accidentally leave on an old laptop.


📋 SIPOC — Tailscale SSH Setup

| Suppliers | Inputs | Process | Outputs | Customers |
|---|---|---|---|---|
| Tailscale SSH feature | Your tailnet (Episodes 2–5) | Enable Tailscale SSH on host → Set ACL SSH policy → Connect | Identity-aware SSH access, no keys needed | You, SSHing from your iPad Mini |
| Tailscale coordination server | Your identity (from your SSO provider) | SSH session authorised via tailnet identity | Secure shell session on remote device | Any device in your tailnet |
| macOS SSH daemon (sshd) | Tailscale ACL SSH policy (from Episode 5) | Tailscale intercepts and authenticates SSH connections | Audit log of all SSH sessions in admin console | Your security-conscious self |
| iOS terminal app (e.g., Prompt 3, a-Shell) | Mac Mini M4 Pro running tailscaled | One-time session check policy (optional) | SSH session with no key exchange required | Future you, troubleshooting from a coffeeshop |

🚀 Enabling Tailscale SSH

Tailscale SSH is enabled per device on the server side (your Mac Mini). It runs alongside the regular SSH daemon — or, if you prefer, can replace it entirely.

On the Mac Mini M4 Pro

# Enable Tailscale SSH on this device
sudo tailscale up --ssh

# Verify Tailscale SSH is active
tailscale status
# Look for "SSH" in the output

Alternatively, you can configure this permanently in the Tailscale preferences on macOS:

  1. Click the Tailscale menu bar icon.
  2. Open Preferences.
  3. Enable Allow remote access to this device using Tailscale SSH.

That is all. Tailscale SSH is now running on your Mac Mini.

"Hasta la vista, SSH keys."
— Arnold Schwarzenegger, sort of, Terminator 2.


📋 Configuring the SSH Policy (Recap)

In Episode 5, we already added this to our ACL policy:

"ssh": [
  {
    "action":  "accept",
    "src":     ["group:owner"],
    "dst":     ["tag:home-base"],
    "users":   ["autogroup:nonroot"]
  }
]

This means: any device owned by group:owner (that is you) can SSH into any device tagged tag:home-base (your Mac Mini) as any non-root user.

If you want to require session checks — where Tailscale asks you to re-confirm your identity for sensitive sessions — you can add:

"ssh": [
  {
    "action":      "check",
    "src":         ["group:owner"],
    "dst":         ["tag:home-base"],
    "users":       ["autogroup:nonroot"]
  }
]

With "action": "check", Tailscale will prompt you to verify your identity in a browser when you start a new SSH session. This is useful for high-security scenarios — for example, if you are about to run something destructive and want a speed bump to think about it.

For day-to-day coffeeshop SSH access, "action": "accept" is perfectly appropriate.
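
The two rules above differ only in `action`, so the choice is easy to review mechanically. The Python sketch below is an added example, not code from this series or from Tailscale: it lints the `ssh` section of a policy. The two extra rules, the `lint_ssh_rules` name, and the severity labels are assumptions of the example.

```python
import json

# Rule 0 is the article's rule; rules 1 and 2 are constructed variants for contrast.
POLICY = json.loads("""
{"ssh": [
  {"action": "accept", "src": ["group:owner"], "dst": ["tag:home-base"],
   "users": ["autogroup:nonroot"]},
  {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:home-base"],
   "users": ["root"]},
  {"action": "check", "src": ["group:owner"], "dst": ["tag:home-base"],
   "users": ["autogroup:nonroot", "root"]}
]}
""")

VALID_ACTIONS = {"accept", "check"}


def lint_ssh_rules(policy):
    """Return (rule_index, severity, message) findings; severities are this example's own."""
    findings = []
    for i, rule in enumerate(policy.get("ssh", [])):
        action = rule.get("action")
        if action not in VALID_ACTIONS:
            findings.append((i, "error", f"unknown action {action!r}"))
            continue
        for field in ("src", "dst", "users"):
            if not rule.get(field):
                findings.append((i, "error", f"missing or empty {field!r}"))
        root_ok = "root" in rule.get("users", [])  # autogroup:nonroot excludes root
        if root_ok and action == "accept":
            findings.append((i, "high", "root login with no re-authentication"))
        elif root_ok:
            findings.append((i, "info", "root login allowed, gated by check"))
        if action == "accept" and "autogroup:member" in rule.get("src", []):
            findings.append((i, "medium", "any tailnet member connects without check"))
    return findings


if __name__ == "__main__":
    for idx, severity, message in lint_ssh_rules(POLICY):
        print(f"rule {idx}: [{severity}] {message}")
```

Tailscale policy files may contain comments and trailing commas, which `json.loads` rejects, so feed the linter strict JSON.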


📲 Connecting from Your iPad Mini

On your iPad Mini, install a terminal app. Good options:

  • Prompt 3 by Panic (polished, excellent SSH client, paid)
  • a-Shell (free, surprisingly capable, also supports Python/Git)
  • iSH (Linux environment on iOS, for the adventurous)
  • SSH Files (combined SSH + SFTP client)

Create a new connection profile:

  • Hostname: mac-mini-m4 (MagicDNS name — no IP needed)
  • Port: 22
  • Username: your macOS username
  • Authentication: Password (yes — no key needed with Tailscale SSH) or use Tailscale's identity auth

Connect. If everything is configured correctly, you will be greeted by your Mac Mini's terminal prompt — from your iPad Mini, from a coffeeshop, via an encrypted WireGuard® tunnel, authenticated by your Tailscale identity.

Last login: Tue Mar 24 09:42:11 2026
willem@mac-mini-m4:~$

That prompt is your Mac Mini. You are now there.

🛸 Fun fact: The entire connection chain — iPad Mini → coffeeshop router → ISP → internet → home router → Mac Mini M4 Pro — is encrypted with WireGuard®, authenticated with your Tailscale identity, and governed by the ACL policy you wrote in Episode 5. All of this is invisible to you. You just typed a hostname and pressed Enter.


📊 Session Auditing

One of the underrated features of Tailscale SSH is audit logging. Every SSH session — when it started, from which device, as which user, for how long — is recorded in the Tailscale admin console under Logs.

This is useful for:

  • Compliance: proving when and how you accessed a device
  • Security: detecting unexpected SSH sessions (someone else in your tailnet)
  • Curiosity: finding out that you SSH'd into your Mac Mini at 02:17 to check whether a long-running script finished (it had not)

The Terminator would keep detailed logs. So should you.
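
To make the "detecting unexpected SSH sessions" use concrete, here is an added Python example (not part of the original post) that reviews session records. The record layout uses only the four fields named above and is constructed for illustration; it is not Tailscale's log export schema. The device names, allowlists and quiet hours are assumptions.

```python
from datetime import datetime

# Constructed records: start time, source device, login user, duration in seconds.
SESSIONS = [
    {"start": "2026-03-24T09:42:11", "src": "ipad-mini", "user": "willem", "seconds": 1260},
    {"start": "2026-03-25T02:17:03", "src": "ipad-mini", "user": "willem", "seconds": 45},
    {"start": "2026-03-25T14:05:40", "src": "old-laptop", "user": "willem", "seconds": 300},
    {"start": "2026-03-26T11:00:00", "src": "ipad-mini", "user": "root", "seconds": 20},
]

EXPECTED_SOURCES = {"ipad-mini"}  # assumed: devices you actually SSH from
EXPECTED_USERS = {"willem"}       # assumed: logins your SSH policy should permit
QUIET_HOURS = range(0, 6)         # assumed: 00:00-05:59 local time


def review_sessions(sessions):
    """Return (start, reasons) for every session that deserves a second look."""
    flagged = []
    for s in sessions:
        reasons = []
        if s["src"] not in EXPECTED_SOURCES:
            reasons.append("unexpected source device")
        if s["user"] not in EXPECTED_USERS:
            reasons.append("unexpected login user")
        if datetime.fromisoformat(s["start"]).hour in QUIET_HOURS:
            reasons.append("outside normal hours")
        if reasons:
            flagged.append((s["start"], reasons))
    return flagged


if __name__ == "__main__":
    for start, reasons in review_sessions(SESSIONS):
        print(start, "->", ", ".join(reasons))
```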


🧪 A Practical Workflow from the Coffeeshop

Here is a typical session from your iPad Mini, sitting in your favourite coffeeshop:

# Connect to Mac Mini
ssh yourusername@mac-mini-m4

# Check what's running
htop

# Check a long-running Docker container
docker ps

# Pull the latest git changes on a project
cd ~/projects/atlas-idp && git pull

# Start a development server
make serve

# Detach gracefully when the flat white is done
exit

All of this, from an iPad Mini, over coffeeshop Wi-Fi, fully encrypted, zero port forwarding, zero exposed IP addresses. The barista has no idea what you are doing. This is as it should be.


🔧 Bonus: SSH Config for Convenience

On any macOS or Linux device in your tailnet, you can add an entry to ~/.ssh/config for convenience:

Host mac-mini
  HostName mac-mini-m4
  User yourusername
  Port 22

Now you can type ssh mac-mini instead of the full hostname. Small comfort, but the accumulation of small comforts is the foundation of a happy engineering life.


🤖 The Constellation — Updated Status

| Device | Role | SSH | Status |
|---|---|---|---|
| Mac Mini M4 Pro | Home Base | ✅ Tailscale SSH enabled | Always-on, reachable by name |
| iPad Mini | Mobile Ground Station | ✅ SSH client installed | Roaming, connects from anywhere |

You can now command your Mac Mini from anywhere on Earth with a single SSH command, secured by Tailscale, governed by your ACL policy, and logged for posterity.

In Episode 7, we go further. We do not just run commands on the Mac Mini — we see it. We control its desktop, move its mouse, and work on it as if we were sitting right in front of it.

Enter RustDesk.

"I need a vacation."
— Arnold Schwarzenegger, True Lies.
"I need a remote desktop client."
— Also you, probably.


📡 Satellite Tailscale is a series about building your personal mesh network using Tailscale — from a coffeeshop iPad Mini to a home Mac Mini M4 Pro, and everything in between.