Tailscale SSH policy doesn't seem to apply correctly | Tailscale Community | Page 1

wise pike Sep 14, 2025, 2:29 AM

#

I have tried many different SSH access control policies, including the examples, but I always get tailnet policy does not permit you to SSH to this node when attempting to use Tailscale SSH.

I am the only user in the tailnet
The server is owned and added by me
Grants/ACLs are set up properly, and work with normal SSH connections
I am attempting to connect as a normal, unprivileged user (not root)
I have used sudo tailscale set --ssh on the server, and the green ssh tag does show next to the machine in the admin dashboard
Port 22 is allowed in the Tailscale zone of my firewall

Version info (exactly the same on client and server):

❯ tailscale --version
1.88.1
  tailscale commit: 032962f4bc982fe8b6b58df01c33cf2904d07d67
  long version: 1.88.1-t032962f4b-gc5ad3b22f
  other commit: c5ad3b22fdb5813c46501f20144c6b29b61acf54
  go version: go1.25.1

It does not work even with this policy file:

{
  "grants": [
    {
      "src": ["*"],
      "dst": ["*"],
      "ip": ["*"]
    }
  ],
  "ssh": [
    {
      "action": "accept",
      "dst": ["autogroup:self"],
      "src": ["autogroup:member"],
      "users": ["autogroup:nonroot"]
    }
  ]
}

Output:

❯ ssh [redacted]@[machine name]
tailscale: tailnet policy does not permit you to SSH to this node
Connection closed by 100.88.147.107 port 22

#

Tailscale SSH policy doesn't seem to apply correctly

wise pike Sep 14, 2025, 2:55 AM

#

I don't know if I would consider it a true solution, but after disabling tailnet lock, removing all of my devices via the dashboard, then reconnecting all my devices, it works properly. I can't reproduce this anymore either.

lost notch Sep 14, 2025, 10:18 PM

#

did the server have any tags on it when you first tried?

#

if you tag a machine, it loses the human identity and its identity becomes the tags it has

#

so in that case the ssh rule would be insufficient

wise pike Sep 15, 2025, 4:44 AM

#

lost notch if you tag a machine, it loses the human identity and its identity becomes the t...

Thanks, I understand why it wasn't working now, I should've looked at the docs more closely!

In my original policy, I was using dest tag:ssh-server and sourcegroup:ssh (because you can't use check mode with tags in src). My user was in the ssh group, but I also tagged my client machine, so my user's groups did not apply.

lost notch Sep 15, 2025, 4:45 AM

#

ahh, makes sense

#

yeah, tags are weird, I don't think people expect them to work the way that they work

#Tailscale SSH policy doesn't seem to apply correctly