majorlinux/MajorWiki
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c4d3f8e9740cea1d237e4c3a7fe164a3e9daec62
MajorWiki/05-troubleshooting/networking/tailscale-ssh-reauth-prompt.md
MajorLinux c4d3f8e974 wiki: add Tailscale SSH reauth article; update Netdata Docker alarm tuning (50 articles) 
- New: Tailscale SSH unexpected re-authentication prompt — diagnosis and fix
- Updated: netdata-docker-health-alarm-tuning — add delay: up 3m to suppress
  Nextcloud AIO PHP-FPM ~90s startup false alerts; update settings table and notes
- Updated: 05-troubleshooting/index.md and SUMMARY.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 00:12:52 -04:00

2.7 KiB
Raw Blame History

Tailscale SSH: Unexpected Re-Authentication Prompt

If a Tailscale SSH connection unexpectedly presents a browser authentication URL mid-session, the first instinct is to check the ACL policy. However, this is often a one-off Tailscale hiccup rather than a misconfiguration.

Symptoms

  • SSH connection to a fleet node displays a Tailscale auth URL: 
    To authenticate, visit: https://login.tailscale.com/a/xxxxxxxx
  • The prompt appears even though the node worked fine previously
  • Other nodes in the fleet connect without prompting

What Causes It

Tailscale SSH supports two ACL action values:

Action Behavior
accept Trusts Tailscale identity — no additional auth required
check Requires periodic browser-based re-authentication

If action: "check" is set, every session (or after token expiry) will prompt for browser auth. However, even with action: "accept", a one-off prompt can appear due to a Tailscale daemon glitch or key refresh event.

How to Diagnose

1. Verify the ACL policy

In the Tailscale admin console (or via tailscale debug acl), inspect the SSH rules. For a trusted homelab fleet, the rule should use accept:

{
    "src":    ["autogroup:member"],
    "dst":    ["autogroup:self"],
    "users":  ["autogroup:nonroot", "root"],
    "action": "accept",
}

If action is check, that is the root cause — change it to accept for trusted source/destination pairs.

2. Confirm it was a one-off

If the ACL already shows accept, the prompt was transient. Test with:

ssh <hostname> "echo ok"

No auth prompt + ok output = resolved. Note that this test is only meaningful if the previous session's auth token has expired, or you test from a different device that hasn't recently authenticated.

Fix

If ACL shows check: Change to accept in the Tailscale admin console under Access Controls. Takes effect immediately — no server changes needed.

If ACL already shows accept: No action required. The prompt was a one-off Tailscale event (daemon restart, key refresh, etc.). Monitor for recurrence.

Notes

  • Port 2222 on MajorRig exists as a hard bypass for Tailscale SSH browser auth — regular SSH over Tailscale network, bypassing Tailscale SSH entirely. This is an alternative approach if check mode is required for compliance but browser auth is too disruptive.
  • The autogroup:self destination means the rule applies when connecting from your own devices to your own devices — appropriate for a personal homelab fleet.

Related

Reference in New Issue View Git Blame Copy Permalink