Show HN: Ts-SSH – SSH over Tailscale without running the daemon (github.com)
ts-ssh solves a specific problem: accessing machines on your Tailnet from
environments where you can't install the full Tailscale daemon (like CI/CD runners or
restricted systems).
It uses Tailscale's tsnet library to establish userspace connectivity, then provides
a standard SSH experience. Works with existing workflows since it supports normal SSH
features like ProxyCommand, key auth, and terminal handling.
Some features that proved useful:
• Parallel command execution across multiple hosts
• Built-in tmux session management for multi-host work
• SCP-style file transfers
• Works on Linux/macOS/Windows (AMD64 and ARM64)
The codebase is interesting from a development perspective - it was written almost
entirely using AI tools (mainly Claude Code, with some OpenAI and Jules). Not as an
experiment, but because it actually worked well for this kind of systems programming.
Happy to discuss the workflow if anyone's curious about that aspect.
Source and binaries are on GitHub. Would appreciate feedback from anyone dealing with
similar connectivity challenges.
42 comments
[ 3.2 ms ] story [ 85.8 ms ] threadOr anything else without reviewing it.
lol @ the issue in the repo: "module declares its path as: github.com/yourusername/ts-ssh"
- 0.1.0 -> breaking changes
- 1.0.0 -> overhaul/refactor needed
I know not every case is easy but this is my rule of thumb. I've honestly never needed a major version change
- x.y.Z (patch) -> backward compatible bug fixes
- x.Y.z (minor) -> backward compatible new features
- X.y.z (major) -> breaking changes
But of course it's fine to use whatever versioning scheme you like, as long as you communicate it to your consumers.
https://semver.org/
Edit: updated the version strings for clarity.
0.1.0 - I rearchitected the bug
1.0.0 - The bug is integral to the codebase.
I want to ssh into a windows box that I only have a normal user account on. So I can’t (and don’t want to) change any admin settings or install anything as admin.
All the obvious approaches hit roadblocks.
Seems like this tool solves the opposite problem: sshing out from a minimally privledged environment.
Totally serious question: would you feel better about this piece of software, if you didn't know that it was vibe coded?
Do we need "build without AI" stickers on every piece of software created these days?
That said coderabbit's pretty damn impressive for just generally reviewing PR's and catching shit for human review.
This of course not considering the quality or anything else.
Yes, I think projects that are coded wholly or in part by LLMs should be noted as such.
I.e. just because it's human doesn't mean it's any more secure.
As in, I cannot simply sign up with my own personal identifiers (email, phone, etc.) but need to participate in a google auth or FB auth mechanism ?
I found it hard to believe - is this, indeed, the case ?
Google, Microsoft, Github, Apple or your own OIDC Provider.
They do not have their own account backend.
So you dont technically need a FAANG account if you have a Gitea, Gitlab, Authentik Account or something like that.
[1]: https://tailscale.com/kb/1240/sso-custom-oidc
[2]: https://tailscale.com/blog/sso-tax-cut
It's a weird process and not particularly user friendly (passkey accounts are tied to a specific passkey and can't have additional ones added, so you need to create a new account if you, say, migrate from one hardware key to another). Hopefully they improve the process before passkey support goes out of beta.
[0] https://tailscale.com/kb/1269/passkeys
Though I suppose there is the potential problem of identitiy collision due to public key resuse unless the keys were generated serverside to guarantee uniqueness.
Anytime I've submitted with both url + body the body is posted as a comment.