Set up SSH and Tailscale on a GPU Container Job
Configure SSH and Tailscale inside a GPU Container Job for persistent, secure access over Tailscale.
Configure SSH and Tailscale inside a running GPU Container Job. You can then reach it securely from your local machine over the Tailscale network.
Prerequisites
You need the following before you start:
- A running GPU Container Job. See Create a GPU Container Job.
- Root access inside the container, with sudo -s or a direct root shell.
- Your local SSH public key (~/.ssh/id_ed25519.pub on your laptop).
- Tailscale admin access to approve the node, if your access control lists (ACLs) require it.
Steps
Access the GPU Container Job
Open a shell into the running container. See Access a GPU Container Job. Then become the root user, since the next steps run as root:
sudo -s
Install the required packages
Update the system, then install the base tools and the Tailscale client:
sudo apt update -y
sudo apt install -y sudo openssh-server nano
curl -fsSL https://tailscale.com/install.sh | sudo sh
Configure SSH key-based login
Create the SSH directory:
mkdir -p /root/.ssh
chmod 700 /root/.ssh
Add your local machine's public key to authorized_keys, then lock down the permissions:
nano /root/.ssh/authorized_keys # paste the contents of ~/.ssh/id_ed25519.pub, then save
chmod 600 /root/.ssh/authorized_keys
Harden SSH
Allow key-only root login and disable password authentication:
sed -i \
-e 's/^#\?PermitRootLogin.*/PermitRootLogin yes/' \
-e 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' \
-e 's/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/' \
-e 's/^#\?UsePAM.*/UsePAM no/' \
/etc/ssh/sshd_config
Confirm the settings:
grep -E 'PermitRootLogin|PasswordAuthentication|PubkeyAuthentication|UsePAM' /etc/ssh/sshd_config
The output should be the following:
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication no
UsePAM no
Root login is enabled because these containers are accessed as root over Tailscale with key-only authentication. Do not enable password authentication.
Start Tailscale and SSH
Create the runtime directories, start tailscaled in the background, then start sshd:
mkdir -p /var/run/sshd
mkdir -p /var/run/tailscale
nohup tailscaled \
--state=/tmp/tailscale.state \
--socket=/var/run/tailscale/tailscaled.sock \
> /var/log/tailscaled.log 2>&1 & disown
/usr/sbin/sshd
Confirm both processes are running:
ps ax | grep -E 'tailscaled|sshd'
Join Tailscale
Bring the node up with a unique hostname, and any tags your Tailscale ACLs require:
tailscale up --hostname=<hostname> --advertise-tags=tag:<your-tag>
For example:
tailscale up --hostname=gpu-container-05 --advertise-tags=tag:gpu-containers
If the node is not authenticated yet, Tailscale prints a login URL. Open it and approve the device.
Verify
From inside the container, check the processes and the Tailscale status:
ps ax | grep -E 'tailscaled|sshd'
tailscale status
tailscale ip -4
From your local machine, once the node appears in the Tailscale admin console, connect over SSH:
ssh root@gpu-container-05
You connect without a password prompt, using key-based authentication only.
Help and troubleshooting
SSH fails with "Permission denied (publickey)"
Confirm the public key is in /root/.ssh/authorized_keys, with permissions 600 on the file and 700 on .ssh.
SSH connects but asks for a password
Re-run the SSH hardening sed command, then restart sshd.
tailscale up fails
Confirm tailscaled is running with ps ax | grep tailscaled, then check /var/log/tailscaled.log.
Node not visible in Tailscale
Run tailscale login, or approve the device in the admin console.
sshd won't start
Confirm /var/run/sshd exists, then check journalctl or /var/log/auth.log.
Restart SSH or Tailscale
Restart SSH after configuration changes:
pkill sshd
/usr/sbin/sshd
Restart Tailscale:
pkill tailscaled
nohup tailscaled \
--state=/tmp/tailscale.state \
--socket=/var/run/tailscale/tailscaled.sock \
> /var/log/tailscaled.log 2>&1 & disown
tailscale up --hostname=<hostname> --advertise-tags=tag:<your-tag>