SSH Policies & Re-Auth
SSH policies provide fine-grained control over who can SSH to which machines and under what conditions.
Check mode (re-authentication)
When an SSH policy requires check mode, the user must re-authenticate through a browser flow before the SSH session is established. Running tuntun ssh opens a browser window to the TunTun SSO confirmation page (/auth/ssh). Once confirmed, the session proceeds.
This is useful for sensitive machines where you want to ensure the user has recently verified their identity, even if they have a valid session.
Policy configuration
SSH policies are configured under Networks → Access → SSH Rules in the dashboard. Each rule can specify source tags or machines, destination tags or machines, whether recording is required, and whether check-mode re-auth is enforced.
