Tip: How to fix "Tailscale SSH enabled, but access controls don't allow anyone to access this device"

Hi Tailscale community,

I want to share a tip for easily resolving an issue that cost me a couple of hours to figure out. (Studying the manual, modifying the ACLs, restarting tailscale daemons, getting the same error over and over again…)

Scenario

  • You have enabled Tailscale SSH
  • You have set up your ACL to allow your Tailscale account to SSH to some tagged device
  • Now you run tailscale up --ssh on the device

Problem

  • You get this message back: “Tailscale SSH enabled, but access controls don’t allow anyone to access this device”
  • And when you try to ssh to the device, you get the message, “Permission denied (tailscale).”
  • You have double- and triple-checked your ACL but everything seems fine.

Solution

On your local machine, log out from the Tailscale service and back in.

This worked for me (macOS Monterey, Tailscale app v1.26.2, Tailscale version on devices: v1.28.0).
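As an added illustration of the scenario above (not part of the original post), here is a minimal Tailscale policy file of the shape being described: the tag name tag:server and the user alice@example.com are assumed placeholders. The ssh section grants Tailscale SSH to the tagged device; the acls entry allows the underlying connection to port 22, and the tagOwners entry makes the tag assignable in the first place.

```json
{
  // Who may apply the tag to a device (assumed tag name).
  "tagOwners": {
    "tag:server": ["autogroup:admin"]
  },

  // Network-level rule: members may reach port 22 on tagged devices.
  "acls": [
    {
      "action": "accept",
      "src": ["autogroup:member"],
      "dst": ["tag:server:22"]
    }
  ],

  // Tailscale SSH rule: the assumed user may log in to the tagged
  // device as a non-root user or as root. Note the dst is the bare
  // tag, without a ":port" or ":*" suffix.
  "ssh": [
    {
      "action": "accept",
      "src": ["alice@example.com"],
      "dst": ["tag:server"],
      "users": ["autogroup:nonroot", "root"]
    }
  ]
}
```

If a policy like this is already in place and the device still reports that nobody is allowed in, the thread's observation is that the client may be holding stale policy state rather than the ACL being wrong.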

Not much to go on here to help. Want to write in to support@ with your account details and we can look at your ACLs?

Hi @bradfitz,

The ACLs are correct. The problem is the macOS Tailscale client (menubar/UI version) that kept ignoring the changes I made to the ACLs until I logged out of the client and back in.

Did you recently change tags on any of the machines? Or do you remember what the last action you took on the tailnet was before you did the relogin?

I added SSH config to the ACLs. I did not change anything else at first, but when I kept seeing the message, I tried a few other settings, with no effect. Only when I logged out and back in did the problem go away.

No tags were added, changed, or removed.

Also worth pointing out: Between logging out and logging back in, I did not change anything in the ACLs. They were valid and working after the re-login, and so they must have been valid before, too.

Looks like it’s an ACL bug in the SSH section. You probably did the same thing as me and made your destination a tag but used the tag:name:* wildcard which is accepted but isn’t being interpreted properly. If you make it just tag:name, it will begin to work. For my purposes, this is just fine, but it seems like it should allow the same syntax as the acl section.

Thanks for the suggestion, but I think the ACL config was not the problem. After re-logging into Tailscale, the ACL started working unchanged.

I finally gave up and disabled ssh.