Try free on Pangolin Cloud
Fastest way to get started with Pangolin using the hosted control plane. No credit card required.
Only available in Pangolin Cloud and Enterprise Edition.
How It Works
- The user connects with the Pangolin client (GUI or CLI).
- They run
pangolin ssh <alias>where the alias matches the private resource. - Pangolin checks the user’s identity from the active client connection and enforces private resource access rules (users, roles, machines).
- Depending on the SSH configuration, Pangolin generates a short-lived certificate and provisions the user on the host, or the user authenticates with existing host credentials.
- An SSH session opens through the tunnel.
Destination and Access
Create a private resource with a destination (IP or FQDN) for the host you want to SSH into. Assign an alias so users have a friendly name to pass topangolin ssh.
Grant access to users or roles and ensure TCP 22 is allowed in port restrictions.
Site and Host Configuration
SSH private resources do not use discrete targets. Instead, you:- Select which sites can route to the resource.
- Enter the backend host and port—unless you selected Pangolin SSH mode, which executes sessions on the site connector host and does not require a host or port.
SSH Configuration
The SSH settings on a private resource use the same options as public SSH resources. Mode, authentication method, and auth daemon location are configured identically in the dashboard. See SSH Access for a full explanation of each option, setup instructions, and an example for every configuration combination.How Private SSH Differs from Public SSH
| Private SSH | Public SSH | |
|---|---|---|
| Access | Pangolin CLI: pangolin ssh <alias> | Web browser at a public FQDN |
| Client required | Yes — user must be connected with the Pangolin client | No |
| Auth layer | Identity from the active client connection; private resource access rules | Public resource authentication — login page, SSO, access rules |
| Manual auth step | Credentials handled by the SSH client or certificate flow | Username/password or private key entered in a browser form after the public auth layer |
| Hostname | Alias on the private resource | Public FQDN on your Pangolin domain |
| Port restrictions | TCP 22 must be allowed in port restrictions | Not applicable |

