Skip to main content

Try free on Pangolin Cloud

Fastest way to get started with Pangolin using the hosted control plane. No credit card required.
Only available in Pangolin Cloud and Enterprise Edition.
Private SSH resources let users connect to remote hosts from their terminal over the Pangolin tunnel. Unlike public SSH resources, private SSH is not browser-rendered.

How It Works

  1. The user connects with the Pangolin client (GUI or CLI).
  2. They run pangolin ssh <alias> where the alias matches the private resource.
  3. Pangolin checks the user’s identity from the active client connection and enforces private resource access rules (users, roles, machines).
  4. Depending on the SSH configuration, Pangolin generates a short-lived certificate and provisions the user on the host, or the user authenticates with existing host credentials.
  5. An SSH session opens through the tunnel.
The Pangolin client provides the tunnel; the CLI handles certificate generation, user provisioning, and the SSH session itself. No manual SSH key distribution is required when using automated provisioning.
pangolin ssh <resource-alias>
The tunnel can be provided by the CLI or by another Pangolin client (for example the macOS app). You can run the GUI for the tunnel and use the CLI only for SSH.

Destination and Access

Create a private resource with a destination (IP or FQDN) for the host you want to SSH into. Assign an alias so users have a friendly name to pass to pangolin ssh. Grant access to users or roles and ensure TCP 22 is allowed in port restrictions.
If TCP 22 is not allowed in the resource’s port restrictions, users will not be able to establish SSH sessions to that resource even when the rest of the setup is correct.

Site and Host Configuration

SSH private resources do not use discrete targets. Instead, you:
  1. Select which sites can route to the resource.
  2. Enter the backend host and port—unless you selected Pangolin SSH mode, which executes sessions on the site connector host and does not require a host or port.
Pangolin SSH mode requires root. Newt must run as root on the site connector host. Use sudo newt ... or run the Newt systemd service as root. See Install a site.
Pangolin routes through the site that is online and healthiest. See Multi-site Routing.

SSH Configuration

The SSH settings on a private resource use the same options as public SSH resources. Mode, authentication method, and auth daemon location are configured identically in the dashboard. See SSH Access for a full explanation of each option, setup instructions, and an example for every configuration combination.

How Private SSH Differs from Public SSH

Private SSHPublic SSH
AccessPangolin CLI: pangolin ssh <alias>Web browser at a public FQDN
Client requiredYes — user must be connected with the Pangolin clientNo
Auth layerIdentity from the active client connection; private resource access rulesPublic resource authentication — login page, SSO, access rules
Manual auth stepCredentials handled by the SSH client or certificate flowUsername/password or private key entered in a browser form after the public auth layer
HostnameAlias on the private resourcePublic FQDN on your Pangolin domain
Port restrictionsTCP 22 must be allowed in port restrictionsNot applicable