---
name: feedback_tailscale_ssh_reauth
description: "The recurring ~12h \"Tailscale SSH requires an additional check\" is the ACL check action, not key expiry; fix is admin-console ACL check→accept"
metadata: 
  node_type: memory
  type: reference
  originSessionId: f6b5d2b8-94fd-4193-ba95-68aa32076e95
---

The recurring **"Tailscale SSH requires an additional check / visit login.tailscale.com/a/..."** that breaks lab SSH (`ssh cameronsmith@100.74.71.38`) roughly every 12h is the tailnet **ACL `ssh` rule's `action: "check"`** (checkPeriod default 12h). It is NOT node key expiry — node keys last to ~2026-12-18.

**To make SSH re-auth infinite (Cameron asked 2026-06-24):** in the Tailscale admin console ACL editor (`login.tailscale.com/admin/acls/file`), change the `ssh` rule `"action": "check"` → `"action": "accept"` (or keep `check` with a long `"checkPeriod"` like `"168h"`). `accept` removes the periodic browser re-auth entirely for member→own-device SSH.

**Can't do it programmatically from the fleet:** no Tailscale API token exists in `agents_stuff`/`vault`/lab/env (checked 2026-06-24). To let an agent apply it via `PATCH /api/v2/tailnet/-/acl`, Cameron must first generate an API access token (admin console → Settings → Keys).

Tailnet = `tail2a8ee0.ts.net` (owner omid.smith.cameron@gmail.com). Members: omid-fleet (VPS 100.93.75.110), phe108-yuewang-01 (lab 100.74.71.38), camerons-macbook-pro, puget-232243-01. Related: [[feedback_code_lives_on_lab]].
