SSH Client for Teleport, Cloudflare Access, AWS SSM, GCP IAP & Tailscale

Tempest works with Teleport, Cloudflare Access, AWS SSM, GCP IAP, and Tailscale via OpenSSH cert auth and ProxyCommand wizards.

Tempest is a polished SSH client for macOS, Windows, and Linux that connects to your servers through every major zero-trust SSH platform: Teleport, Cloudflare Access, AWS Systems Manager (SSM) Session Manager, GCP IAP TCP forwarding, Tailscale SSH, HashiCorp Vault SSH, HashiCorp Boundary, and step-ca. You bring your enterprise SSH gateway — Tempest gives you the GUI, tabs, SFTP, port forwards, AI agent shortcuts, and a real terminal on top.

If you found this page searching for "Teleport macOS client", "Cloudflare Access SSH GUI", "AWS SSM SSH client", "GCP IAP SSH client", or "Tailscale SSH client for Mac" — yes, Tempest works with all of them, and below is exactly how to set each one up.

Why use a third-party SSH client for zero-trust platforms?

Every zero-trust SSH platform ships its own CLI: tsh ssh, cloudflared access ssh, aws ssm start-session, gcloud compute ssh, tailscale ssh. They all work — but they're terminal-only, with no tabs, no SFTP browser, no port-forward UI, no per-host themes, no session history, no jump-host chaining UX, no built-in AI agent shortcuts. Tempest is a real desktop SSH client that integrates with each platform's auth flow (short-lived OpenSSH certificates, ProxyCommand tunneling, MFA prompts) without re-implementing your security policy.

Quick start: Connect Via Presets

  1. Open Tempest → click + to add a new connection

  2. Click Connect Via Presets (top of the SSH form)

  3. Pick your platform — Teleport, Cloudflare Access, AWS SSM, GCP IAP, or Tailscale

  4. Fill in the wizard fields (proxy hostname, instance ID, cluster, etc.) — defaults pre-fill from the doc when applicable

  5. Click Apply — Tempest scaffolds auth method, private key path, certificate path, and proxy command for you

  6. Save and connect

Each preset is a one-shot scaffold: after Apply you can edit any field freely.

Teleport SSH client for macOS, Windows, Linux

Tempest is a fully compatible Teleport SSH client that consumes the short-lived certificates issued by tsh login. No need to re-implement Teleport's SSO/WebAuthn flow — Tempest plugs in after you've authenticated with tsh.

Setup:

In Tempest:

  1. Connect Via Presets → Teleport

  2. Wizard asks for: Teleport proxy hostname, Teleport user, Cluster name

  3. The preset fills:

    • Auth: Private Key (path mode)

    • Private key: ~/.tsh/keys/<proxy>/<user>

    • Certificate: ~/.tsh/keys/<proxy>/<user>-ssh/<cluster>-cert.pub

    • Proxy Command: tsh proxy ssh -L %p:%h:0 <user>@<proxy>

  4. Set Host to the in-cluster server hostname

Per-session MFA (YubiKey, hardware key): Tempest forwards tsh proxy ssh's stderr into the SSH terminal, so when Teleport prompts you to tap your security key, the prompt appears in your Tempest tab — no missed taps, no silent timeouts.

Cert rotation: Tempest reads the cert from disk on every connect, so the next tsh login automatically refreshes credentials.

Cloudflare Access SSH client

Tempest works as a Cloudflare Access SSH client by tunneling through the official cloudflared daemon — your existing SSH key + Cloudflare Access policy handle authentication.

Setup:

In Tempest:

  1. Connect Via Presets → Cloudflare Access

  2. Wizard asks for: Cloudflare Access hostname (the public hostname configured in your Access policy)

  3. The preset fills:

    • Host: the hostname you entered

    • Proxy Command: cloudflared access ssh --hostname=%h

  4. Configure your usual SSH auth (key, agent, password)

AWS Systems Manager (SSM) SSH client

Tempest is an AWS SSM SSH client — connect to private EC2 instances over SSM Session Manager with no public IP, no bastion, IAM-gated. Requires the AWS CLI + Session Manager Plugin installed locally and the SSM Agent running on the target instance.

Setup:

In Tempest:

  1. Connect Via Presets → AWS Systems Manager

  2. Wizard asks for: EC2 instance ID (e.g. i-0123456789abcdef0)

  3. The preset fills:

    • Host: the instance ID (SSH host-key matching keys off it)

    • Proxy Command: aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p

  4. Configure SSH auth as you normally would for the target instance (e.g., a private key uploaded via EC2 Instance Connect or a long-lived key on the AMI)

GCP IAP TCP forwarding SSH client

Tempest is a GCP IAP SSH client — connect to private Compute Engine instances through Identity-Aware Proxy with no external IP. Requires gcloud CLI installed locally and the user holding the IAP-secured Tunnel User role.

Setup:

In Tempest:

  1. Connect Via Presets → GCP IAP TCP forwarding

  2. Wizard asks for: GCE instance name, Zone, Project ID

  3. The preset fills:

    • Host: the instance name

    • Proxy Command: gcloud compute start-iap-tunnel %h %p --listen-on-stdin --zone=<zone> --project=<project>

  4. Configure SSH auth (works seamlessly with GCP OS Login if your project has it enabled)

Tailscale SSH client for Mac, Windows, Linux

Tempest is a Tailscale SSH client — when tailscaled is running locally, Tempest connects directly to your tailnet hostnames (*.ts.net) or 100.x.y.z IPs with no extra proxy needed.

Setup:

In Tempest:

  1. Connect Via Presets → Tailscale

  2. Wizard asks for: Tailnet hostname (e.g. my-server.tailnet-xxxx.ts.net)

  3. The preset fills the Host; no proxy command needed (tailscaled handles routing transparently)

  4. Configure SSH auth (your normal SSH key, or — if you've enabled Tailscale SSH on the target — Tailscale's own short-lived certificates work via Tempest's OpenSSH cert support)

Other compatible zero-trust SSH platforms

| Platform | How Tempest connects |
| --- | --- |
| HashiCorp Vault SSH (signed certs) | Same as Teleport — Private Key + Certificate fields point at the cert Vault issued |
| HashiCorp Boundary | Proxy Command: boundary connect ssh -target-id=<id> |
| step-ca (Smallstep) | OpenSSH cert format works identically — point at the cert from step ssh login |
| OpenSSH bastion / ProxyJump | Built-in Jump Host feature, with recursive chaining |
| Custom CA / SSO platform | If it issues OpenSSH-format certs, Tempest's Certificate field accepts them; if it requires a tunnel, Proxy Command handles it |

How Tempest's SSH cert support works

Tempest stores either the inline contents of your private key + certificate (default) or filesystem paths to them (path mode). Path mode is the right choice for short-lived credentials like Teleport's 12h-default certs — Tempest reads the latest cert from disk on every connect, so tsh login rotation is invisible.

Under the hood, Tempest attaches the certificate to your private key before authentication, so the SSH server sees a standard CA-signed cert auth — exactly what tsh ssh, cloudflared, etc. produce.
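Since path mode re-reads the certificate on every connect, inspecting the file on disk shows whether a rejected login is just an expired or wrongly scoped certificate. The following is an added example, not Tempest's or Teleport's code: it parses a *-cert.pub line using the field layout from OpenSSH's PROTOCOL.certkeys and reports principals and the validity window. The sample certificate is constructed with dummy key and signature bytes (the 12-hour window mirrors the default mentioned above), and the CA signature is not verified.

```python
import base64, struct, time
# Number of length-prefixed public-key fields per certificate type (PROTOCOL.certkeys).
PUBKEY_FIELDS = {"ssh-ed25519-cert-v01@openssh.com": 1, "ssh-rsa-cert-v01@openssh.com": 2,
                 "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2}

def _read(buf, off):
    """Read one SSH wire string (uint32 length + bytes); return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_cert(line):
    """Parse the '<type> <base64> [comment]' line of a *-cert.pub file."""
    kind, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    name, off = _read(blob, 0)
    if kind not in PUBKEY_FIELDS or name.decode() != kind:
        raise ValueError("unsupported or mismatched certificate type")
    for _ in range(1 + PUBKEY_FIELDS[kind]):      # skip nonce + public-key fields
        _, off = _read(blob, off)
    serial, ctype = struct.unpack_from(">QI", blob, off)
    key_id, off = _read(blob, off + 12)
    plist, off = _read(blob, off)                 # packed list of principal strings
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    principals, p = [], 0
    while p < len(plist):
        item, p = _read(plist, p)
        principals.append(item.decode())
    return {"serial": serial, "type": {1: "user", 2: "host"}.get(ctype, "unknown"),
            "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}

def cert_status(cert, now=None):
    """A certificate is usable while valid_after <= now < valid_before (Unix seconds)."""
    now = int(time.time()) if now is None else now
    if now < cert["valid_after"]:
        return "not-yet-valid"
    return "expired" if now >= cert["valid_before"] else "valid"

def _s(b):
    return struct.pack(">I", len(b)) + b

def build_sample_cert(valid_after, valid_before):
    """Constructed sample: dummy nonce, key and signature; not a usable credential."""
    kind = b"ssh-ed25519-cert-v01@openssh.com"
    blob = (_s(kind) + _s(b"\x00" * 32) + _s(b"\x01" * 32) + struct.pack(">QI", 7, 1)
            + _s(b"alice@example") + _s(_s(b"alice") + _s(b"root"))
            + struct.pack(">QQ", valid_after, valid_before) + _s(b"") * 3 + _s(b"ca") + _s(b"sig"))
    return f"{kind.decode()} {base64.b64encode(blob).decode()} constructed-sample"
```

On a machine with OpenSSH installed, ssh-keygen -L -f <certificate file> prints the same fields.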

FAQ

Is Tempest free? Yes. The core SSH client is free; advanced features (jump host chaining, startup commands, custom proxies, monitoring, session multiplexing) require Tempest Pro.

Does Tempest work on macOS Apple Silicon? Yes — native Apple Silicon (M1/M2/M3/M4) builds, plus Windows and Linux. Intel Macs are no longer supported.

Does Tempest work with Teleport's per-session MFA / YubiKey? Yes. The MFA prompt that tsh proxy ssh writes to stderr is forwarded into the Tempest SSH terminal so you see "Tap your security key" in the tab.

Does Tempest store my SSH certificate? In path mode, only the file path is stored — the cert is re-read from disk on every connect. In inline mode the cert content is stored in Tempest's local DB (use this only for long-lived certs).

Does Tempest run on iOS or Android? The desktop client is the primary product. A mobile companion is on the roadmap.

Can I import my existing OpenSSH config / known_hosts? Tempest has an Import Servers button that reads your ~/.ssh/config and creates a host per Host block.

How does Tempest compare to Termius / Royal TSX / SecureCRT? The pitch is: those clients give you tabs and themes; Tempest gives you tabs and themes and native compatibility with the zero-trust SSH platform your company uses, with a one-click wizard for each.


Got a zero-trust SSH platform that should work with Tempest but doesn't? Open an issue on the project tracker — most platforms are reachable via the Certificate field + a Proxy Command, and we're happy to add an official preset.
