# SSH Client for Teleport, Cloudflare Access, AWS SSM, GCP IAP & Tailscale

**Tempest** is a polished SSH client for **macOS, Windows, and Linux** that connects to your servers through every major zero-trust SSH platform: **Teleport**, **Cloudflare Access**, **AWS Systems Manager (SSM) Session Manager**, **GCP IAP TCP forwarding**, **Tailscale SSH**, **HashiCorp Vault SSH**, **HashiCorp Boundary**, and **step-ca**. You bring your enterprise SSH gateway — Tempest gives you the GUI, tabs, SFTP, port forwards, AI agent shortcuts, and a real terminal on top.

If you found this page searching for *"Teleport macOS client"*, *"Cloudflare Access SSH GUI"*, *"AWS SSM SSH client"*, *"GCP IAP SSH client"*, or *"Tailscale SSH client for Mac"* — yes, Tempest works with all of them, and below is exactly how to set each one up.

### Why use a third-party SSH client for zero-trust platforms?

Every zero-trust SSH platform ships its own CLI: `tsh ssh`, `cloudflared access ssh`, `aws ssm start-session`, `gcloud compute ssh`, `tailscale ssh`. They all *work* — but they're terminal-only, with no tabs, no SFTP browser, no port-forward UI, no per-host themes, no session history, no jump-host chaining UX, no built-in AI agent shortcuts. Tempest is a real desktop SSH client that integrates with each platform's auth flow (short-lived OpenSSH certificates, ProxyCommand tunneling, MFA prompts) without re-implementing your security policy.

### Quick start: Connect Via Presets

1. Open **Tempest** → click `+` to add a new connection
2. Click **Connect Via Presets** (top of the SSH form)
3. Pick your platform — Teleport, Cloudflare Access, AWS SSM, GCP IAP, or Tailscale
4. Fill in the wizard fields (proxy hostname, instance ID, cluster, etc.) — defaults pre-fill from the doc when applicable
5. Click **Apply** — Tempest scaffolds auth method, private key path, certificate path, and proxy command for you
6. Save and connect

Each preset is a one-shot scaffold: after Apply you can edit any field freely.

### Teleport SSH client for macOS, Windows, Linux

Tempest is a fully compatible **Teleport SSH client** that consumes the short-lived certificates issued by `tsh login`. No need to re-implement Teleport's SSO/WebAuthn flow — Tempest plugs in *after* you've authenticated with `tsh`.

**Setup:**

```bash
# One-time per work day (or however your cluster's cert TTL is configured)
tsh login --proxy=proxy.example.com
```

In Tempest:

1. **Connect Via Presets → Teleport**
2. Wizard asks for: **Teleport proxy hostname**, **Teleport user**, **Cluster name**
3. The preset fills:
   * Auth: Private Key (path mode)
   * Private key: `~/.tsh/keys/<proxy>/<user>`
   * Certificate: `~/.tsh/keys/<proxy>/<user>-ssh/<cluster>-cert.pub`
   * Proxy Command: `tsh proxy ssh -L %p:%h:0 <user>@<proxy>`
4. Set **Host** to the in-cluster server hostname

**Per-session MFA (YubiKey, hardware key)**: Tempest forwards `tsh proxy ssh`'s stderr into the SSH terminal, so when Teleport prompts you to tap your security key, the prompt appears in your Tempest tab — no missed taps, no silent timeouts.

**Cert rotation**: Tempest reads the cert from disk on every connect, so the next `tsh login` automatically refreshes credentials.

### Cloudflare Access SSH client

Tempest works as a **Cloudflare Access SSH client** by tunneling through the official `cloudflared` daemon — your existing SSH key + Cloudflare Access policy handle authentication.

**Setup:**

```bash
# One-time per Access application
cloudflared access login ssh.example.com
```

In Tempest:

1. **Connect Via Presets → Cloudflare Access**
2. Wizard asks for: **Cloudflare Access hostname** (the public hostname configured in your Access policy)
3. The preset fills:
   * Host: the hostname you entered
   * Proxy Command: `cloudflared access ssh --hostname=%h`
4. Configure your usual SSH auth (key, agent, password)

### AWS Systems Manager (SSM) SSH client

Tempest is an **AWS SSM SSH client** — connect to private EC2 instances over SSM Session Manager with no public IP, no bastion, IAM-gated. Requires the AWS CLI + Session Manager Plugin installed locally and the SSM Agent running on the target instance.

**Setup (in Tempest):**

1. **Connect Via Presets → AWS Systems Manager**
2. Wizard asks for: **EC2 instance ID** (e.g. `i-0123456789abcdef0`)
3. The preset fills:
   * Host: the instance ID (SSH host-key matching keys off it)
   * Proxy Command: `aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p`
4. Configure SSH auth as you normally would for the target instance (e.g., a private key uploaded via `EC2InstanceConnect` or a long-lived key on the AMI)

### GCP IAP TCP forwarding SSH client

Tempest is a **GCP IAP SSH client** — connect to private Compute Engine instances through Identity-Aware Proxy with no external IP. Requires `gcloud` CLI installed locally and the user holding the *IAP-secured Tunnel User* role.

**Setup (in Tempest):**

1. **Connect Via Presets → GCP IAP TCP forwarding**
2. Wizard asks for: **GCE instance name**, **Zone**, **Project ID**
3. The preset fills:
   * Host: the instance name
   * Proxy Command: `gcloud compute start-iap-tunnel %h %p --listen-on-stdin --zone=<zone> --project=<project>`
4. Configure SSH auth (works seamlessly with **GCP OS Login** if your project has it enabled)

### Tailscale SSH client for Mac, Windows, Linux

Tempest is a **Tailscale SSH client** — when `tailscaled` is running locally, Tempest connects directly to your tailnet hostnames (`*.ts.net`) or `100.x.y.z` IPs with no extra proxy needed.

**Setup (in Tempest):**

1. **Connect Via Presets → Tailscale**
2. Wizard asks for: **Tailnet hostname** (e.g. `my-server.tailnet-xxxx.ts.net`)
3. The preset fills the Host; no proxy command needed (tailscaled handles routing transparently)
4. Configure SSH auth (your normal SSH key, or — if you've enabled **Tailscale SSH** on the target — Tailscale's own short-lived certificates work via Tempest's OpenSSH cert support)

### Other compatible zero-trust SSH platforms

| Platform                               | How Tempest connects                                                                                                           |
| -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ |
| **HashiCorp Vault SSH** (signed certs) | Same as Teleport — Private Key + Certificate fields point at the cert Vault issued                                             |
| **HashiCorp Boundary**                 | Proxy Command: `boundary connect ssh -target-id=<id>`                                                                          |
| **step-ca** (Smallstep)                | OpenSSH cert format works identically — point at the cert from `step ssh login`                                                |
| **OpenSSH bastion / ProxyJump**        | Built-in **Jump Host** feature, with recursive chaining                                                                        |
| **Custom CA / SSO platform**           | If it issues OpenSSH-format certs, Tempest's Certificate field accepts them; if it requires a tunnel, Proxy Command handles it |

### How Tempest's SSH cert support works

Tempest stores either the **inline contents** of your private key + certificate (default) or **filesystem paths** to them (path mode). Path mode is the right choice for short-lived credentials like Teleport's 12h-default certs — Tempest reads the latest cert from disk on every connect, so `tsh login` rotation is invisible.

Under the hood, Tempest attaches the certificate to your private key before authentication, so the SSH server sees a standard CA-signed cert auth — exactly what `tsh ssh`, `cloudflared`, etc. produce.
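Because path mode depends on whatever cert is currently on disk, it helps to be able to read that file's validity window and principals yourself when a connect fails. The following is an added example, not Tempest's code: it parses the standard OpenSSH certificate layout for ed25519 certs only, does not verify the CA signature, and uses hypothetical names (`parse_cert`, `seconds_left`, `make_sample`) plus a constructed sample in place of a real cert file.

```python
import base64, struct, time

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _read(buf, off):
    """Read one SSH string: uint32 big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_cert(pub_line):
    """Parse identity and validity fields; the CA signature is NOT verified."""
    blob = base64.b64decode(pub_line.split()[1])
    ktype, off = _read(blob, 0)
    if ktype != CERT_TYPE:
        raise ValueError("not an ed25519 OpenSSH certificate")
    _nonce, off = _read(blob, off)
    _pubkey, off = _read(blob, off)
    serial, cert_type = struct.unpack_from(">QI", blob, off)
    key_id, off = _read(blob, off + 12)          # skip uint64 serial + uint32 type
    plist, off = _read(blob, off)
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    principals, p = [], 0
    while p < len(plist):                        # principals are nested SSH strings
        name, p = _read(plist, p)
        principals.append(name.decode())
    return {"key_id": key_id.decode(), "serial": serial, "type": cert_type,
            "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}

def seconds_left(cert, now=None):
    """Seconds until expiry; 0 if the cert is expired or not yet valid."""
    now = int(time.time() if now is None else now)
    if now < cert["valid_after"]:
        return 0
    return max(0, cert["valid_before"] - now)

def _s(b):
    return struct.pack(">I", len(b)) + b

def make_sample(valid_after, valid_before):
    """Constructed sample in certificate layout: zeroed key, empty signature."""
    body = (_s(CERT_TYPE) + _s(bytes(32)) + _s(bytes(32))
            + struct.pack(">QI", 1, 1) + _s(b"alice")
            + _s(_s(b"alice") + _s(b"root"))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") * 5)  # critical options, extensions, reserved, CA key, signature
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode() + " constructed"

if __name__ == "__main__":
    cert = parse_cert(make_sample(1_700_000_000, 1_700_000_000 + 12 * 3600))
    print(cert["principals"], seconds_left(cert, now=1_700_000_000 + 3600))
```

On a real cert file, pass its single line to `parse_cert`; a result of 0 from `seconds_left` means the credential on disk needs to be reissued before the next connect.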

### FAQ

**Is Tempest free?** Yes. The core SSH client is free; advanced features (jump host chaining, startup commands, custom proxies, monitoring, session multiplexing) require Tempest Pro.

**Does Tempest work on macOS Apple Silicon?** Yes — native Apple Silicon (M1/M2/M3/M4) builds, plus Windows and Linux. Intel Macs are no longer supported.

**Does Tempest work with Teleport's per-session MFA / YubiKey?** Yes. The MFA prompt that `tsh proxy ssh` writes to stderr is forwarded into the Tempest SSH terminal so you see "Tap your security key" in the tab.

**Does Tempest store my SSH certificate?** In *path mode*, only the file path is stored — the cert is re-read from disk on every connect. In *inline mode* the cert content is stored in Tempest's local DB (use this only for long-lived certs).

**Does Tempest run on iOS or Android?** The desktop client is the primary product. A mobile companion is on the roadmap.

**Can I import my existing OpenSSH config / known\_hosts?** Tempest has an **Import Servers** button that reads your `~/.ssh/config` and creates a host per `Host` block.

**How does Tempest compare to Termius / Royal TSX / SecureCRT?** The pitch is: those clients give you tabs and themes; Tempest gives you tabs and themes *and* native compatibility with the zero-trust SSH platform your company uses, with a one-click wizard for each.

***

*Got a zero-trust SSH platform that should work with Tempest but doesn't? Open an issue on the project tracker — most platforms are reachable via the Certificate field + a Proxy Command, and we're happy to add an official preset.*


