by amluto 1329 days ago
Hmm. If the problem is that Tailscale SSH doesn’t strongly associate the person authenticating with the connection being authenticated, asking the person to reauthenticate seems like a pretty weak solution.

Unless I'm misunderstanding something, the check solution creates that strong association. Logging in gives you a link you have to go to and auth; authing lets your session connect. Disconnect, and you have to do this again.

No check mode reuses the auth of the Tailscale client; check mode authenticates the SSH connection itself.

And then that Tailscale client is authorized to log in over SSH for however long the check lasts, and anyone else who can initiate a TCP session over the link can also get in.