Scribbles for my memory

If you enabled Tailscale's built-in SSH server with tailscale up --ssh and then realized you'd rather just use OpenSSH with a real key (no periodic browser auth to Tailscale, fewer moving parts), the way you turn it off matters.

Use this:

sudo tailscale set --ssh=false

It flips that one flag and nothing else. tailscale status stops listing the SSH service, OpenSSH is untouched, your existing tailnet connection keeps running.

The trap is reaching for tailscale up --ssh=false. up is sticky — it reapplies your full login configuration — so it can prod you to re-authenticate in the browser, and any other flags you tweaked but forgot about get reset to defaults too. set is the surgical knob for toggling a single option without disturbing the rest.

Same shape applies to other booleans Tailscale exposes (--advertise-exit-node, --accept-routes, --shields-up): once the node is up and authenticated, prefer tailscale set --flag=... over re-running tailscale up.