diff --git a/hosts/common/programs/ssh.nix b/hosts/common/programs/ssh.nix
index f88f5faa7..8f157092f 100644
--- a/hosts/common/programs/ssh.nix
+++ b/hosts/common/programs/ssh.nix
@@ -7,6 +7,9 @@ in
 packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.openssh "ssh";
 sandbox.net = "all";
 sandbox.whitelistSsh = true;
+ # sandbox.autodetectCliPaths = "existingFile"; # to support `-o 'UserKnownHostsFile /path/...'`
+ sandbox.extraPaths = [ "/var/run/tailscale" ]; # `tailscale ssh` invokes ssh in a way that somehow calls _back_ into ts, not clear how.
+ sandbox.extraHomePaths = [ ".config/tailscale/ssh_known_hosts" ];
 suggestedPrograms = [ "ssh-agent" ];
 };
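Review bot: `sandbox.extraPaths = [ "/var/run/tailscale" ]` exposes the whole tailscale runtime directory to every sandboxed ssh invocation, not only those started by `tailscale ssh`, and its own comment says the reason is not understood. That directory normally holds the tailscaled control socket, so a sandbox that already has `sandbox.net = "all"` presumably also gains a channel to the local tailscale daemon. If the socket is the only thing needed, consider narrowing the grant to `sandbox.extraPaths = [ "/var/run/tailscale/tailscaled.sock" ];` (assuming the sandbox can bind a single socket path), and replace "not clear how" with what was observed to fail without it. The commented-out `autodetectCliPaths` line would read better as an explicit TODO stating why it is disabled. The enclosing attribute set starts outside the hunk, so whether these paths are bound read-only cannot be confirmed from here.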