update ssh doc and links to cloud

docs.json

@@ -91,6 +91,7 @@
                                     "manage/access-control/rules",
                                     "manage/access-control/forwarded-headers",
                                     "manage/access-control/login-page",
+                                    "manage/ssh",
                                     "manage/geoblocking",
                                     "manage/asnblocking",
                                     "manage/access-control/mfa",

manage/access-control/approvals.mdx

@@ -10,7 +10,7 @@ import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx";
 
 
 <Note>
-	Only available in Pangolin Cloud and [Enterprise Edition](/self-host/enterprise-edition).
+	Only available in [Pangolin Cloud](https://app.pangolin.net/auth/signup) and [Enterprise Edition](/self-host/enterprise-edition).
 </Note>
 
 By default, any client configured with valid credentials can connect to an organization. To enhance security, you can enable device approvals, which require each new device to be manually approved by an administrator before it can connect.

manage/access-control/login-page.mdx

@@ -10,7 +10,7 @@ import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx";
 
 
 <Note>
-Custom auth pages are only available in Pangolin Cloud.
+Custom auth pages are only available in [Pangolin Cloud](https://app.pangolin.net/auth/signup).
 </Note>
 
 Custom organization authentication pages let you serve the login page at your own domain instead of the default `app.pangolin.net`. This provides better user experience and brand consistency.

manage/clients/fingerprinting.mdx

@@ -33,7 +33,7 @@ The following device attributes are collected on each device when available:
 ## Available Posture Checks
 
 <Note>
-	Posture checks are only collected on Pangolin Cloud and self-hosted [Enterprise Edition](/self-host/enterprise-edition).
+	Posture checks are only collected on [Pangolin Cloud](https://app.pangolin.net/auth/signup) and self-hosted [Enterprise Edition](/self-host/enterprise-edition).
 </Note>
 
 Posture checks are also collected on each platform; this is device state that

manage/domains.mdx

@@ -32,7 +32,7 @@ More about self-hosted DNS and networking can be found in the [DNS & Networking
 
 ### Domain Delegation (NS Records)
 
-<Note>Cloud & [Enterprise Edition](/self-host/enterprise-edition) Only</Note>
+<Note>[Pangolin Cloud](https://app.pangolin.net/auth/signup) & [Enterprise Edition](/self-host/enterprise-edition) Only</Note>
 
 Gives Pangolin full DNS control over your domain.
 
@@ -44,7 +44,7 @@ Domain delegation is ideal when you want Pangolin to manage your entire domain a
 
 ### Single Domain (CNAME Records)
 
-<Note>Cloud & [Enterprise Edition](/self-host/enterprise-edition) Only</Note>
+<Note>[Pangolin Cloud](https://app.pangolin.net/auth/signup) & [Enterprise Edition](/self-host/enterprise-edition) Only</Note>
 
 Single domain is limited to the exact domain you specify.
 

manage/identity-providers/add-an-idp.mdx

@@ -39,7 +39,7 @@ Here is an example using Microsoft Azure Entra ID as SSO for Pangolin:
 Organization identity providers are configured per organization and only apply to that specific organization. Each org can have its own identity providers, allowing for authentication methods based on the organization's needs.
 
 <Note>
-	Available in Pangolin Cloud and [Enterprise Edition](/self-host/enterprise-edition). For [Enterprise Edition](/self-host/enterprise-edition), you must set `app.identity_provider_mode: "org"` in the [private config file](/self-host/advanced/private-config-file#param-identity-provider-mode) `privateConfig.yml`.
+	Available in [Pangolin Cloud](https://app.pangolin.net/auth/signup) and [Enterprise Edition](/self-host/enterprise-edition). For [Enterprise Edition](/self-host/enterprise-edition), you must set `app.identity_provider_mode: "org"` in the [private config file](/self-host/advanced/private-config-file#param-identity-provider-mode) `privateConfig.yml`.
 </Note>
 
 ### Global Identity Providers
@@ -64,7 +64,7 @@ This can be used to connect to any external identity provider that supports the
 ### Google
 
 <Note>
-Google IdP is only available in Pangolin Cloud or self-hosted [Enterprise Edition](/self-host/enterprise-edition) with organization identity providers. See above to enable.
+Google IdP is only available in [Pangolin Cloud](https://app.pangolin.net/auth/signup) or self-hosted [Enterprise Edition](/self-host/enterprise-edition) with organization identity providers. See above to enable.
 </Note>
 
 Easily set up Google Workspace authentication for your organization. Users can sign in with their Google accounts and access Pangolin resources using their existing Google credentials. Perfect for organizations already using Google Workspace for email, calendar, and other services.
@@ -72,7 +72,7 @@ Easily set up Google Workspace authentication for your organization. Users can s
 ### Azure Entra ID
 
 <Note>
-Azure Entra ID IdP is only available in Pangolin Cloud or self-hosted [Enterprise Edition](/self-host/enterprise-edition) with organization identity providers. See above to enable.
+Azure Entra ID IdP is only available in [Pangolin Cloud](https://app.pangolin.net/auth/signup) or self-hosted [Enterprise Edition](/self-host/enterprise-edition) with organization identity providers. See above to enable.
 </Note>
 
 Integrate with Microsoft's enterprise identity platform to allow users to authenticate using their Azure Active Directory accounts. Ideal for organizations using Microsoft 365 or other Azure services, providing seamless single sign-on across your Microsoft ecosystem.

manage/identity-providers/azure.mdx

@@ -10,7 +10,7 @@ import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx";
 
 
 <Note>
-Azure SSO is only available on Pangolin Cloud and [Enterprise Edition](/self-host/enterprise-edition) deployments. In [Enterprise Edition](/self-host/enterprise-edition), you must set `app.identity_provider_mode: "org"` in your [private config file](/self-host/advanced/private-config-file) `privateConfig.yml`.
+Azure SSO is only available on [Pangolin Cloud](https://app.pangolin.net/auth/signup) and [Enterprise Edition](/self-host/enterprise-edition) deployments. In [Enterprise Edition](/self-host/enterprise-edition), you must set `app.identity_provider_mode: "org"` in your [private config file](/self-host/advanced/private-config-file) `privateConfig.yml`.
 </Note>
 
 The following steps will integrate Microsoft SSO using the built in Azure Entra ID identity provider in Pangolin.

manage/identity-providers/google.mdx

@@ -10,7 +10,7 @@ import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx";
 
 
 <Note>
-Google SSO is only available on Pangolin Cloud and [Enterprise Edition](/self-host/enterprise-edition) deployments. In [Enterprise Edition](/self-host/enterprise-edition), you must set `app.identity_provider_mode: "org"` in your [private config file](/self-host/advanced/private-config-file#param-use-org-only-idp) `privateConfig.yml`.
+Google SSO is only available on [Pangolin Cloud](https://app.pangolin.net/auth/signup) and [Enterprise Edition](/self-host/enterprise-edition) deployments. In [Enterprise Edition](/self-host/enterprise-edition), you must set `app.identity_provider_mode: "org"` in your [private config file](/self-host/advanced/private-config-file#param-use-org-only-idp) `privateConfig.yml`.
 </Note>
 
 The following steps will integrate Google SSO using the built in Google identity provider in Pangolin.

manage/remote-node/understanding-nodes.mdx

@@ -10,7 +10,7 @@ import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx";
 
 
 <Note>
-	Remote Nodes are available in Pangolin Cloud and self-hosted [Enterprise Edition](/self-host/enterprise-edition).
+	Remote Nodes are available in [Pangolin Cloud](https://app.pangolin.net/auth/signup) and self-hosted [Enterprise Edition](/self-host/enterprise-edition).
 </Note>
 
 Remote nodes, you run your own Pangolin node - your tunnels, SSL termination, and traffic all stay on your server and use your bandwidth. The difference is that management and monitoring are handled through our cloud or your central self-hosted [Enterprise Edition](/self-host/enterprise-edition) server. The node just handles terminating Wireguard tunnels, serving HTTP(S) traffic, and routing relayed client connections - it is essentially a remote networking hub.

manage/ssh.mdx

@@ -7,14 +7,24 @@ import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx";
 
 <PangolinCloudTocCta />
 
+<Note>
+Only available in [Pangolin Cloud](https://app.pangolin.net/auth/signup) and [Enterprise Edition](/self-host/enterprise-edition).
+</Note>
+
 ## Overview
 
 Pangolin includes a built-in SSH client so you can connect to remote servers and manage them directly from the terminal. You use your existing Pangolin identity—no separate SSH keys to create or copy. Pangolin generates and signs temporary access keys, pushes them to the remote server, and creates or updates your user account there. All of this happens automatically when you start a connection.
 
 You can SSH into any Pangolin site or private resource. Two components handle SSH on the server side:
 
-- **Newt (site connector)** — Runs as a daemon and handles SSH for the host it runs on.
+<CardGroup cols={2}>
-- **Auth daemon** — Handles SSH for other servers on the same network. It can run inside Newt or as a separate process on another machine (for example, a bastion Newt plus auth daemons on other hosts).
+  <Card title="Newt (site connector)" icon="plug" href="#option-1-newt-as-the-auth-daemon-same-host">
+    Runs as a daemon and handles SSH for the host it runs on. Use this when the machine you want to SSH into is the same server running Newt.
+  </Card>
+  <Card title="Auth daemon" icon="server" href="#option-2-external-auth-daemon-ssh-on-another-server-that-doesnt-run-newt">
+    Handles SSH for other servers on the same network. Run the auth daemon on each target host; Newt on a bastion proxies connections to them.
+  </Card>
+</CardGroup>
 
 You connect using the Pangolin CLI as the SSH client. The tunnel can be provided by the CLI or by another Pangolin client (e.g. the macOS app); you can run the GUI for the tunnel and use the CLI only for SSH if you prefer.
 
@@ -175,6 +185,8 @@ On every host that should accept Pangolin SSH (and is not running Newt), run the
 sudo pangolin auth-daemon --pre-shared-key <pre-shared-key>
 ```
 
+To use a non-default port, add `--port <port>` and set the same port in the resource’s SSH settings in the dashboard.
+
 #### Run as a systemd service
 
 Create a systemd unit so the auth daemon runs on boot:
@@ -193,7 +205,7 @@ User=root
 WantedBy=multi-user.target
 ```
 
-Replace `<pre-shared-key>` with the same value used on Newt. Then:
+Replace `<pre-shared-key>` with the same value used on Newt. If you use a custom port (set in the resource’s SSH settings), add `--port <port>` to `ExecStart`. Then:
 
 ```bash
 sudo systemctl daemon-reload
@@ -212,9 +224,13 @@ On each of these hosts, configure the SSH server as in [Configure the SSH server
 
 ### Step 4: Ensure network connectivity
 
-- **Newt → auth daemon:** Newt must be able to reach **TCP port 22123** on each server running the auth daemon (used for HTTPS between Newt and the auth daemon).
+- **Newt → auth daemon:** Newt must be able to reach the auth daemon port on each target server (default **TCP 22123**; configurable in the resource’s SSH settings and via the auth daemon’s `--port` flag).
 - **Clients → SSH:** Port **22** must be open for SSH to each target server (from wherever your users connect—often only within your private network).
 
+<Note>
+To change the auth daemon port from the default 22123, configure the port in the resource’s SSH settings in Pangolin and pass the same port with `--port` when starting the auth daemon.
+</Note>
+
 <Warning>
 These ports do not need to be exposed to the public internet. They only need to be reachable within the network where Newt and the target servers live.
 </Warning>
@@ -280,4 +296,6 @@ Pangolin derives the remote username from your Pangolin identity (the part befor
 
 ### How does Newt communicate with the external auth daemon?
 
-Newt talks to the auth daemon over **HTTPS** on **TCP 22123**. When you SSH into a server that uses the external auth daemon, Newt calls the auth daemon on that host to create or update your user and resolve principals. Port 22123 only needs to be open between Newt and the auth daemon hosts on your internal network; it should not be exposed to the internet.
+Newt talks to the auth daemon over **HTTPS**. **TCP 22123** is used by default. When you SSH into a server that uses the external auth daemon, Newt calls the auth daemon on that host to create or update your user and resolve principals. Port 22123 only needs to be open between Newt and the auth daemon hosts on your internal network; it should not be exposed to the internet.
+
+To use a different port, set the port in the resource’s SSH settings in the Pangolin dashboard and pass the same port to the auth daemon with the `--port` flag (e.g. `pangolin auth-daemon --pre-shared-key <key> --port 22124`). Newt and the auth daemon must use the same port.