cmd/tailscale/cli: flesh out "tailscale ssh" CLI docs

Per user feedback.

Fixes #5877

Change-Id: Ib70ad57ec2507244fc54745f4e43c0ce13f51e9c
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

cmd/tailscale/cli/ssh.go

@@ -28,7 +28,23 @@ var sshCmd = &ffcli.Command{
 	Name:       "ssh",
 	ShortUsage: "ssh [user@]<host> [args...]",
 	ShortHelp:  "SSH to a Tailscale machine",
-	Exec:       runSSH,
+	LongHelp: strings.TrimSpace(`
+
+The 'tailscale ssh' command is an optional wrapper around the system 'ssh'
+command that's useful in some cases. Tailscale SSH does not require its use;
+most users running the Tailscale SSH server will prefer to just use the normal
+'ssh' command or their normal SSH client.
+
+The 'tailscale ssh' wrapper adds a few things:
+
+* It resolves the destination server name in its arugments using MagicDNS,
+  even if --accept-dns=false.
+* It works in userspace-networking mode, by supplying a ProxyCommand to the
+  system 'ssh' command that connects via a pipe through tailscaled.
+* It automatically checks the destination server's SSH host key against the
+  node's SSH host key as advertised via the Tailscale coordination server.
+`),
+	Exec: runSSH,
 }
 
 func runSSH(ctx context.Context, args []string) error {