diff --git a/src/keys.rs b/src/keys.rs
index 59f47ff..ccd6cc6 100644
--- a/src/keys.rs
+++ b/src/keys.rs
@@ -7,6 +7,7 @@ pub enum Input {
     Down,
     Esc,
     Enter,
+    CtrlP,
     Other,
 }
 
@@ -18,6 +19,8 @@ impl From<&[u8]> for Input {
             [27, 91, 65] => Input::Up,
             [27, 91, 66] => Input::Down,
             [13] => Input::Enter,
+            // NOTE: Actual char is DLE, this happens to map to ctrl-p
+            [16] => Input::CtrlP,
             other => {
                 trace!("{other:?}");
                 Input::Other
diff --git a/src/ssh.rs b/src/ssh.rs
index 65b8b3c..7a5f150 100644
--- a/src/ssh.rs
+++ b/src/ssh.rs
@@ -122,6 +122,9 @@ impl Handler {
                     warn!("User not set");
                 }
             }
+            Input::CtrlP => {
+                self.set_access_selection(TunnelAccess::Protected).await;
+            }
             _ => {
                 return Ok(false);
             }
diff --git a/src/tunnel.rs b/src/tunnel.rs
index 923cee4..e5f3663 100644
--- a/src/tunnel.rs
+++ b/src/tunnel.rs
@@ -29,6 +29,7 @@ pub mod tui;
 #[derive(Debug, Clone)]
 pub enum TunnelAccess {
     Private(String),
+    Protected,
     Public,
 }
 
@@ -160,7 +161,7 @@ impl Service<Request<Incoming>> for Tunnels {
                 return Ok(resp);
             };
 
-            if let TunnelAccess::Private(owner) = tunnel.access.read().await.deref() {
+            if !matches!(tunnel.access.read().await.deref(), TunnelAccess::Public) {
                 let user = match s.forward_auth.check_auth(req.headers()).await {
                     Ok(AuthStatus::Authenticated(user)) => user,
                     Ok(AuthStatus::Unauthenticated(location)) => {
@@ -196,15 +197,17 @@ impl Service<Request<Incoming>> for Tunnels {
                     }
                 };
 
-                trace!("Tunnel owned by {owner} is getting accessed by {user:?}");
+                trace!("Tunnel is getting accessed by {user:?}");
 
-                if !user.is(owner) {
-                    let resp = response(
-                        StatusCode::FORBIDDEN,
-                        "You do not have permission to access this tunnel",
-                    );
+                if let TunnelAccess::Private(owner) = tunnel.access.read().await.deref() {
+                    if !user.is(owner) {
+                        let resp = response(
+                            StatusCode::FORBIDDEN,
+                            "You do not have permission to access this tunnel",
+                        );
 
-                    return Ok(resp);
+                        return Ok(resp);
+                    }
                 }
             }
 
diff --git a/src/tunnel/tui.rs b/src/tunnel/tui.rs
index c001c5e..602eb17 100644
--- a/src/tunnel/tui.rs
+++ b/src/tunnel/tui.rs
@@ -13,6 +13,7 @@ pub async fn to_row((address, tunnel): (&String, &Option<Tunnel>)) -> Vec<Span<'
     let (access, port) = if let Some(tunnel) = tunnel {
         let access = match tunnel.access.read().await.deref() {
             TunnelAccess::Private(owner) => owner.clone().yellow(),
+            TunnelAccess::Protected => "PROTECTED".blue(),
             TunnelAccess::Public => "PUBLIC".green(),
         };