diff --git a/docs/faq.md b/docs/faq.md
index 50df4bd..03ba6b3 100644
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -66,3 +66,25 @@ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.InternetS
 ```
 
 Note that this tweak persists across reboots, so normally you'll only need to do it once per new host.
+
+## Running login/clone/pull/push commands over SSH
+
+When invoking the Tart in an SSH session, you might get error like this:
+
+>Keychain returned unsuccessful status -25308
+
+...or this:
+
+>Keychain failed to update item: User interaction is not allowed.
+
+This is because Tart uses [Keychain](https://en.wikipedia.org/wiki/Keychain_(software)) to store and retrieve OCI registry credentials by default, but Keychain is only automatically/semi-automatically unlocked in GUI sessions.
+
+To unlock the Keychain in an SSH session, run the following command, which will ask for your user's password:
+
+```shell
+security unlock-keychain
+```
+
+This command also supports the `-p` command-line argument that allows you to supply the password and unlock non-interactively, which is great for scripts.
+
+If that doesn't work for you for some reason, you can pass the credentials via the environment variables, see [Registry Authorization](integrations/vm-management.md#registry-authorization) for more details on how to do that.