# SSH login process for CLI ## Introduction The SSH Login to CLI feature allows authorized Vectra UI users to securely access the command-line interface (CLI) of Vectra devices using their UI username (that may will be modified by the system for use with SSH) and a short-lived SSH token. This feature provides controlled, auditable CLI access without requiring shared static credentials. * Works the same way across all supported platforms and deployment modes: * Physical, virtual, and cloud deployments. * Brain, Sensor, and Stream devices. * Connected, disconnected, and air-gapped environments. * SSH login to the cli previously only supported a single `vectra` user. * Tokens are time-limited, one time use (One Time Password or OTP) and expire automatically. * The token expiration duration is configurable between 1 minute (default) and 2 hours. ## Availability * UI users being able to login to the CLI via SSH is being introduced as a private preview feature starting in v9.8 of Vectra appliance code. * If you are interested in joining the private preview, please reach out to your Vectra account team. * Vectra authorized personnel must enable the feature in your deployment (this can be done remotely or via screen sharing for appliances that are not connected to the Vectra cloud. * Customers cannot enable this feature on their own. * The feature will be enabled by default after the private preview period. * General Availability (GA) is targeted for v9.10. * As long as your Vectra appliance is running v9.8 or higher, the new functionality is available in both RUX and QUX deployments. ## Roles and Permissions * Access is controlled by the Access → **SSH Login to CLI** permission. * By default, this permission is enabled for any user who has the **Super Admin** role. * Additional roles may be granted this permission by editing role configuration and adding the **Access** → **SSH Login to CLI** permission.. * Users must have at least one **View** permission assigned to their role in addition to **SSH Login to CLI** to access the UI and generate a token. * If the SSH Login to CLI permission is removed from a role, any active SSH sessions for affected users are immediately disconnected. * Example **Manage Role** screen with the **SSH Login to CLI** permissions shown as available but not yet assigned to the Admin role below. ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-1ee15bd8e3f7d8cb78eb01debd78235574d2afd6%2F5f67aea31f948d8cb0ecaf82feb61014f26a353b7b8f09475e713e10854f5595.jpg?alt=media) ## User Experience Overview * Authorized UI users can initiate SSH access using their personal SSH CLI credentials in **My Profile**. * When connected, users are logged into the **vsupport** CLI environment with the same rights as the traditional vectra CLI user. * This replaces the previous model where only the shared `vectra` user was supported. * The traditional `vectra` user remains enabled by default for backward compatibility. * This `vectra` user can be disabled if desired in [**CLI Access Controls**](#cli-access-controls) (link to instructions in this doc) in the **Brain Setup** portion of ***Configuration → Data Sources → Network***. ### Retrieving SSH Username and Token Navigate to **My Profile** and click **View Token**: ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-a6f537de78eb30b1c4454c603981949b9d72b222%2F6144ccdd882ed32f9a9f674c8324928b079d494c8c65b91f9ea12ead446b5d04.jpg?alt=media) Ensure you use your **SSH Username** and copy your **SSH Token** : ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-2d25098e0d928c489a335d5591ee00febfb5dfd5%2F1c1fc38e3e6bedf13432b44f31d1ba42bd22648286de380fefdc4b563a9baae3.jpg?alt=media) ### Example login ```language-markup user@source_machine:~$ ssh vectra_ssh_admin@192.168.54.150 (vectra_ssh_user1@192.168.54.150) One-time password (OATH) for `vectra_ssh_admin': Welcome to Cognito 9.8.0-6-6, up 1 day, 3 hours, 49 minutes (5.4.0-146-generic) Open source licensing information used in this product is available at https://www.vectra.ai/opensource Last login: Tue Jan 13 23:54:47 2026 from 192.168.52.185 Welcome to the Vectra Support CLI! Model: VHE Mode: brain Update version: 9.8.0-6-6 Colossus version: 6:123438-geda6acd91f UI version: 9.8.0-15-g1c52b9dbdb4 Cloud bridge: False User: vectra_ssh_user1 Local time: 2026-01-14 00:37:16.769769 Use 'show commands' to get a list of available commands Use 'help' command or ' --help' to get help ``` ## Additional Technical Details ### SSH Username Format * SSH usernames are automatically derived from the Vectra UI username. * The format is: * `vectra_ssh_` * This derived username is displayed in **My Profile** and should always be copied from there. * Some UI usernames may not be valid usernames and will be normalized by the system automatically; copying from My Profile ensures correctness. * Username normalization rules: * Usernames are prefixed with `vectra_ssh_` * For email-style usernames, the `@` symbol and everything after it are removed. * Usernames will be normalized to: * Be 25 characters or fewer (not counting the `vectra_ssh_ prefix` that is added) * Contain only `[a-zA-Z0-9_-.]` * Not begin with a hyphen `-` * If a naming conflict occurs, an incremental suffix is added (for example: `vectra_ssh_joe_2`) * The same derived username is used consistently in system logs. ### CLI Access Controls After navigating to *Configuration → Data Sources → Network → Brain Setup → CLI Access Controls*, administrators with proper privileges can: * Change the password for the legacy `vectra` user * Disable SSH access for the legacy `vectra` user. * Configure the SSH token expiration time (between 1 minute to 2 hours). ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-e85f37411e6873a39d1061b01b80392869556fd1%2F7947601ca9f5bf74ef0460b90bd2db44238a1c1f50a37e6267832f3be2c27a91.jpg?alt=media) *** ## Legacy `vectra` User SSH Login Details. * Vectra allows SSH access to Vectra Support CLI or vscli for short. * In versions prior to v9.8, Vectra does not allow SSH CLI access with unique usernames and only supports the `vectra` user. * An example connection string: `ssh vectra@127.0.0.1` #### Accessing the CLI of public cloud (AWS, Azure, GCP) deployed appliances: * Authentication for the `vectra` user is done using an SSH key pair that was used for your appliance deployment. * The public key is stored on the appliance and you use your private key to authenticate the `vectra` user. * Please see the deployment guide for your cloud appliance for specific details. * The default passwords if the passwords have not been modified is available in the following knowledge base article: [Default username and passwords for Vectra appliances.](https://docs.vectra.ai/deployment/getting-started/default-usernames-and-passwords) * The brain password can and should be changed in the Vectra GUI via the steps available in the following knowledge base article: [Steps needed to change the brain CLI password.](https://support.vectra.ai/s/article/KB-VS-1240) * The sensors passwords can and should be changed in the Vectra GUI via the steps available in the following knowledge base article: [Steps needed to change the sensor CLI password.](https://support.vectra.ai/s/article/KB-VS-1225) ## Example VSCLI commands: The best starting point is `help` or `show commands` and ` --help` . The command list may change depending on the version and appliance mode (Brain/ Mixed / Sensor /Stream). The command to see the mode is : `show mode`.\ Here is an example of how I searching for the command to see version and showing it: * `help` * `show --help` * `show version` ### Demo: ```ckeditor_codeblock vscli > help Documented commands (type help ): ======================================== artifact-validation del performance-test restore status-report backup dirsync privexec set token certificate factory-restore provision show unset debug match reboot shutdown Undocumented commands: ====================== exit help quit vscli > show --help Usage: show Show commands group Options: -h, --help Show this message and exit. Commands: autopair Get the current device autopairing modes aws AWS Group azure Azure Show Group capture-networks capture-vlans commands Show commands available in vsupport dirsync show dirsync feature flag dns Shows DNS nameservers gcp GCP Show Group interface Shows interface(s) status ipmi_interface Get the ipmi interface config ipv6 Show IPv6 group license Show license details mode Shows system mode model Show system model number proxy raid registration-token Get registration token. security-mode Shows security mode sensors Show associated sensors serial-number Shows product serial number stream Stream Group system-health Verify the health of the device by running system... traffic-validation Show Enhanced Network Traffic Validation data version Shows product version vpn Shows VPN state vscli > show version Upgrading: False Version: 8.3.0-22-36 vscli > ``` ## Support and troubleshooting * If there are questions or concerns, please login to your [support portal](https://support.vectra.ai/s/) account to generate a ticket. * The following knowledge base article defines support portal requirements: [Support Portal Email Requirements](https://support.vectra.ai/vectra/article/KB-VS-1713). * If the support portal is not an option, then please email , please include the serial number of the appliance or solution to allow for a more timely response to the inquiry.