# SSH login process for CLI
## Introduction
The SSH Login to CLI feature allows authorized Vectra UI users to securely access the command-line interface (CLI) of Vectra devices using their UI username (that may will be modified by the system for use with SSH) and a short-lived SSH token. This feature provides controlled, auditable CLI access without requiring shared static credentials.
* Works the same way across all supported platforms and deployment modes:
* Physical, virtual, and cloud deployments.
* Brain, Sensor, and Stream devices.
* Connected, disconnected, and air-gapped environments.
* SSH login to the cli previously only supported a single `vectra` user.
* Tokens are time-limited, one time use (One Time Password or OTP) and expire automatically.
* The token expiration duration is configurable between 1 minute (default) and 2 hours.
## Availability
* UI users being able to login to the CLI via SSH is being introduced as a private preview feature starting in v9.8 of Vectra appliance code.
* If you are interested in joining the private preview, please reach out to your Vectra account team.
* Vectra authorized personnel must enable the feature in your deployment (this can be done remotely or via screen sharing for appliances that are not connected to the Vectra cloud.
* Customers cannot enable this feature on their own.
* The feature will be enabled by default after the private preview period.
* General Availability (GA) is targeted for v9.10.
* As long as your Vectra appliance is running v9.8 or higher, the new functionality is available in both RUX and QUX deployments.
## Roles and Permissions
* Access is controlled by the Access → **SSH Login to CLI** permission.
* By default, this permission is enabled for any user who has the **Super Admin** role.
* Additional roles may be granted this permission by editing role configuration and adding the **Access** → **SSH Login to CLI** permission..
* Users must have at least one **View** permission assigned to their role in addition to **SSH Login to CLI** to access the UI and generate a token.
* If the SSH Login to CLI permission is removed from a role, any active SSH sessions for affected users are immediately disconnected.
* Example **Manage Role** screen with the **SSH Login to CLI** permissions shown as available but not yet assigned to the Admin role below.
## User Experience Overview
* Authorized UI users can initiate SSH access using their personal SSH CLI credentials in **My Settings**.
* When connected, users are logged into the **vsupport** CLI environment with the same rights as the traditional `vectra` CLI user.
* This replaces the previous model where only the shared `vectra` user was supported.
* The traditional `vectra` user remains enabled by default for backward compatibility.
* This `vectra` user can be disabled if desired in [**CLI Access Controls**](#cli-access-controls) (link to instructions in this doc) in the **Brain Setup** portion of ***Configuration → COVERAGE → Data Sources → Network***.
### Retrieving SSH Username and Token
Navigate to **My Settings** and click **View Token**:
Ensure you use your **SSH Username** and **Copy** your **SSH Token** :
{% hint style="info" %}
**Please Note:**
Older systems may still have **My Profile** in the left hand navigation. **My Settings** has replaced **My Profile** in more recent versions. If you do not have the top navigation bar, access My Profile in the left hand navigation to reach these same settings screens.
{% endhint %}
### Example login
```language-markup
user@source_machine:~$ ssh vectra_ssh_admin@192.168.54.150
(vectra_ssh_user1@192.168.54.150) One-time password (OATH) for `vectra_ssh_admin':
Welcome to Cognito 9.8.0-6-6, up 1 day, 3 hours, 49 minutes (5.4.0-146-generic)
Open source licensing information used in this product is available at https://www.vectra.ai/opensource
Last login: Tue Jan 13 23:54:47 2026 from 192.168.52.185
Welcome to the Vectra Support CLI!
Model: VHE
Mode: brain
Update version: 9.8.0-6-6
Colossus version: 6:123438-geda6acd91f
UI version: 9.8.0-15-g1c52b9dbdb4
Cloud bridge: False
User: vectra_ssh_user1
Local time: 2026-01-14 00:37:16.769769
Use 'show commands' to get a list of available commands
Use 'help' command or ' --help' to get help
```
## Additional Technical Details
### SSH Username Format
* SSH usernames are automatically derived from the Vectra UI username.
* The format is:
* `vectra_ssh_`
* This derived username is displayed in **My Profile** and should always be copied from there.
* Some UI usernames may not be valid usernames and will be normalized by the system automatically; copying from My Profile ensures correctness.
* Username normalization rules:
* Usernames are prefixed with `vectra_ssh_`
* For email-style usernames, the `@` symbol and everything after it are removed.
* Usernames will be normalized to:
* Be 25 characters or fewer (not counting the `vectra_ssh_ prefix` that is added)
* Contain only `[a-zA-Z0-9_-.]`
* Not begin with a hyphen `-`
* If a naming conflict occurs, an incremental suffix is added (for example: `vectra_ssh_joe_2`)
* The same derived username is used consistently in system logs.
### CLI Access Controls
After navigating to *Configuration → Data Sources → Network → Brain Setup → CLI Access Controls*, administrators with proper privileges can:
* Change the password for the legacy `vectra` user
* Disable SSH access for the legacy `vectra` user.
* Configure the SSH token expiration time (between 1 minute to 2 hours).
***
## Legacy `vectra` User SSH Login Details.
* Vectra allows SSH access to Vectra Support CLI or vscli for short.
* In versions prior to v9.8, Vectra does not allow SSH CLI access with unique usernames and only supports the `vectra` user.
* An example connection string: `ssh vectra@127.0.0.1`
#### Accessing the CLI of public cloud (AWS, Azure, GCP) deployed appliances:
* Authentication for the `vectra` user is done using an SSH key pair that was used for your appliance deployment.
* The public key is stored on the appliance and you use your private key to authenticate the `vectra` user.
* Please see the deployment guide for your cloud appliance for specific details.
* The default passwords if the passwords have not been modified is available in the following knowledge base article: [Default username and passwords for Vectra appliances.](/deployment/getting-started/default-usernames-and-passwords.md)
* The brain password can and should be changed in the Vectra GUI via the steps available in the following knowledge base article: [Steps needed to change the brain CLI password.](https://support.vectra.ai/s/article/KB-VS-1240)
* The sensors passwords can and should be changed in the Vectra GUI via the steps available in the following knowledge base article: [Steps needed to change the sensor CLI password.](https://support.vectra.ai/s/article/KB-VS-1225)
## Example VSCLI commands:
The best starting point is `help` or `show commands` and ` --help` . The command list may change depending on the version and appliance mode (Brain/ Mixed / Sensor /Stream). The command to see the mode is : `show mode`.\
Here is an example of how I searching for the command to see version and showing it:
* `help`
* `show --help`
* `show version`
### Demo:
```ckeditor_codeblock
vscli > help
Documented commands (type help ):
========================================
artifact-validation del performance-test restore status-report
backup dirsync privexec set token
certificate factory-restore provision show unset
debug match reboot shutdown
Undocumented commands:
======================
exit help quit
vscli > show --help
Usage: show
Show commands group
Options:
-h, --help Show this message and exit.
Commands:
autopair Get the current device autopairing modes
aws AWS Group
azure Azure Show Group
capture-networks
capture-vlans
commands Show commands available in vsupport
dirsync show dirsync feature flag
dns Shows DNS nameservers
gcp GCP Show Group
interface Shows interface(s) status
ipmi_interface Get the ipmi interface config
ipv6 Show IPv6 group
license Show license details
mode Shows system mode
model Show system model number
proxy
raid
registration-token Get registration token.
security-mode Shows security mode
sensors Show associated sensors
serial-number Shows product serial number
stream Stream Group
system-health Verify the health of the device by running system...
traffic-validation Show Enhanced Network Traffic Validation data
version Shows product version
vpn Shows VPN state
vscli > show version
Upgrading: False
Version: 8.3.0-22-36
vscli >
```
## Support and troubleshooting
* If there are questions or concerns, please login to your [support portal](https://support.vectra.ai/s/) account to generate a ticket.
* The following knowledge base article defines support portal requirements: [Support Portal Email Requirements](https://support.vectra.ai/vectra/article/KB-VS-1713).
* If the support portal is not an option, then please email , please include the serial number of the appliance or solution to allow for a more timely response to the inquiry.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.vectra.ai/deployment/appliance-operations/ssh-login-process-for-cli.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.