SSH login process for CLI

This article discusses how users can access the Vectra Support Command Line Interface (vscli) on Vectra appliances.

Introduction

The SSH Login to CLI feature allows authorized Vectra UI users to securely access the command-line interface (CLI) of Vectra devices using their UI username (that may will be modified by the system for use with SSH) and a short-lived SSH token. This feature provides controlled, auditable CLI access without requiring shared static credentials.

Works the same way across all supported platforms and deployment modes:
- Physical, virtual, and cloud deployments.
- Brain, Sensor, and Stream devices.
- Connected, disconnected, and air-gapped environments.
SSH login to the cli previously only supported a single vectra user.
Tokens are time-limited, one time use (One Time Password or OTP) and expire automatically.
- The token expiration duration is configurable between 1 minute (default) and 2 hours.

Availability

UI users being able to login to the CLI via SSH is being introduced as a private preview feature starting in v9.8 of Vectra appliance code.
- If you are interested in joining the private preview, please reach out to your Vectra account team.
  - Vectra authorized personnel must enable the feature in your deployment (this can be done remotely or via screen sharing for appliances that are not connected to the Vectra cloud.
  - Customers cannot enable this feature on their own.
- The feature will be enabled by default after the private preview period.
- General Availability (GA) is targeted for v9.10.
As long as your Vectra appliance is running v9.8 or higher, the new functionality is available in both RUX and QUX deployments.

Roles and Permissions

Access is controlled by the Access → SSH Login to CLI permission.
- By default, this permission is enabled for any user who has the Super Admin role.
- Additional roles may be granted this permission by editing role configuration and adding the Access → SSH Login to CLI permission..
- Users must have at least one View permission assigned to their role in addition to SSH Login to CLI to access the UI and generate a token.
If the SSH Login to CLI permission is removed from a role, any active SSH sessions for affected users are immediately disconnected.
Example Manage Role screen with the SSH Login to CLI permissions shown as available but not yet assigned to the Admin role below.

User Experience Overview

Authorized UI users can initiate SSH access using their personal SSH CLI credentials in My Profile.
When connected, users are logged into the vsupport CLI environment with the same rights as the traditional vectra CLI user.
This replaces the previous model where only the shared vectra user was supported.
The traditional vectra user remains enabled by default for backward compatibility.
- This vectra user can be disabled if desired in CLI Access Controls (link to instructions in this doc) in the Brain Setup portion of Configuration → Data Sources → Network.

Retrieving SSH Username and Token

Navigate to My Profile and click View Token:

Ensure you use your SSH Username and copy your SSH Token :

user@source_machine:~$ ssh [email protected]
([email protected]) One-time password (OATH) for `vectra_ssh_admin':
Welcome to Cognito 9.8.0-6-6, up 1 day, 3 hours, 49 minutes (5.4.0-146-generic)
Open source licensing information used in this product is available at https://www.vectra.ai/opensource
Last login: Tue Jan 13 23:54:47 2026 from 192.168.52.185
Welcome to the Vectra Support CLI!
  Model:            VHE
  Mode:             brain
  Update version:   9.8.0-6-6
  Colossus version: 6:123438-geda6acd91f
  UI version:       9.8.0-15-g1c52b9dbdb4
  Cloud bridge:     False
  User:             vectra_ssh_user1
  Local time:       2026-01-14 00:37:16.769769
  Use 'show commands' to get a list of available commands
  Use 'help' command or '<command> --help' to get help

Additional Technical Details

SSH Username Format

SSH usernames are automatically derived from the Vectra UI username.
The format is:
- vectra_ssh_<username>
This derived username is displayed in My Profile and should always be copied from there.
- Some UI usernames may not be valid usernames and will be normalized by the system automatically; copying from My Profile ensures correctness.
Username normalization rules:
- Usernames are prefixed with vectra_ssh_
- For email-style usernames, the @ symbol and everything after it are removed.
- Usernames will be normalized to:
  - Be 25 characters or fewer (not counting the vectra_ssh_ prefix that is added)
  - Contain only [a-zA-Z0-9_-.]
  - Not begin with a hyphen -
  - If a naming conflict occurs, an incremental suffix is added (for example: vectra_ssh_joe_2)
The same derived username is used consistently in system logs.

CLI Access Controls

After navigating to Configuration → Data Sources → Network → Brain Setup → CLI Access Controls, administrators with proper privileges can:

Change the password for the legacy vectra user
Disable SSH access for the legacy vectra user.
Configure the SSH token expiration time (between 1 minute to 2 hours).

Vectra allows SSH access to Vectra Support CLI or vscli for short.
In versions prior to v9.8, Vectra does not allow SSH CLI access with unique usernames and only supports the vectra user.
- An example connection string: ssh [email protected]

Accessing the CLI of public cloud (AWS, Azure, GCP) deployed appliances:

Authentication for the vectra user is done using an SSH key pair that was used for your appliance deployment.
- The public key is stored on the appliance and you use your private key to authenticate the vectra user.
Please see the deployment guide for your cloud appliance for specific details.
The default passwords if the passwords have not been modified is available in the following knowledge base article: Default username and passwords for Vectra appliances.
The brain password can and should be changed in the Vectra GUI via the steps available in the following knowledge base article: Steps needed to change the brain CLI password.
The sensors passwords can and should be changed in the Vectra GUI via the steps available in the following knowledge base article: Steps needed to change the sensor CLI password.

Example VSCLI commands:

The best starting point is help or show commands and <command> --help . The command list may change depending on the version and appliance mode (Brain/ Mixed / Sensor /Stream). The command to see the mode is : show mode. Here is an example of how I searching for the command to see version and showing it:

help
show --help
show version

Demo:

vscli > help

Documented commands (type help <topic>):
========================================
artifact-validation  del              performance-test  restore   status-report
backup               dirsync          privexec          set       token
certificate          factory-restore  provision         show      unset
debug                match            reboot            shutdown

Undocumented commands:
======================
exit  help  quit

vscli > show --help
Usage:  show

  Show commands group

Options:
  -h, --help  Show this message and exit.

Commands:
  autopair            Get the current device autopairing modes
  aws                 AWS Group
  azure               Azure Show Group
  capture-networks
  capture-vlans
  commands            Show commands available in vsupport
  dirsync             show dirsync feature flag
  dns                 Shows DNS nameservers
  gcp                 GCP Show Group
  interface           Shows interface(s) status
  ipmi_interface      Get the ipmi interface config
  ipv6                Show IPv6 group
  license             Show license details
  mode                Shows system mode
  model               Show system model number
  proxy
  raid
  registration-token  Get registration token.
  security-mode       Shows security mode
  sensors             Show associated sensors
  serial-number       Shows product serial number
  stream              Stream Group
  system-health       Verify the health of the device by running system...
  traffic-validation  Show Enhanced Network Traffic Validation data
  version             Shows product version
  vpn                 Shows VPN state
vscli > show version
Upgrading: False
Version: 8.3.0-22-36
vscli >

Support and troubleshooting

If there are questions or concerns, please login to your support portal account to generate a ticket.
The following knowledge base article defines support portal requirements: Support Portal Email Requirements.
If the support portal is not an option, then please email [email protected], please include the serial number of the appliance or solution to allow for a more timely response to the inquiry.

PreviousUnpairing Sensor from Brain NextConsole access on appliances

Last updated 2 days ago

Was this helpful?

Good evening

hashtagIntroduction

hashtagAvailability

hashtagRoles and Permissions

hashtagUser Experience Overview

hashtagRetrieving SSH Username and Token

hashtagExample login

hashtagAdditional Technical Details

hashtagSSH Username Format

hashtagCLI Access Controls

hashtagLegacy vectra User SSH Login Details.

hashtagAccessing the CLI of public cloud (AWS, Azure, GCP) deployed appliances:

hashtagExample VSCLI commands:

hashtagDemo:

hashtagSupport and troubleshooting