# SSH access

### Managing ssh access

{% hint style="info" %}
The `yarn environment:init` script handles this configuration for you automatically; see [https://github.com/opencrvs/documentation/blob/master/v2.0.0/setup/3.-installation/3.3-set-up-a-server-hosted-environment/4.3.1-create-a-github-environment](https://github.com/opencrvs/documentation/blob/master/v2.0.0/setup/3.-installation/3.3-set-up-a-server-hosted-environment/4.3.1-create-a-github-environment "mention")
{% endhint %}

SSH access is configured in the inventory file for the environment (`infrastructure/server-setup/inventory/<environment>.yml`).

The configuration file has a dedicated `users` section with the following options:

* name: OS login user name
* ssh\_keys: list of public SSH keys for the user; every key in the list is added to `~/.ssh/authorized_keys`
* state: enables or disables remote access for the user. Allowed values are:
  * `present`: the user is allowed to log in
  * `absent`: the user account is disabled
* role: access level granted to the user. Allowed values are:
  * `operator`: read-only access to the OS and full access to the Kubernetes cluster
  * `admin`: full access to the OS and the Kubernetes cluster

Here is an example configuration for the user `bob`:

```yaml
# users: Add as many users as you wish
users:
# Configuration example
- name: bob
  ssh_keys:
    - "ssh-ed25519 AAA...Q bob@opencrvs.org"
    - "ssh-ed25519 AAA...Q bob@aol.com"
  state: present
  # Allowed states:
  # - present: user is allowed to login
  # - absent: user account is disabled

  role: admin
  # Allowed roles:
  # - operator: grant read only access to OS and full access to kubernetes cluster
  # - admin: grant full access to OS and kubernetes cluster
```

### 2FA SSH Access

Now that your servers are provisioned, you can SSH in using either the IP address or the domain name, with the username configured in the inventory file. The first time you do so you will be required to set up 2FA for your server administrators.

<figure><img src="/files/5kBuM16DoYccwknuiTWM" alt=""><figcaption></figcaption></figure>

You must have the Google Authenticator app on your mobile phone. You can download this from the Google Play Store or Apple App Store.

Scan the QR code to add the server as an option in Google Authenticator, then enter the 6-digit 2FA code that is generated to access the server.

For all the initial set-up questions that are asked, accept the defaults by typing "y".

<figure><img src="/files/j6QPQnSFfrOiP2DS5enZ" alt=""><figcaption><p>QR Code for Google Authenticator</p></figcaption></figure>

<figure><img src="/files/QX9zszKSVx3F4FMvXRf0" alt=""><figcaption><p>Accept defaults</p></figcaption></figure>

You will also notice that root SSH access is now disabled as a hardening measure.

<figure><img src="/files/g2yAQHKWJqPnu8nyXvsy" alt=""><figcaption></figcaption></figure>

### Removing SSH Access for a user

If a server administrator needs to be removed from having SSH access to a server, these are the steps you need to take:

1. In the inventory file for the server, find the user block for the user you wish to remove and set the value **state** to **absent**: \[TODO: fix screenshot]

<figure><img src="/files/QzQHYJnRqDo6ILyX1eJf" alt=""><figcaption></figcaption></figure>

```yaml
state: absent
```

2. Commit the updated inventory file to Git.
3. Run the Provision action for the environment with only the "**users**" task selected. It is quicker and less intensive than selecting "all".

<figure><img src="/files/Bg6rm9aYhCZgkayxgRC8" alt=""><figcaption><p>Running the users task updates all users on the server. If a user is marked as absent, they will be deactivated</p></figcaption></figure>

4. The user no longer has SSH access to the server.
5. If you wish, you can delete their block entirely from the inventory file and commit the file to Git.
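Both the `users` section described above and the removal procedure are easy to get subtly wrong: a mistyped `state`, a key line pasted with its type prefix missing, or an inventory that leaves no `present` admin once a user is set to `absent`. The following is an added example, not OpenCRVS code, that lints a `users` list the way a pre-commit check might and then performs the step-1 change of the removal procedure while refusing a result that would lock every administrator out. The sample inventory, the `constructed_ed25519_key` helper and the set of accepted key types are all assumptions made for the demo; in practice the list would come from `yaml.safe_load` on the inventory file.

```python
# Added example (not OpenCRVS code): lint the `users` section of an inventory
# file and deactivate a user without locking yourself out. The inventory below
# is CONSTRUCTED for the demo; ALLOWED_KEY_TYPES is a choice made for the example.
import base64
import copy
import re

ALLOWED_STATES = {"present", "absent"}
ALLOWED_ROLES = {"operator", "admin"}
# Key types accepted by this check (an assumption for the example; sshd accepts more).
ALLOWED_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                     "ecdsa-sha2-nistp384", "sk-ssh-ed25519@openssh.com"}
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")  # conservative POSIX login name


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length, then bytes."""
    return len(data).to_bytes(4, "big") + data


def constructed_ed25519_key(fill: int, comment: str) -> str:
    """CONSTRUCTED sample: a well-formed ssh-ed25519 line whose 32 key bytes are one
    repeated byte, so it is not a usable key pair; it only exercises the checks."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([fill]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def check_public_key(line: str):
    """Return None for a well-formed authorized_keys line, else a problem string."""
    parts = line.split()
    if len(parts) < 2:
        return "key line must look like '<type> <base64> [comment]'"
    key_type, body = parts[0], parts[1]
    if key_type not in ALLOWED_KEY_TYPES:
        return f"unsupported key type {key_type!r}"
    try:
        blob = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "key body is not valid base64"
    # The first wire-format string inside the blob must repeat the declared type.
    name_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + name_len] != key_type.encode():
        return "key blob does not match the declared key type"
    return None


def validate_users(users):
    """Return a list of problems; an empty list means the section is safe to apply."""
    errors, seen = [], set()
    for index, user in enumerate(users):
        name = user.get("name")
        where = f"users[{index}] ({name!r})"
        if not isinstance(name, str) or not USERNAME_RE.match(name):
            errors.append(f"{where}: invalid OS login name")
        elif name in seen:
            errors.append(f"{where}: duplicate user name")
        seen.add(name)
        if user.get("state") not in ALLOWED_STATES:
            errors.append(f"{where}: state must be one of {sorted(ALLOWED_STATES)}")
        if user.get("role") not in ALLOWED_ROLES:
            errors.append(f"{where}: role must be one of {sorted(ALLOWED_ROLES)}")
        keys = user.get("ssh_keys") or []
        if user.get("state") == "present" and not keys:
            errors.append(f"{where}: present user has no ssh_keys")
        for key in keys:
            problem = check_public_key(key)
            if problem:
                errors.append(f"{where}: {problem}")
    # Lock-out guard: with root SSH login disabled, an inventory that leaves no
    # present admin removes every remaining path to OS administration.
    if not any(u.get("state") == "present" and u.get("role") == "admin" for u in users):
        errors.append("inventory leaves no present admin user")
    return errors


def deactivate_user(users, name: str):
    """Return a copy of `users` with `name` set to absent (step 1 of the removal
    procedure), refusing the change if the resulting inventory fails validation."""
    updated = copy.deepcopy(users)
    targets = [u for u in updated if u.get("name") == name]
    if not targets:
        raise KeyError(f"no user named {name!r} in inventory")
    for user in targets:
        user["state"] = "absent"
    problems = validate_users(updated)
    if problems:
        raise ValueError("refusing to deactivate: " + "; ".join(problems))
    return updated


# CONSTRUCTED sample `users` section, shaped like the `bob` example above.
SAMPLE_USERS = [
    {"name": "bob", "state": "present", "role": "admin",
     "ssh_keys": [constructed_ed25519_key(1, "bob@opencrvs.org"),
                  constructed_ed25519_key(2, "bob@aol.com")]},
    {"name": "alice", "state": "present", "role": "operator",
     "ssh_keys": [constructed_ed25519_key(3, "alice@example.org")]},
]

if __name__ == "__main__":
    print("problems:", validate_users(SAMPLE_USERS) or "none")
    print([(u["name"], u["state"]) for u in deactivate_user(SAMPLE_USERS, "alice")])
```

Running the file reports no problems for the sample and shows `alice` switched to `absent`; asking it to deactivate `bob` instead raises, because he is the only `present` admin and the provision run would otherwise leave nobody able to administer the OS. The key check decodes the base64 blob and compares its first wire-format string with the declared type, which catches the common copy-paste error of pairing an `ssh-rsa` prefix with an ed25519 blob (a line sshd would silently ignore).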
