Add SSH Access for a User¶

This guide covers granting SSH access to Astradial infrastructure. There are multiple paths depending on which server the user needs and how they will connect.

Cloud Server Access¶

The cloud server (89.116.31.109) is directly reachable over the internet.

1. Create the user account¶

ssh root@89.116.31.109

# Create user with home directory
sudo adduser newuser

# Set a temporary password (they should change it on first login)
sudo passwd newuser

2. Add their SSH public key¶

sudo mkdir -p /home/newuser/.ssh
sudo nano /home/newuser/.ssh/authorized_keys
# Paste their public key (id_rsa.pub / id_ed25519.pub)

sudo chmod 700 /home/newuser/.ssh
sudo chmod 600 /home/newuser/.ssh/authorized_keys
sudo chown -R newuser:newuser /home/newuser/.ssh

3. Grant sudo if needed¶

sudo usermod -aG sudo newuser

4. Share connection details¶

Provide the user with:

NUC Access -- Local Network¶

If the user is on the same local network (office / same Wi-Fi):

SSH Host: 192.168.0.13
Port: 22
Username: (their account)
Password: (provide directly, not over email)

Create their account on the NUC the same way as the cloud server. They connect with:

ssh newuser@192.168.0.13

NUC Access -- Cloudflare Tunnel¶

For remote access to the NUC without exposing it to the public internet, use the Cloudflare Tunnel.

Prerequisites for the user¶

1. Install cloudflared on their machine:

   # macOS
   brew install cloudflare/cloudflare/cloudflared
   
   # Debian/Ubuntu
   curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb -o cloudflared.deb
   sudo dpkg -i cloudflared.deb
   

2. Add the following to their ~/.ssh/config:

   Host nuc.astradial.com
       ProxyCommand cloudflared access ssh --hostname %h
       User newuser
   

3. They can then connect with:

   ssh nuc.astradial.com
   

Admin steps¶

You must add the user's email to the Cloudflare Access policy before they can connect via the tunnel. See Add User to Cloudflare Access below.

NUC Access -- Cloud Hop (Two-step SSH)¶

If the user already has cloud server access, they can reach the NUC through the WireGuard tunnel:

# Step 1: SSH to cloud
ssh newuser@89.116.31.109

# Step 2: From cloud, SSH to NUC via WireGuard
ssh nucuser@10.10.10.2

The user needs accounts on both servers for this method to work.

Host astradial-nuc
    HostName 10.10.10.2
    User nucuser
    ProxyJump newuser@89.116.31.109

Add User to Cloudflare Access¶

Cloudflare Access controls who can reach the NUC via SSH tunnel (nuc.astradial.com) and the internal wiki (wiki.astradial.com). Both are protected by the same Access policy. You must add a user's email before they can access either resource.

Steps¶

1. Log in to Cloudflare Zero Trust (Hari's account)
2. Navigate to Access controls → Policies in the left sidebar
3. Click the Allow policy to edit it
4. Under Add rules → Include, the selector should be set to Emails
5. Type the new user's email address in the Value field and press Enter
6. Click Save

The user will now be able to:

• Access wiki.astradial.com — they'll see a Cloudflare login page, enter their email, and receive a one-time code
• SSH to nuc.astradial.com — cloudflared will open a browser for email verification before connecting

Current authorized emails¶

Remove a user¶

1. Go to the same Allow policy
2. Click the × next to their email in the Value field
3. Click Save

Security Checklist¶

• [ ] Use SSH keys instead of password authentication whenever possible
• [ ] Disable password authentication in /etc/ssh/sshd_config when all users have keys set up:

  PasswordAuthentication no
  

• [ ] Remove the user account when the freelancer or contractor is done:

  sudo userdel -r departinguser
  

• [ ] Remove their key from any authorized_keys files on other servers
• [ ] If they had Cloudflare Access, remove their email from the Access policy
• [ ] If they had WireGuard access, revoke their peer config and regenerate keys if necessary
• [ ] Rotate any shared credentials or API tokens they had access to