SSH to el02 via Cloudflare Access
This is the current and only supported way to SSH into el02 (Big Black). The previous ZeroTier-based approach was decommissioned in April 2026 and the daemon is uninstalled from every workstation. The 172.25.x.x virtual subnet no longer routes anywhere — if you find an old guide referencing it, ignore it.
How this works (in one paragraph)
You authenticate with GitHub SSO. Cloudflare Access verifies you’re on the allowlist and issues your local SSH client a 3-minute certificate signed by Cloudflare’s SSH CA. Your ssh command tunnels through cloudflared to ssh.ccmax.uk, which forwards to el02’s sshd. el02 trusts Cloudflare’s CA, so the cert grants access without you ever managing an ~/.ssh/authorized_keys entry. Three minutes later the cert expires; the next connection fetches a fresh one. There are no long-lived SSH keys to generate, share, or rotate.
Setup — 5 steps, ~3 minutes
1. Register your identity
Open https://eon.ccmax.uk in your browser and click “Sign in with GitHub”. Approve the OAuth consent screen. You’ll land on the fleet dashboard.
This step tells the access-control system “this GitHub account exists and wants in”. Your verified primary email is captured automatically from GitHub via the user:email OAuth scope — you don’t have to type or share it anywhere.
2. Ping the admin to add you to the SSH tier
Message Terry on Telegram (+1 604 300 8878) or GitHub (@terrylica):

    Just signed in to eon.ccmax.uk — please add me to ssh-operators.

Wait for confirmation. The admin runs /ccmax:access add --from-visit <your-github-id> --tier ssh-operators and /ccmax:access sync on their end. Usually takes under 5 minutes.
3. Install the Cloudflare client
cloudflared is the daemon that fetches your short-lived SSH certificate and proxies the connection.

macOS:

    brew install cloudflared

Ubuntu / Debian:

    sudo mkdir -p /usr/share/keyrings
    curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
    echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared focal main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
    sudo apt update && sudo apt install cloudflared

Windows: install via winget install --id Cloudflare.cloudflared, or download the .msi from the cloudflared releases page.
4. Run our one-shot setup script
    curl -fsSL https://eon.ccmax.uk/setup/ssh.sh | sh

This appends a Host el02 block to your ~/.ssh/config that tells SSH to:
- Tunnel through cloudflared access ssh --hostname ssh.ccmax.uk instead of connecting directly
- Use Cloudflare’s short-lived certificate flow instead of expecting an ~/.ssh/id_* key
- Cache the SSO session so you don’t re-authenticate on every connection
If you’d rather read the script before piping it to sh (sensible), just open the URL in your browser first. It’s about 30 lines of shell.
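After the script has run, you can confirm what it actually wrote. The check below is an added example, not part of the setup script or this project's tooling: it reads the effective configuration printed by ssh -G el02 and verifies that the ProxyCommand is the cloudflared tunnel to ssh.ccmax.uk described above. The function name and exit codes are made up for this example.

```sh
#!/bin/sh
# Added example: audit the effective SSH config for the el02 alias.
# Usage: ssh -G el02 | check_el02_config; echo "status: $?"
#
# Exit status:
#   0  ProxyCommand is "cloudflared access ssh --hostname ssh.ccmax.uk"
#   1  no ProxyCommand at all (ssh would connect directly)
#   2  ProxyCommand is something other than the documented tunnel
#   3  ProxyCommand contains shell metacharacters; ssh runs ProxyCommand
#      through your shell, so anything chained onto it would also execute
check_el02_config() {
    awk -v want="ssh.ccmax.uk" '
        # ssh -G prints one lowercase "keyword value" pair per line.
        $1 == "hostname"     { host = $2 }
        $1 == "proxycommand" { cmd = substr($0, length($1) + 2) }
        END {
            if (cmd == "" || cmd == "none") exit 1
            if (cmd ~ /[;&|`$<>()]/) exit 3
            n = split(cmd, w, /[ \t]+/)
            sub(/^.*\//, "", w[1])      # allow an absolute path to the binary
            if (w[1] != "cloudflared" || w[2] != "access" || w[3] != "ssh")
                exit 2
            for (i = 4; i < n; i++)
                if (w[i] == "--hostname") target = w[i + 1]
            if (target == "%h") target = host   # %h stands for the HostName value
            if (target != want) exit 2
            exit 0
        }'
}
```

A non-zero status means the Host el02 block is not the one this page describes; read ~/.ssh/config before connecting.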
5. Connect
    ssh el02

The very first time only, a browser tab will pop open prompting you to sign in with GitHub again. This authorizes cloudflared itself to fetch certificates on your behalf. After you sign in, the tab closes automatically and your shell drops into el02. Subsequent ssh el02 invocations within the next ~24 hours reuse the cached SSO and skip the browser entirely.
That’s it. You’re in.
Using el02 from VS Code or Cursor
Both editors’ Remote-SSH extensions work transparently with the el02 host alias once step 4 has populated ~/.ssh/config. Open the command palette → “Remote-SSH: Connect to Host…” → pick el02. The extension shells out to ssh el02 and the same Cloudflare flow runs.
Troubleshooting
- ssh el02 hangs at “Authenticated” then disconnects — your ssh-operators tier hasn’t been synced yet. Ask the admin to run /ccmax:access sync.
- Browser tab pops up every time you connect — your ~/.cloudflared/ SSO session expired. Normal after ~24 hours; the next browser sign-in refreshes it.
- cloudflared: command not found — step 3 didn’t complete. Re-run the install command for your OS.
- curl ... 403 Forbidden on step 4 — you haven’t completed step 1 (GitHub SSO via the dashboard) yet. The setup script endpoint is also gated by Cloudflare Access.
- You can SSH but you were told you’d been removed — your last-issued certificate is still within its 3-minute TTL. Wait 3 minutes; the next reconnect will fail.
How access is revoked
When the admin runs /ccmax:access remove <your-email> and /ccmax:access sync, Cloudflare Access stops issuing you new SSH certificates immediately. Any cert you obtained in the previous 3 minutes will keep working until it expires. After the 3-minute window, your ssh el02 attempts fail at the Cloudflare Access challenge and never reach el02’s sshd.
This is the entire revocation story — there is no authorized_keys file to clean up, no key to rotate on other machines, no VPN membership to revoke.
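Because revocation latency is bounded by the certificate lifetime, it is worth confirming that an issued certificate really is short-lived. The helper below is an added example, not project tooling: it reads the output of ssh-keygen -L -f <cert-file> and reports the validity window in seconds. Where cloudflared stores the certificate is not stated on this page, so <cert-file> is a placeholder, and the function names are made up for this example.

```sh
#!/bin/sh
# Added example: measure an SSH certificate's validity window.
# Usage: ssh-keygen -L -f <cert-file> | cert_is_short_lived 180
#
# cert_window_seconds prints the window length in seconds and returns 1 when
# the certificate has no bounded "Valid: from ... to ..." line ("forever").
# Both timestamps are printed in the same local time zone, so only their
# difference matters (a DST change inside the window would skew it).
cert_window_seconds() {
    awk '
        # Seconds on a proleptic Gregorian day count for YYYY-MM-DDTHH:MM:SS.
        function secs(ts,    p, y, m, days) {
            split(ts, p, /[-T:]/)
            y = p[1]; m = p[2]
            if (m <= 2) { y--; m += 12 }   # count Jan/Feb as months 13/14
            days = 365*y + int(y/4) - int(y/100) + int(y/400) + int((153*(m-3) + 2)/5) + p[3]
            return days*86400 + p[4]*3600 + p[5]*60 + p[6]
        }
        $1 == "Valid:" && $2 == "from" && $4 == "to" {
            print secs($5) - secs($3)
            found = 1
            exit
        }
        END { if (!found) exit 1 }'
}

# Succeeds only when the window is bounded and at most $1 seconds long.
cert_is_short_lived() {
    w=$(cert_window_seconds) || return 1
    [ "$w" -le "$1" ]
}
```

A certificate that fails this check with a limit of 180 would outlive the 3-minute revocation window described above.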
See also
- Open Remote-SSH to Ubuntu via Cursor or VSCode (5 mins) — once you’re in via ssh el02, follow this for IDE-side setup
- Archived: ZeroTier (deprecated 2026-04) — historical context on the previous approach