SSH to el02 via Cloudflare Access

You’ll use Claude Code to do the heavy lifting. Each step below is either a metaprompt you paste into Claude Code, or a simple browser action. No manual config editing required.

After completing setup, you’ll have:

  • ssh el02 from anywhere (remote via Cloudflare Tunnel, 4-minute certificates, no VPN)
  • ssh el02-lan from the office network (traditional SSH keys, faster)
  • VS Code / Cursor Remote-SSH working with both paths
  • ClickHouse access to the opendeviationbar database

You need three things ready:

  1. A GitHub account with your real email set as primary and public
  2. Claude Code installed and working on your machine
  3. Your GitHub numeric ID — find it by opening https://api.github.com/users/YOUR_USERNAME in your browser and looking for the id field

Open https://eon.ccmax.uk and click “Sign in with GitHub”. This takes 10 seconds and captures your identity for the access control system.

Send this message to Terry on Telegram (+1 604 300 8878) or GitHub (@terrylica), filling in your details:

Just signed in to eon.ccmax.uk — please add me to ssh-operators.
GitHub username: YOUR_USERNAME
GitHub email (primary): YOUR_EMAIL
GitHub numeric ID: YOUR_ID

Wait for Terry to confirm (usually under 5 minutes).

Once Terry confirms, paste this metaprompt into Claude Code. Replace the three placeholders at the top with your actual details.

My GitHub username is `YOUR_USERNAME`.
My GitHub email is `YOUR_EMAIL`.
My GitHub numeric ID is `YOUR_ID`.
Set up SSH access to el02 (Big Black) on my machine. Here's exactly what needs to happen:
**1. Install cloudflared** (the Cloudflare Tunnel client):
- macOS: `brew install cloudflared`
- Linux: install from Cloudflare's apt repo
- Check it's installed: `cloudflared --version`
**2. Run the SSH setup script** from the fleet dashboard:
```
curl -fsSL https://eon.ccmax.uk/setup/ssh.sh | EL02_USER=YOUR_USERNAME sh
```
This writes a `Host el02` block to `~/.ssh/config` that tunnels through Cloudflare.
It's safe to re-run — it self-heals stale config.
**3. Generate an SSH key** if I don't already have one at `~/.ssh/id_ed25519`:
```
ssh-keygen -t ed25519 -C "YOUR_EMAIL"
```
**4. Show me my public key** so I can paste it into GitHub:
```
cat ~/.ssh/id_ed25519.pub
```
Tell me to go to https://github.com/settings/keys and add it.
**5. Add a LAN shortcut** to `~/.ssh/config` for office access:
```
Host el02-lan
    HostName el02.local
    User YOUR_USERNAME
Use the same idempotent marker approach as the setup script
so re-running doesn't duplicate the block.
**6. Verify remote access works**:
```
ssh -o ConnectTimeout=10 el02 echo "CONNECTION_OK"
```
If it fails, tell me that's normal for first-time — I need to run
`ssh el02` manually so the browser can open for GitHub OAuth.
**7. Configure VS Code / Cursor Remote-SSH**:
Tell me to open the command palette, pick "Remote-SSH: Connect to Host",
and select `el02`. It works automatically because we configured `~/.ssh/config`.
After each step, tell me what happened and what to do next.
Do NOT skip steps or combine them — I want to see each one complete.
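
Step 5 of the metaprompt asks for an idempotent, marker-delimited block. The following is an added example of that pattern, not the contents of the real setup script; the marker strings and the function name `upsert_ssh_block` are assumptions.

```shell
#!/bin/sh
# Added example: idempotent, marker-delimited Host block in an ssh config.
# The marker text and the function name are assumptions, not taken from
# the real setup script.

BEGIN_MARK='# >>> el02-lan (managed) >>>'
END_MARK='# <<< el02-lan (managed) <<<'

# upsert_ssh_block CONFIG_FILE USERNAME
# Replaces any previously written managed block, leaves everything else as is.
upsert_ssh_block() {
    cfg=$1
    user=$2
    dir=$(dirname "$cfg")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    [ -f "$cfg" ] || : > "$cfg"

    # Build the new file beside the old one so a failure never truncates it.
    tmp=$(mktemp "$cfg.XXXXXX") || return 1

    # Copy every line except an earlier managed block (markers included).
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip   { print }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Append the current version of the block.
    {
        printf '%s\n' "$BEGIN_MARK"
        printf 'Host el02-lan\n'
        printf '    HostName el02.local\n'
        printf '    User %s\n' "$user"
        printf '%s\n' "$END_MARK"
    } >> "$tmp"

    # ssh refuses config files that other users can write to.
    chmod 600 "$tmp" && mv "$tmp" "$cfg"
}

# Usage: upsert_ssh_block "$HOME/.ssh/config" YOUR_USERNAME
```

Because ssh takes the first value it finds for each option, a `User` set by an earlier `Host *` block in the same file still wins over the one written here.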

After Claude Code finishes the setup, test both paths:

```
# Remote (works from anywhere)
ssh el02
# LAN (works on office network only)
ssh el02-lan
```

The first time you run ssh el02, a browser tab opens for GitHub OAuth. Sign in, and the tab closes automatically. After that, connections are instant for ~24 hours before re-authentication.

Terry provisions these on the server side — you don’t need to do anything for these:

| Resource | Details |
| --- | --- |
| Linux user | Your GitHub username, with sudo and odb group membership |
| SSH authorized_keys | Pulled from your GitHub profile (that’s why step 3 asks you to upload a key) |
| CF Access membership | ssh-operators + dashboard-viewers tiers |
| ClickHouse user | Named account on the opendeviationbar database |
| ODB repo access | Read access to /home/tca/opendeviationbar-py via the odb group |
| 1Password item | All credentials (Linux password, ClickHouse password) shared via 1Password |

Current team members:

  • Terry Lee (Director of Operations) — Linux user tca, ClickHouse admin with full grants, terry@eonlabs.com on CF Access
  • MD Nasim (BruntWork) — Linux user nasimubd, ClickHouse user scoped to opendeviationbar, nasimubd21@gmail.com on CF Access

Cloudflare Access matches on the email GitHub sends during OAuth. If this doesn’t match the allowlist, you’ll be silently denied. Paste this into Claude Code if you want it to check for you:

Check my GitHub email setup for Cloudflare Access compatibility.
1. Run: `curl -sf https://api.github.com/users/YOUR_USERNAME | python3 -c "import sys,json; d=json.loads(sys.stdin.read()); print(f'Public email: {d.get(\"email\", \"None\")}')"`
2. If it says "None", tell me to:
- Go to https://github.com/settings/emails → set YOUR_EMAIL as primary
- Go to https://github.com/settings/profile → set Public email to YOUR_EMAIL
- Remove any old/unused emails from the emails page
3. If it shows my email, confirm I'm good.

If something isn’t working, paste this into Claude Code:

SSH to el02 isn't working. Help me diagnose.
1. Check if cloudflared is installed: `cloudflared --version`
2. Check my SSH config: `cat ~/.ssh/config` — look for the el02 block
3. Check if I have SSH keys: `ls -la ~/.ssh/id_ed25519*`
4. Check if my keys are on GitHub: `curl -sf https://github.com/YOUR_USERNAME.keys`
5. Try connecting with verbose output: `ssh -vv el02 2>&1 | head -50`
Based on what you find, tell me exactly what's wrong and fix it.
If the SSH config is stale, re-run:
`curl -fsSL https://eon.ccmax.uk/setup/ssh.sh | EL02_USER=YOUR_USERNAME sh`
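
For checks 3 and 4 above, comparing a local `.pub` file to GitHub's key list as whole lines fails, because the list GitHub serves carries only the key type and base64 blob, not your local comment. This added example (not part of the original page; the function name `unpublished_keys` and the saved-file layout are assumptions) compares on those two fields only.

```shell
#!/bin/sh
# Added example: report which local public keys are missing from a saved
# copy of the GitHub key list. Function name and file layout are assumptions.
#
# KEYS_FILE is the saved output of:
#   curl -sf https://github.com/YOUR_USERNAME.keys

# unpublished_keys KEYS_FILE PUBKEY_FILE...
# Prints each PUBKEY_FILE whose key is absent from KEYS_FILE.
# Returns 0 when every key is published, 1 otherwise.
unpublished_keys() {
    keys=$1
    shift
    missing=0
    for pub in "$@"; do
        # Field 1 is the key type, field 2 the base64 blob. Anything after
        # that is a local comment and must not take part in the comparison.
        want=$(awk 'NF >= 2 { print $1 " " $2; exit }' "$pub")
        if [ -z "$want" ]; then
            echo "$pub: not a public key file"
            missing=1
            continue
        fi
        if ! awk -v w="$want" '
                ($1 " " $2) == w { found = 1 }
                END { exit !found }
             ' "$keys"; then
            echo "$pub"
            missing=1
        fi
    done
    return "$missing"
}

# Usage:
#   curl -sf https://github.com/YOUR_USERNAME.keys > /tmp/github.keys
#   unpublished_keys /tmp/github.keys ~/.ssh/id_ed25519.pub
```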

No IP addresses are ever exchanged between your machine and el02. Both sides connect outbound to Cloudflare — neither accepts inbound connections.

```
You (macOS/Linux)                 Cloudflare Edge                 el02 (Big Black)
─────────────────                 ───────────────                 ────────────────
│                                 │                               │
│ 1. ssh el02                     │                               │
│    ───────►                     │                               │
│    (ProxyCommand fires          │                               │
│     cloudflared client)         │                               │
│                                 │                               │
│ 2. HTTPS outbound ─────────────►│                               │
│    to ssh.ccmax.uk              │                               │
│                                 │ ◄───── persistent tunnel ─────│
│                                 │  (cloudflared daemon on el02, │
│                                 │   always connected outbound   │
│                                 │   to Cloudflare edge)         │
│                                 │                               │
│ 3. CF Access challenge          │                               │
│ ◄──────────────────────────────►│                               │
│    Browser opens (first time)   │                               │
│    GitHub SSO → allowlist check │                               │
│    → issue 3-min SSH cert       │                               │
│                                 │                               │
│ 4. Authenticated tunnel         │                               │
│ ════════════════════════════════╪═══════════════════════════════│
│    SSH traffic flows through    │ CF routes to el02's sshd      │
│    encrypted tunnel, both ways  │ on 127.0.0.1:22               │
│                                 │                               │
│ 5. Cert expires (4 min)         │                               │
│    Next ssh el02 repeats from   │                               │
│    step 2 (no browser popup     │                               │
│    if SSO session is cached)    │                               │
▼                                 ▼                               ▼
```

Why no IP is needed: cloudflared on el02 maintains a persistent outbound connection to Cloudflare’s edge (port 443). It registered itself as ssh.ccmax.uk via the eon-network-access tunnel. When you run ssh el02, your local cloudflared also connects outbound to Cloudflare, which routes your traffic through the already-established tunnel. el02 could be behind NAT, change ISPs, or move to a different country — as long as its cloudflared daemon can reach Cloudflare outbound, everything works.

Remote path: You authenticate with GitHub SSO. Cloudflare Access verifies you’re on the allowlist and issues a 4-minute SSH certificate signed by Cloudflare’s CA. Your connection tunnels through cloudflared to ssh.ccmax.uk, which forwards to el02. The cert expires after 4 minutes; the next connection gets a fresh one. No long-lived SSH keys involved.

LAN path: Your SSH public keys are pulled from your GitHub profile into ~/.ssh/authorized_keys on el02. You connect directly to el02.local via mDNS — no tunnel, no browser, no Cloudflare. This only works on the same local network.

| Layer | What it protects | TTL |
| --- | --- | --- |
| CF Access allowlist | Who can request SSH certificates | Instant revocation |
| Short-lived SSH certificate | Remote connection authentication | 4 minutes |
| GitHub SSH public key | LAN connection authentication | Until removed from authorized_keys |
| Linux user + sudo | OS-level access control | Until account locked |
| ClickHouse user | Database access | Until user dropped |

Remote: Admin removes your email from the CF Access allowlist. New certificates stop immediately; existing ones expire in 4 minutes.

LAN: Admin removes your authorized_keys entry. Takes effect on next connection.

Offboarding: both paths revoked simultaneously, Linux account locked, ClickHouse user dropped.