CT-Ops
Terminal Access Settings
Global CT-Ops settings for interactive host terminal access and session logging.
The Terminal Access settings page controls interactive SSH terminal access
across the instance. Open it from Settings -> Security -> Terminal access at
/settings/security/terminal.
These settings affect the host Management Terminal Access card and the host Terminal tab. They also affect graph context-menu terminal actions on Host Networks. Host-level settings can narrow access, but they cannot enable terminals when the instance master switch is off.
Access and scope
Only instance administrators can open and change this page. The settings apply to every host in the current CT-Ops instance.
Non-admin users do not manage these settings. Terminal use still requires at least engineer-level membership, a host that allows terminal access, and a valid SSH username and password for the target host.
Terminal Access card
| Field or control | Default | What it does |
|---|---|---|
| Enable Terminal Access | On unless instance metadata explicitly disables it | Master switch for interactive terminal sessions. When off, no users can open terminal sessions on any host. Turning it off also clears the local Enable Session Logging switch before save. |
| Enable Session Logging | Off | Records terminal output for compliance when terminal access is enabled. Input, including passwords, is not recorded. |
| Save | Disabled until local changes exist | Persists the instance terminal settings. The button changes to Saving… while saving and shows Saved after success. |
The stored instance setting also contains terminalDirectAccess, but CT-Ops
forces it to false. Terminal sessions are SSH-backed: CT-Ops asks for a target
host username and password and does not open a shell as the agent or root user.
Host-level effects
| Area | Effect |
|---|---|
| Host Terminal tab | Hidden or denied when global terminal access is disabled, the host disables terminal access, the user lacks an eligible role, or the host allowlist excludes the user. |
| Host Networks graph -> Open Terminal | Uses the same global terminal policy, host-level policy, user role, SSH host-key trust, and username/password prompt as the host Terminal tab. |
| Host Management -> Terminal Access | Lets an admin disable terminal access for one host or restrict it to selected users, but only inside the global terminal access policy. |
| SSH host-key trust | Host terminal sessions are blocked when CT-Ops detects a changed host key until an admin trusts the pending key on the host Management page. |
| Session logging | When enabled globally, terminal output is recorded for compliance. Password input is not recorded. |
Operator guidance
Leave terminal access enabled only when CT-Ops is intended to be an operational access path. Disable it globally during access reviews, incident containment, or when SSH terminal use is not part of the deployment’s operating model.
Use host-level allowlists for sensitive hosts where normal engineer access is too broad. Use global session logging when terminal output must be retained for audit or regulated operations.