Application SSH Overview


Warning: Pivotal Cloud Foundry (PCF) v2.3 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

This topic introduces SSH configuration for apps in your Pivotal Application Service deployment.

If you need to troubleshoot an instance of an app, you can gain SSH access to the app using the SSH proxy and daemon.

For example, one of your app instances may be unresponsive, or the log output from the app may be inconsistent or incomplete. You can SSH into the individual VM that runs the problem instance to troubleshoot.

Note: If you have mutual TLS app identity verification enabled, app containers accept incoming communication only from the Gorouter. This disables cf ssh.

SSH Access Control Hierarchy

Operators, space managers, and space developers can configure SSH access for PAS, spaces, and apps as described in this table:

| User Role | Scope of SSH Permissions Control | How They Define SSH Permissions |
|---|---|---|
| Operator | Entire deployment | Configure the deployment to allow or prohibit SSH access (one-time). For more information, see Configuring SSH Access for PCF. |
| Space Manager | Space | cf CLI allow-space-ssh and disallow-space-ssh commands |
| Space Developer | Application | cf CLI enable-ssh and disable-ssh commands |

An application is SSH-accessible only if operators, space managers, and space developers all grant SSH access at their respective levels. For example, the image below shows a deployment where:

  • An operator allowed SSH access at the deployment level.
  • A space manager allowed SSH access for applications running in spaces “A” and “B” but not “C.”
  • A space developer enabled SSH access for applications that include “Foo,” “Bar,” and “Baz.”

As a result, apps “Foo,” “Bar,” and “Baz” accept SSH requests.

[Image: SSH app access]
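An added example (not part of the original Pivotal documentation): a small Python audit of the three-level rule above. It reports which apps accept SSH and which are one setting change away from accepting it. The inventory, app names, and field names are constructed for illustration and are not PAS API fields.

```python
from dataclasses import dataclass

# Constructed model; field names are this example's own, not PAS API fields.
@dataclass(frozen=True)
class App:
    name: str
    space: str
    ssh_enabled: bool  # set by a space developer: cf enable-ssh / disable-ssh

def audit(deployment_allows, space_allows, apps):
    """Return one finding per app: effective SSH access and the levels denying it."""
    findings = []
    for app in apps:
        denied_by = []
        if not deployment_allows:
            denied_by.append("operator")
        # A space missing from the inventory raises KeyError instead of being guessed.
        if not space_allows[app.space]:
            denied_by.append("space manager")
        if not app.ssh_enabled:
            denied_by.append("space developer")
        findings.append({
            "app": app.name,
            "space": app.space,
            "reachable": not denied_by,      # all three levels grant access
            "denied_by": denied_by,
            "latent": len(denied_by) == 1,   # one change away from reachable
        })
    return findings

def reachable(findings):
    return sorted(f["app"] for f in findings if f["reachable"])

def latent(findings):
    return {f["app"]: f["denied_by"][0] for f in findings if f["latent"]}

# Constructed inventory: spaces A and B allow SSH, C does not.
SPACES = {"A": True, "B": True, "C": False}  # cf allow-space-ssh / disallow-space-ssh
APPS = [App("web", "A", True), App("worker", "B", True),
        App("batch", "C", True), App("admin", "A", False)]

if __name__ == "__main__":
    for f in audit(True, SPACES, APPS):
        state = "REACHABLE" if f["reachable"] else "denied by " + ", ".join(f["denied_by"])
        print(f'{f["app"]:8} space {f["space"]}  {state}')
```

The latent entries are the ones worth reviewing: an app left with SSH enabled in a space that disallows it becomes reachable as soon as the space setting changes.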

SSH Access for Apps and Spaces

Space managers and space developers can configure SSH access from the command line. The Cloud Foundry Command Line Interface (cf CLI) also includes commands to return the value of the SSH access setting. See the Accessing Apps with Diego SSH topic to use and configure SSH at both the application level and the space level.

Configuring SSH Access for Pivotal Application Service

Pivotal Cloud Foundry deployments control SSH access to apps at the PAS level. Additionally, Cloud Foundry supports load balancing of SSH sessions with your load balancer. The Configuring SSH Access topic describes how to set SSH access for your deployment.

About SSH Access

The SSH system components include the SSH proxy and daemon. The system also supports authentication and load balancing of incoming SSH traffic. The Application SSH Components and Processes topic provides a conceptual overview.