Torus ZTNA

Teleport-based ZTNA gateway for SSH access to community shell hosts. Plus + Pro only.

Where it lives

Sidebar: Torus ZTNA (under Reachability). Section ID: torus-shell-section.

TBD — registration flow details

The exact registration UX is still being refined. The Set Up Shell Access → button on the Access control page launches the flow, which is where this page should pick up. Below is the rough shape; confirm specifics against the running app.

What it gives you

A way to SSH into Nekotopia community shell hosts (and host your own shell apps, optionally listing them on Neko Pages) via Teleport — a zero-trust network access gateway. Instead of opening port 22 directly, you authenticate to Teleport with a short-lived cert and Teleport brokers the connection.

Registering

Click Set Up Shell Access → from the Access control Torus ZTNA card (when its status is Not yet set up). The flow:

  1. The platform creates a Teleport user record for you
  2. You're issued a Teleport configuration bundle
  3. You install tsh (the Teleport CLI) on your local machine
  4. You run tsh login --proxy=teleport.nekotopia.io and sign in with your Nekotopia credentials
  5. Your local tsh gets a short-lived cert (24h default)

After registration, the toggle on the Access control card flips to Enabled and the shell: status pill on the overview header reads enabled.

Connecting

Once registered:

tsh login --proxy=teleport.nekotopia.io
tsh ssh username@hostname

Or set Teleport as your SSH proxy in ~/.ssh/config:

Host *.shell.nekotopia.io
    ProxyCommand tsh proxy ssh %r@%h:%p
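
One way to check that the ProxyCommand stanza above really applies to a given host, as an added example (not part of the original page or the Nekotopia tooling): OpenSSH uses the first value it obtains for each option, so an earlier, more specific Host block can override the wildcard and bypass the gateway. The hostnames in the sample config are constructed, and Match/Include directives are not modelled.

```python
import os
import re
from fnmatch import fnmatchcase

# Constructed sample: a per-host override placed above the page's wildcard block.
# necho.shell.nekotopia.io is an assumed FQDN, used only for illustration.
SAMPLE = """\
Host necho.shell.nekotopia.io
    ProxyCommand none

Host *.shell.nekotopia.io
    ProxyCommand tsh proxy ssh %r@%h:%p
"""

def host_matches(patterns, host):
    """Host line semantics: a positive pattern must match and no !pattern may."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(host, pat[1:]):
                return False
        elif fnmatchcase(host, pat):
            matched = True
    return matched

def effective_proxycommand(config_text, host):
    """ProxyCommand ssh would use for host (first obtained value wins), or None."""
    applies = True  # options above the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.+)", line)
        if not m or line.startswith("#"):
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key in ("match", "include"):
            raise ValueError(f"{key} is not modelled; fail closed")
        if key == "host":
            applies = host_matches(value.split(), host)
        elif key == "proxycommand" and applies:
            return value
    return None

def routed_via_teleport(config_text, host):
    """True only when the effective ProxyCommand launches tsh."""
    cmd = effective_proxycommand(config_text, host)
    return cmd is not None and os.path.basename(cmd.split()[0]) == "tsh"
```

On a live machine, ssh -G <host> prints the configuration OpenSSH actually resolves, including proxycommand, and is the authoritative check.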

Available shell hosts

  • necho (10.255.137.222) — community shell, Linux. Most members get a home directory here on registration.
  • marvin (planned) — the SGI O2 sandbox; access via Sandbox SGI when launched.
  • More to follow.

Hosting your own shell app

Tick List on Neko Pages on an approved ZTNA app to publish it to the community directory (see Neko Pages). The Teleport gateway brokers the actual connection, so your internal IP and port stay private.

Troubleshooting

tsh login fails

Most often: registration is incomplete. Check the Access control Torus ZTNA card — it should show Enabled, not Pending.

tsh ssh works but the session is slow

Teleport sessions go via the gateway, which adds latency. For latency-sensitive shell work, consider direct SSH within Torus (ssh user@host.ring.nekotopia.io) — but you lose the audit/cert benefits.

Open questions

  • Should member-published shell apps require admin approval per-app, or be self-serve once registered?
  • Session recording defaults — opt-out per-host or always-on?