> ## Documentation Index
> Fetch the complete documentation index at: https://docs.phala.com/llms.txt
> Use this file to discover all available pages before exploring further.
# Enable SSH Access
> Connect to your CVM via SSH for debugging and management
SSH access is only available with **dev** OS images. Select "dstack-dev" when creating your CVM. Production images have SSH disabled for security.
The easiest way to SSH into your CVM is with the Phala CLI. One command connects you through the secure gateway tunnel.
## Prerequisites
* [Phala CLI](/phala-cloud/phala-cloud-cli/overview) (latest version)
* CVM deployed with Development OS
## Step 1: Configure SSH Keys
Start by adding your SSH keys in **Account Settings > SSH Keys** on the [Phala Cloud dashboard](https://cloud.phala.com/account/settings). You can add keys manually or sync them from GitHub. All saved keys are automatically added to every new CVM you deploy.
When creating a CVM, the SSH Authorization section lets you add an additional root password or public key specific to that instance. These are added alongside your account keys.
SSH keys are injected **only at CVM creation time**. Updating your account keys won't affect already-deployed CVMs. To modify credentials on existing CVMs, use **Code Update** to set the `DSTACK_ROOT_PASSWORD` or `DSTACK_ROOT_PUBLIC_KEY` environment variables.
## Step 2: Connect
```bash theme={"system"}
# Connect using phala.toml configuration
phala ssh
# Or specify the CVM name directly
phala ssh my-cvm
```
That's it. The CLI handles the gateway tunnel and SSH configuration automatically.
## Useful Options
The `phala ssh` command supports several options:
```bash theme={"system"}
# Preview the SSH command without connecting
phala ssh my-cvm --dry-run
# Enable verbose output for debugging
phala ssh my-cvm -v
# Forward a local port to the CVM
phala ssh my-cvm -- -L 8080:localhost:80
```
See the [CLI reference](/phala-cloud/phala-cloud-cli/ssh) for all options.
If you prefer manual configuration or need to customize your setup, use `phala ssh --dry-run` to generate the SSH config:
```bash theme={"system"}
phala ssh my-cvm --dry-run
```
This outputs a working SSH command you can adapt. The underlying mechanism uses OpenSSL to tunnel SSH through TLS:
```bash theme={"system"}
Host my-cvm
HostName -22..phala.network
User root
Port 443
ProxyCommand openssl s_client -quiet -connect %h:%p
```
Replace `` with your application ID and `` with your cluster (e.g., `dstack-pha-prod7`).
**macOS users:** If you encounter connection timeouts, you may have LibreSSL instead of OpenSSL. Install OpenSSL via Homebrew and use the full path: `/opt/homebrew/bin/openssl`.
**Windows users:** Install OpenSSL via [Chocolatey](https://chocolatey.org/) (`choco install openssl`) and use the full path in ProxyCommand. Alternatively, use WSL where the Linux instructions work directly.
## What You Can Do
Once connected, you have full access to debug and manage your CVM:
```bash theme={"system"}
# Check containers
docker ps -a
docker logs
# Monitor resources
htop
docker stats
# Debug networking
curl http://localhost:8080
netstat -tulpn
```
Remember to switch to a Production OS image when you're done debugging.
## Troubleshooting
| Issue | Solution |
| ------------------ | --------------------------------------------------------------------------------------------- |
| Permission denied | Check Account Settings for saved keys. For existing CVMs, use Code Update to set credentials. |
| Connection refused | Confirm you deployed with Development OS, not Production |
| Connection timeout | Run `phala ssh -v` to see detailed connection info |
For more detailed troubleshooting, see [Networking Troubleshooting](/phala-cloud/networking/troubleshooting#ssh-access-denied).