Account selection

When connecting to a server through Websh, WebFTP, or the server console, you choose which account to use on the remote server.

My account

Your Alpacon username is used as the remote user. This is the default selection. All users who meet the access requirements can connect with their own account.

System accounts

Users with sudo privilege can also select from system accounts on the server. The list shows non-IAM accounts that have shell access on the server.

Note: The root account only appears in the system accounts list when Allow direct root access is enabled in workspace access control. This setting is disabled by default.

Who has sudo privilege:

  • Workspace Staff or Superuser: on all servers
  • Manager or Owner of a group that is assigned to the server

MFA authentication for system account access

When the MFA required actions setting is enabled in workspace authentication policy, connecting with a system account requires additional MFA verification.

Web (Alpacon console)

  1. Select a system account and click Connect
  2. A notification appears indicating MFA is required
  3. You are redirected to the MFA authentication page
  4. Complete authentication (TOTP, email, phone, or WebAuthn)
  5. After successful verification, you are automatically redirected back and the connection starts

CLI (alpacon websh / alpacon exec)

When using the CLI, the MFA flow differs from the web:

  1. The CLI displays an MFA authentication link
  2. Open the link in your browser and complete MFA verification
  3. The CLI automatically detects successful authentication and continues the operation
  4. The MFA link expires after 3 minutes—retry the command to receive a new link if it expires
$ alpacon websh root@my-server
MFA authentication required.
Please open the following URL in your browser to complete MFA authentication:

  https://app.alpacon.io/mfa/verify?token=abc123

Waiting for MFA authentication... (timeout: 3m0s)
MFA authentication successful.

MFA timeout

MFA verification remains valid for a configured duration after completion. The timeout range is set by workspace administrators in authentication policy, and individual users can adjust their own timeout within this range from security settings. Subsequent system account connections within the valid period will not require re-authentication.