Shell Access

Secure Shell (SSH) is a command-line access mode primarily used to gain remote shell access to Sophos UTM. It is typically used for low-level maintenance or troubleshooting. To access this shell you need an SSH client, which usually comes with most Linux distributions. For Windows you can download an SSH client for free, e.g. PuTTY ( or DameWare (

Shell User Passwords

Enter passwords for the default shell accounts root and loginuser. To change the password for one out of these two accounts only, just leave both input boxes for the other account blank.

Note – To enable SSH shell access, passwords must be set initially. In addition, you can only specify passwords that adhere to the password complexity settings as configured on the Definitions & Users > Authentication Services > Advanced tab. That is, if you have enabled complex passwords, shell user passwords must meet the same requirements.

Accessing Sophos UTM via SSH

To access Sophos UTM via SSH, connect via SSH port (TCP 22 by default) using your normal SSH utility program (e.g. PuTTY).

You can log in as

  • loginuser by prompting loginuser and the associated password as set above at the SSH or
  • root after you have logged in as loginuser by typing su - and entering the associated password as set above.

Note – Any modifications done by root will void your support. Even users not logged in as root have direct access to a lot of information on Sophos UTM and should be considered privileged users. Therefore, it is strongly recommended to grant SSH access only to administrators in WebAdmin. For any configuration change, use WebAdmin instead.

Allowed Networks

Use the Allowed Networks control to restrict access to this feature to certain networks only. Networks listed here will be able to connect to the SSH service.


In this section you can define an authentication method for SSH access and the strictness of access. The following authentication methods are available:

  • Password (default)
  • Public key
  • Password and public key

To use these options select the respective checkboxes. To use Public Key Authentication you need to upload the respective public key(s) into the field Authorized Keys for loginuser for all users allowed to authenticate via their public key(s).

Allow root login: You can allow SSH access for the root user. This option is disabled by default as it leads to a higher security risk. When this option is enabled, the root user is able to log in via their public key. Upload the public key(s) for the root user into the field Authorized Keys for root.

Note – For more information on generating SSH keys, see the Sophos Knowledge Base articles Creating SSH key on a Linux based system, using PuTTY.

Click Apply to save your settings.

SSH Daemon Listen Port

This option lets you change the TCP port used for SSH. By default, this is the standard SSH port 22. To change the port, enter an appropriate value in the range from 1024 to 65535 in the Port number box and click Apply.