Access to the admin is obtained through links containing a one-time passcode (OTP). These links are generated from within the server and expire within a couple of hours if not used.
Once opening the link, continued admin access is granted to that particular browser. Subsequently, the admin can be accessed by going to the server droplet's IP address, e.g.: https://18.104.22.168
If the browser cache is cleared, then the user will see 'Authentication failed' and need a new admin link.
Granting new access
To create a new link, within the server run
lamassu-register followed by a name to identify the recipient or purpose. For example:
If sending the link to another user or device, send it over a (secure) service which doesn't auto-preview the link (and thus invalidate it). Signal and Keybase are good for this, or within codeblock formatting in Wire, Element, or WhatsApp.
Revoking admin access
To view a list of authorized users you may run the following within the server's terminal:
To revoke a user's access, run
lamassu-revoke followed by the name of the authorized user. For example:
Switching off the admin
As an even greater security precaution, you may even turn off the admin fully when not in use, and switch it on again when needed.
Your paired machines will continue their normal operation, servicing customers; however, stopping the admin would prevent anyone with prior access from controlling your commission settings or pairing a machine of their own (and thus having indirect wallet withdrawal access).
To turn off the admin (
lamassu-admin-server), run within your server's terminal:
supervisorctl stop lamassu-admin-server
To turn it on again prior to accessing it, run:
supervisorctl start lamassu-admin-server
To view its current status (
supervisorctl status lamassu-admin-server
(If you do wish to halt service at your machines, similarly you may stop and start the
lamassu-server process, detailed in 'Halting service at the machine'.)