Connecting over SSH

Cloudflare Access connects you to a server over SSH without the need to turn on your VPN. Cloudflare’s command line tool, cloudflared, establishes the connection and lets you authenticate against your identity provider.

1. Install cloudflared

Follow the instructions here to install cloudflared on your device. Downloads are available for Linux, macOS, and Windows.

2. SSH configuration for Cloudflare Access

With cloudflared installed, you can make requests to services behind Access from your command line. cloudflared will initiate an authentication flow for you with the identity provider that your administrator configured.

First, you’ll want to save a new SSH configuration file. In this example, we’ll consider a Git server that is available at monday.example.com and placed behind Access.

Create a new SSH config file with the following details. You only need to specify HostName if it differs from the Host value.

Host monday.example.com
	HostName monday-ssh.example.com
	ProxyCommand cloudflared access ssh --hostname %h

You can save that file to ~/.ssh/config and move to the next step.
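
OpenSSH expands %h in ProxyCommand to the HostName value when one is set, so the hostname handed to cloudflared can differ from the alias you type. The following check is an added example, not part of the original page: it reports the expanded command for an alias, or DIRECT when the alias would bypass cloudflared. The sample config is constructed, tuesday.example.com and the access_target function are hypothetical, and only literal single-name Host entries are handled (no wildcards or Match blocks).

```shell
#!/bin/sh
# Added example. Prints the cloudflared command ssh would run for an alias,
# or DIRECT if that alias has no cloudflared ProxyCommand.

access_target() {
    # $1 = ssh config file, $2 = alias as typed on the ssh/git command line
    awk -v want="$2" '
        tolower($1) == "host" { active = ($2 == want); next }
        # ssh uses the first value it finds for each keyword
        active && tolower($1) == "hostname" && hostname == "" { hostname = $2 }
        active && tolower($1) == "proxycommand" && proxy == "" {
            $1 = ""; sub(/^ +/, ""); proxy = $0
        }
        END {
            if (proxy !~ /^cloudflared access ssh /) { print "DIRECT"; exit }
            if (hostname == "") hostname = want   # no HostName: %h is the alias
            gsub(/%h/, hostname, proxy)
            print proxy
        }
    ' "$1"
}

# Constructed sample config: the first entry matches the page, the second
# (hypothetical) entry is missing its ProxyCommand line.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
Host monday.example.com
    HostName monday-ssh.example.com
    ProxyCommand cloudflared access ssh --hostname %h

Host tuesday.example.com
    HostName tuesday-ssh.example.com
EOF

for alias in monday.example.com tuesday.example.com; do
    printf '%s -> %s\n' "$alias" "$(access_target "$SAMPLE_CFG" "$alias")"
done
```

Against a real setup, `ssh -G monday.example.com` prints the effective options OpenSSH itself resolves, including proxycommand.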

3. Connect over SSH

Once you have your configuration file saved, you can initiate an SSH connection to a server behind Access with any standard SSH or Git command. You can start by testing your connection.

$ git clone ssh -T [email protected]

If successful, the Git command will clone the repository. If not, you will receive an error indicating a failure to connect. If you are not able to connect, check your SSH config file or contact your administrator to confirm the tunnel is in place for that hostname.

$ git clone ssh://[email protected]:/code.git

The command will initiate an SSH connection through a proxy to reach the corresponding cloudflared daemon running on the server. In this example, SSH is available through port 22, but cloudflared can be configured for other ports.

cloudflared will then launch a browser window that contains the same Access login page you find when attempting to reach a web application. Select your identity provider and proceed to log in. If the browser window is not launched, you can also use the unique URL output in your command line.

When you have successfully authenticated, the browser will return your token to cloudflared in a cryptographic transfer. cloudflared will store the token and use it to authenticate your requests. The token is valid for the session duration configured by your Access administrator.

Access does not replace the need for SSH keys. You can continue to use SSH keys in conjunction with Access.