Ensure that the machine you are connecting to is configured to host SSH connections through Access.
Before you can establish a connection to an SSH host protected by Access, you must install Cloudflare’s cloudflared command-line tool. See Installing cloudflared for instructions. Downloads are available for Linux, macOS, and Windows.
If you have already installed cloudflared, run the following command to ensure that you are on the latest version:
$ cloudflared update
With cloudflared installed, you can make requests to services behind Access from your command line.
cloudflared will initiate the authentication flow for you with the identity provider that your administrator configured.
Cloudflare Access does not require any unique commands or SSH wrappers to run. The only change needed is the addition of new ProxyCommand details to your SSH configuration file.
cloudflared will print these configuration settings for you, including the location path of cloudflared on your machine, with the following commands. The example here uses “/usr/local/bin/cloudflared”, but that may be different on your device.
$ cloudflared access ssh-config
The command above will print generic SSH configuration details in the following format:
Host [your hostname]
  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
Optionally, run the following command to print SSH configuration details specific to your Access hostname.
$ cloudflared access ssh-config --hostname vm.example.com
The output will resemble the details below.
Host git.example.com
  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
Further, if you are using short-lived certificates, the following command can be used to generate the configuration file.
$ cloudflared access ssh-config --hostname vm.example.com --short-lived-cert
The command above will print SSH configuration details specific to your Access hostname as well as the settings required for short-lived certificates in the following format:
Host vm.example.com
  ProxyCommand bash -c '/usr/local/bin/cloudflared access ssh-gen --hostname %h; ssh -tt %r@cfpipe-vm.example.com >&2 <&1'

Host cfpipe-vm.example.com
  HostName vm.example.com
  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
  IdentityFile ~/.cloudflared/vm.example.com-cf_key
  CertificateFile ~/.cloudflared/vm.example.com-cf_key-cert.pub
Save these new lines to your ~/.ssh/config file. You will only need to complete this once.
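An added example, not part of Cloudflare's documentation or tooling: a shell check that a Host entry saved in an ssh config is proxied through cloudflared, and that the binary path in its ProxyCommand exists on this machine, since that path may differ per device. The function names, the sample config and the hosts cert.example.com and plain.example.com are constructed for illustration.

```shell
# Added example, not Cloudflare's code. Assumes literal Host names (no
# wildcards) and whitespace-separated keywords in the ssh config.

# access_proxy_binary CONFIG HOST
# Prints the cloudflared path named in the ProxyCommand of HOST. Status 1 if
# the entry is missing or does not call "cloudflared access ssh" or "ssh-gen".
access_proxy_binary() {
    awk -v want="$2" -v sq="'" '
        tolower($1) == "host" {
            in_block = 0
            for (i = 2; i <= NF; i++) if ($i == want) in_block = 1
            next
        }
        in_block && tolower($1) == "proxycommand" {
            for (i = 2; i <= NF - 2; i++) {
                bin = $i
                if (substr(bin, 1, 1) == sq) bin = substr(bin, 2)  # quote from bash -c
                if (bin ~ /cloudflared$/ && $(i+1) == "access" && $(i+2) ~ /^ssh(-gen)?$/) {
                    print bin; found = 1; exit
                }
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# check_access_host CONFIG HOST
# 0: proxied and binary executable; 1: no Access entry; 2: path wrong on this machine.
check_access_host() {
    bin=$(access_proxy_binary "$1" "$2") ||
        { echo "$2: no ProxyCommand calling cloudflared access ssh" >&2; return 1; }
    [ -x "$bin" ] ||
        { echo "$2: $bin is not executable on this machine" >&2; return 2; }
    echo "$2: proxied through $bin"
}

# write_sample_config FILE CLOUDFLARED_PATH: constructed sample input for a dry run.
write_sample_config() {
    cat > "$1" <<EOF
Host vm.example.com
  ProxyCommand $2 access ssh --hostname %h

Host cert.example.com
  ProxyCommand bash -c '$2 access ssh-gen --hostname %h; ssh -tt %r@cfpipe-cert.example.com >&2 <&1'

Host plain.example.com
  User admin
EOF
}
```

Against a real file, call `check_access_host ~/.ssh/config vm.example.com`; a status of 2 means the saved ProxyCommand points at a cloudflared path that does not exist on this device.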
Once you have your configuration file saved, you can initiate an SSH connection to a server behind Access.
$ ssh username@vm.example.com
The command will initiate an SSH connection through a proxy to reach the corresponding cloudflared daemon running on the server. Ensure that the “username” provided in the command matches a Unix username on the machine. In this example, SSH is available through port 22, but cloudflared can be configured for other ports.
cloudflared will proceed to launch a browser window that contains the same Access login page you find when attempting to reach a web application. Select your identity provider and proceed to log in. If the browser window does not launch, you can also use the unique URL output in your command line.
When you have successfully authenticated, the browser will return your token to cloudflared in a cryptographic transfer. cloudflared will store the token and use it to authenticate your requests. The token is valid for the session duration configured by your Access administrator.
Access does not replace the need for SSH keys. You can continue to use SSH keys in conjunction with Access.