Connecting over SSH

Requirements

Ensure that the machine you are connecting to is configured to host SSH connections through Access.

Before you can establish a connection to an SSH host protected by Access, you must install Cloudflare’s cloudflared command-line tool. See Installing cloudflared for instructions.

If you have already installed cloudflared, run the following command to ensure that you are on the latest version:

$ cloudflared update

1. Install cloudflared

Follow the instructions here to install cloudflared on your device. Downloads are available for Linux, macOS, and Windows.

If you already have cloudflared installed, run the following command to ensure you are on the latest version:

$ cloudflared update

2. SSH configuration for Cloudflare Access

With cloudflared installed, you can make requests to services behind Access from your command line. cloudflared will initiate the authentication flow for you with the identity provider that your administrator configured.

Cloudflare Access does not require any unique commands or SSH wrappers to run. The only change needed is the addition of new ProxyCommand details to your SSH configuration file. cloudflared will print these details for you with the following commands.

Note: cloudflared will print the configuration settings for you with the path to cloudflared on your machine. The example here uses “/usr/local/bin/cloudflared” but that may be different on your device.

$ cloudflared access ssh-config

The command above will print generic SSH configuration details in the following format:

Host [your hostname]
	ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h

Optionally, run the following command to print SSH configuration details specific to your Access hostname.

$ cloudflared access ssh-config --hostname vm.example.com

The output will resemble the details below.

Host git.example.com
	ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h

Further, if you are using short-lived certificates, the following command can be used to generate the configuration file.

$ cloudflared access ssh-config --hostname vm.example.com --short-lived-cert

The command above will print SSH configuration details specific to your Access hostname as well as the settings required for short-lived certificates in the following format:

Host vm.example.com
        ProxyCommand bash -c '/usr/local/bin/cloudflared access ssh-gen --hostname %h; ssh -tt %r@cfpipe-vm.example.com >&2 <&1'

Host cfpipe-vm.example.com
        HostName vm.example.com
        ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
        IdentityFile ~/.cloudflared/vm.example.com-cf_key
        CertificateFile ~/.cloudflared/vm.example.com-cf_key-cert.pub

Save these new lines to your ~/.ssh/config file. You will only need to complete this once.
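
As an added example (not part of Cloudflare's documentation or tooling), the shell functions below append the generic block to an SSH config only if the host is not already listed, and refuse a cloudflared path that is relative or not executable. The function names are hypothetical, and only exact Host names are matched, not wildcard patterns.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not part of cloudflared.

# Print the generic block in the format shown above.
access_block() {  # $1 = hostname, $2 = absolute path to cloudflared
    printf 'Host %s\n\tProxyCommand %s access ssh --hostname %%h\n' "$1" "$2"
}

# Succeed if a Host line in the config names this hostname exactly
# (wildcard Host patterns are not evaluated).
has_host() {  # $1 = config file, $2 = hostname
    [ -f "$1" ] || return 1
    awk -v h="$2" '
        tolower($1) == "host" { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END { exit !found }' "$1"
}

# Append the block once. ssh executes whatever ProxyCommand names, so a
# relative or non-executable cloudflared path is rejected.
install_access_host() {  # $1 = config file, $2 = hostname, $3 = cloudflared path
    case "$3" in
        /*) ;;
        *) echo "cloudflared path must be absolute: $3" >&2; return 2 ;;
    esac
    [ -x "$3" ] || { echo "not executable: $3" >&2; return 2; }
    if has_host "$1" "$2"; then
        echo "Host $2 already in $1; nothing changed" >&2
        return 0
    fi
    mkdir -p "$(dirname "$1")"
    # umask 077 so a newly created config is readable by the owner only.
    (
        umask 077
        if [ -s "$1" ]; then echo >> "$1"; fi
        access_block "$2" "$3" >> "$1"
    )
}

# Print cloudflared binaries named by ProxyCommand lines (generic format only)
# that are missing or not executable, e.g. after cloudflared moved.
stale_proxy_paths() {  # $1 = config file
    awk 'tolower($1) == "proxycommand" && $2 ~ /cloudflared$/ { print $2 }' "$1" |
    while read -r bin; do
        [ -x "$bin" ] || echo "$bin"
    done
}
```

In practice the third argument to install_access_host would be the output of `command -v cloudflared`.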

3. Connect over SSH

Once you have your configuration file saved, you can initiate an SSH connection to a server behind Access.

The command will initiate an SSH connection through a proxy to reach the corresponding cloudflared daemon running on the server. Ensure that the “username” provided in the command matches a Unix username on the machine. In this example, SSH is available through port 22, but cloudflared can be configured for other ports.

cloudflared will then launch a browser window that contains the same Access login page you find when attempting to reach a web application. Select your identity provider and log in. If the browser window is not launched, you can also use the unique URL output in your command line.

When you have successfully authenticated, the browser will return your token to cloudflared in a cryptographic transfer, and cloudflared will store it. The token is valid for the session duration configured by your Access administrator, and cloudflared will use it to authenticate your requests.

Access does not replace the need for SSH keys. You can continue to use SSH keys in conjunction with Access.