Cloudflare Docs
Cloudflare-One
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)

Configure SSH proxy and command logs

Cloudflare Zero Trust supports SSH proxying and command logging using Secure Web Gateway and the WARP client.

You can create network policies to manage and monitor SSH access to your applications. When a device connects to your origin server over SSH, a session log will be generated showing which user connected, the session duration, and optionally a full replay of all commands run during the session.

Prerequisites

1. Ensure Unix usernames match user SSO identities

Cloudflare Gateway will take the identity from a token and, using short-lived certificates, authorize the user on the target infrastructure.

In order to match a user to their SSO identity, the user’s Unix username must match their email address prefix. For example, jdoe must be registered in your Okta or GSuite organization as [email protected].

You can create a user entry with duplicate uid, gid, and home directory to link an identity to an existing user with a different username. You will need to create a password for it separately and add it to the same groups to replicate permissions.

For testing purposes, you can run the following command to generate a Unix user on the machine:

$ sudo adduser jdoe

2. Generate a short-lived certificate public key

Instead of traditional SSH keys, short-lived certificates are used to authenticate traffic between Cloudflare and your origin.

To create a root certificate and get its public key:

  1. Make a request to the Cloudflare API with your email address and API key as request headers.

    curl -X POST "https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/access/gateway_ca"\
    -H "X-Auth-Email: <EMAIL>" \
    -H "X-Auth-Key: <API_KEY>"

    Refer to Getting access to the Cloudflare API for help finding your Account ID and API key.

  2. A success response will include a public_key value. Save the key or keep it somewhere convenient for configuring your server.

3. Save your public key

  1. Copy the public_key value returned by the API request in Step 2.
  1. Use the following command to change directories to the SSH configuration directory on the remote target machine:

    $ cd /etc/ssh
  2. Once there, you can use the following command to both generate the file and open a text editor to input/paste the public key.

    $ vim ca.pub
  3. In the ca.pub file, paste the public key without any modifications. Save the file. In some systems, you may need to use the following command to force the file to save depending on your permissions:

    :w !sudo tee %
    :q!

4. Modify your SSHD config

The following procedure makes two changes to the sshd_config file on the remote target machine. The first change requires that you uncomment a field already set in most default configurations; the second change adds a new field.

  1. While staying within the /etc/ssh directory on the remote machine, open the sshd_config file.

    $ vim /etc/ssh/sshd_config
  2. Navigate to the row named PubkeyAuthentication. In most default configurations, the row will appear commented out as follows:

    # PubkeyAuthentication yes
  3. Remove the # symbol to uncomment the line; keep the setting yes enabled.

  4. Next, add a new line below PubkeyAuthentication as follows:

    TrustedUserCAKeys /etc/ssh/ca.pub

    Save the file and quit the editor. You might need to use the following command again to save and exit.

    :w !sudo tee %
    :q!

5. Check your SSH port number

Cloudflare’s SSH proxy only works with servers running on the default port 22. Open the sshd_config file and verify that no other Port values are specified.

cat /etc/ssh/sshd_config

6. Restart your SSH server

Once you have modified your SSHD configuration, you still need to restart the SSH service on the remote machine.

Debian/Ubuntu

$ sudo service ssh restart
$ sudo systemctl restart ssh

CentOS/RHEL

$ sudo service sshd restart
$ sudo systemctl restart sshd

7. Create an Audit SSH policy

  1. On the Zero Trust dashboard, navigate to Gateway > Policies.

  2. In the Network tab, create a new network policy.

  3. Name the policy and specify the Destination IP or hostname for your origin server.

  4. Add any other conditions to your policy. If a user does not meet the criteria, they will be blocked by default.

  5. In the Action dropdown, select Audit SSH.

  6. (Optional) Enable SSH Command Logging. If you have not already uploaded an SSH encryption public key, follow the steps in Configure SSH Command Logging .

  7. Save the policy.

8. Connect as a user

Users can use any SSH client to connect to the target resource, as long as they are logged into the WARP client on their device. Cloudflare Zero Trust will authenticate, proxy, and optionally encrypt and record all SSH traffic through Gateway.

(Optional) Configure SSH Command Logging

If you enabled SSH Command Logging in an Audit SSH policy , you will need to generate an HPKE key pair and upload the public key to your dashboard.

  1. Download the Cloudflare ssh-log-cli utility.

  2. Using the ssh-log-cli utility, generate a public and private key pair.

    $ ./ssh-log-cli generate-key-pair -o sshkey
    $ ls
    README.md ssh-log-cli sshkey sshkey.pub

    This command outputs two files, an sshkey.pub public key and a matching sshkey private key.

  3. On the Zero Trust dashboard, navigate to Settings > Network.

  4. In the SSH encryption public key field, paste the contents of sshkey.pub and click Save. Note that this a different public key from the ca.pub file you used to configure the origin server.

All proxied SSH commands are immediately encrypted using this public key. The matching private key is required to view logs .

View SSH Logs

  1. On the Zero Trust dashboard, navigate to Logs > Gateway > SSH.

  2. If you enabled the SSH Command Logging feature, you can Download a session’s command log.

  3. To decrypt the log, follow the instructions in the SSH Logging CLI repository. The following example uses the private key generated in Configure SSH Command Logging :

    $ ./ssh-log-cli decrypt -i sshlog -k sshkey

    This command outputs a sshlog-decrypted.zip file with the decrypted logs.