Browser based SSH with Short Lived Certificates using Cloudflare Zero Trust
SSH is the de-facto standard for remotely accessing Unix computers. However, it requires pre-configured keys and an SSH client to be available on the client computer. By using a Cloudflare Tunnel and Cloudflare Access you can use any web browser as the SSH client, and use Cloudflare Access for authenticating to the remote computer instead of SSH keys.
Introduction
In this post I am going to provide details on how to configure Cloudflare Zero Trust with Cloudflare Access and Cloudflare Tunnels to securely provide SSH access to remote Unix computers through a browser-rendered SSH client.
Creating the Cloudflare Access Application
The first step is to create an application in Cloudflare Access. This will ensure that the access control measures have already been defined before we create the tunnel.
This can be done through the following steps:
- Go to the Cloudflare Zero Trust Dashboard
- Open the Access menu and select Applications
- Click the Add an application button
- Select self-hosted
- Enter an application name and application domain and click the Next button
- Set up the application policies to suit your requirements and click the Next button
- In the Additional settings area, open the Browser rendering dropdown and select SSH, then click the Next button
- Click the Add application button
Now that the Cloudflare Access application has been created, we need to create a tunnel and install cloudflared on the server (or a server which can communicate with the target server) to allow a connection to be established.
Creating a Cloudflare Tunnel
A Cloudflare Tunnel can be created through the Cloudflare Zero Trust Dashboard. This will allow us to manage the tunnel through the web interface, and download cloudflared preconfigured to connect to the tunnel.
- Go to the Cloudflare Zero Trust Dashboard
- Open the Access menu and select Tunnels
- Click the Create a tunnel button
- Enter a name for the tunnel. This is a descriptive name for future reference. Click the Save tunnel button
- Choose your tunnel environment and follow the instructions to set up cloudflared. Click the Next button
- Click the Next button
- On the Public Hostnames tab, enter the domain details to match the Cloudflare Access application created earlier.
- In the Service area, select SSH from the dropdown and enter 127.0.0.1 for the URL. If you are connecting to a different server than the one cloudflared is installed on, you will need to amend the URL to the appropriate address
- Click the Save hostname button
After following those steps, a Cloudflare tunnel connector should be connected, and the tunnel status should be Healthy. The next step is to set up the short-lived certificates to allow access to the SSH server using Cloudflare Access.
Setting up Short Lived Certificates
After setting up short-lived certificates in Cloudflare Access, you will be able to use Cloudflare to log in to an SSH server by authenticating with a certificate issued by Cloudflare Access. Before you do this, you need to have created a user account on the host server matching the username part of your email address. E.g. if you log in to Cloudflare Access with "james@example.com" you will need to have a user account on the server named "james". If the usernames are different, you will need to follow additional steps to allow you to log in.
- Go to the Cloudflare Zero Trust Dashboard
- Open the Access menu and select Service Auth
- Select the SSH tab
- In the Short-lived certificates area, select the application from the dropdown and click the Generate certificate button
- Copy the displayed public key
- Create the file /etc/ssh/ca.pub, paste the key into the file, then save and close the file. You may need to use sudo to be able to create the file: sudo nano /etc/ssh/ca.pub
- Open /etc/ssh/sshd_config and make the following changes to the file. You may need to use sudo to be able to save the file: sudo nano /etc/ssh/sshd_config
- Uncomment the line #PubkeyAuthentication yes by removing the # symbol
- On the line below, add TrustedUserCAKeys /etc/ssh/ca.pub
- Restart the SSH service: sudo service ssh restart
- Go to the public hostname URL you specified, and you should be presented with the Cloudflare Access login page. After logging in with an appropriate account, you should then be automatically logged into an SSH session as the Unix user with the username matching your e-mail address username.
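The sshd_config edits from the steps above, as an added shell script that is not part of the original post: it checks that the pasted CA file really is an OpenSSH public key before wiring it in, applies the two directives so that re-running is safe, and gives a count check for the result. The config and CA paths are passed as arguments (an assumption made here) so the script can be tried on a copy before touching /etc/ssh.

```shell
#!/bin/sh
# Added example, not from the original post: apply the sshd_config changes
# from the steps above idempotently, so re-running the script is safe.
set -eu

# Return 0 if the file holds an OpenSSH public key line (the format the
# Cloudflare dashboard shows for the short-lived certificate CA).
ca_key_looks_valid() {
    grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*' "$1"
}

# $1 = path to sshd_config, $2 = path to the CA public key file.
# Enables PubkeyAuthentication and points TrustedUserCAKeys at the CA file.
configure_sshd_ca() {
    cfg="$1"
    ca="$2"
    ca_key_looks_valid "$ca" || { echo "refusing: $ca is not an OpenSSH public key" >&2; return 1; }
    # Uncomment or rewrite an existing PubkeyAuthentication line, else append one.
    # Caveat: an appended line lands at the end of the file, i.e. inside any
    # trailing Match block; move it above the Match block if you have one.
    if grep -Eq '^[[:space:]]*#?[[:space:]]*PubkeyAuthentication[[:space:]]' "$cfg"; then
        sed -i.bak -E 's/^[[:space:]]*#?[[:space:]]*PubkeyAuthentication[[:space:]].*/PubkeyAuthentication yes/' "$cfg"
    else
        printf 'PubkeyAuthentication yes\n' >> "$cfg"
    fi
    # Same for TrustedUserCAKeys: update an existing directive or append it once.
    if grep -Eq '^[[:space:]]*TrustedUserCAKeys[[:space:]]' "$cfg"; then
        sed -i.bak -E "s|^[[:space:]]*TrustedUserCAKeys[[:space:]].*|TrustedUserCAKeys $ca|" "$cfg"
    else
        printf 'TrustedUserCAKeys %s\n' "$ca" >> "$cfg"
    fi
    rm -f "$cfg.bak"
}

# Number of active (uncommented) lines setting directive $2 in file $1.
# sshd honours the first occurrence, so exactly 1 is what you want afterwards.
count_directive() {
    grep -Ec "^[[:space:]]*$2[[:space:]]" "$1" || true
}

# Usage on the host (as root), then validate and restart as in the steps above:
#   configure_sshd_ca /etc/ssh/sshd_config /etc/ssh/ca.pub && sshd -t && service ssh restart
```

Running sshd -t before the restart is the check worth keeping: a typo in TrustedUserCAKeys would otherwise leave sshd refusing to start.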
Summary
In the steps above, we created a new Cloudflare Zero Trust tunnel and Cloudflare Access application, and enabled support for short-lived certificates to allow users to log in without additional passwords. This also allows users to log in through a browser-based SSH client, and for their access to the host to be controlled through Cloudflare Access policies.