Setup Windows Terminal to use Cloudflare Access for SSH Authentication

Windows Terminal is a modern terminal application that supports a wide variety of customisation through profiles. Windows Terminal profiles can be used to configure terminal colours, fonts, and commands. We are going to use this to set up a new Windows Terminal profile that connects to a server using SSH while authenticating with Cloudflare Access.

Setup Short Lived Certificates

The first step in this process is to set up an SSH server which is configured to use Cloudflare Access and Short Lived Certificates for authentication. If you need to set this up, you can refer to the post on browser based SSH with short lived certificates for a guide. If you already have this set up, you can move to the next step.

Install cloudflared on the client

The SSH connection will be proxied through Cloudflare, and cloudflared is the tool that does this on the client. You will need to install cloudflared and have it available on your Windows PATH.

  1. Download cloudflared from the downloads page and save it to an appropriate directory
  2. Open the Settings app
  3. Select About, and then Advanced system settings
  4. Go to the Advanced tab, and click Environment Variables…
  5. In the System variables section, select Path, and then click Edit…
  6. Click New, then enter the path to the directory containing the cloudflared executable
  7. Click OK on all open dialog boxes

Now that cloudflared is available as a system tool, we need to amend the SSH configuration to proxy the commands appropriately for the servers behind the Cloudflare Tunnel.

Configure the SSH Client

In this step, we will configure the SSH client so that it will use cloudflared to proxy the connection to the SSH server. To do this you can follow the steps below.

  1. Open your user profile directory by opening File Explorer, then entering %USERPROFILE% in the address bar
  2. If the .ssh directory does not already exist, create it, then navigate into the directory
  3. Create a new file named config
  4. Open a terminal window and run the following command. You will need to replace the hostname with the appropriate hostname for your server
    cloudflared access ssh-config --hostname ssh.example.com --short-lived-cert
  5. Copy all the output after the "Add to your /.ssh/config" line
  6. Open the config file, and paste the copied output from cloudflared
  7. Save the config file

At this point, you should be able to use the ssh command to connect to your server. If you enter the command ssh user@ssh.example.com, a browser window should open, asking you to log in with Cloudflare Access. After logging in, your SSH client should connect to an SSH session on the server.
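
The checks below are an added example, not part of the original post: a PowerShell script that shows which cloudflared binary PATH resolves to and confirms that the config file in %USERPROFILE%\.ssh holds the cloudflared proxy entry with sensible permissions. The $HostName default, the expectation of a CertificateFile line, and the list of allowed ACL identities are assumptions.

```powershell
# Added example, not from the original post. Run it in a new PowerShell window.
# Assumption: $HostName is the value you passed to --hostname.
param([string]$HostName = 'ssh.example.com')

$problems = @()

# cloudflared must resolve through PATH; show which binary would actually run.
$cf = Get-Command cloudflared -CommandType Application -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($cf) { "cloudflared: $($cf.Source)" }
else     { $problems += 'cloudflared is not on PATH (open a new terminal after editing Path)' }

$sshDir = Join-Path $env:USERPROFILE '.ssh'
$config = Join-Path $sshDir 'config'

# Editors such as Notepad may append .txt; ssh only reads the file named "config".
if (Test-Path (Join-Path $sshDir 'config.txt')) {
    $problems += 'found config.txt in .ssh; the file must be named config with no extension'
}

if (-not (Test-Path $config -PathType Leaf)) {
    $problems += "$config does not exist"
} else {
    $text = Get-Content -Raw $config
    # The pasted block should mention the hostname and proxy through cloudflared.
    if ($text -notmatch [regex]::Escape($HostName)) {
        $problems += "no entry mentioning $HostName in $config"
    }
    if ($text -notmatch '(?im)^\s*ProxyCommand\s.*cloudflared') {
        $problems += 'no ProxyCommand line that calls cloudflared'
    }
    # Assumption: with --short-lived-cert the generated block names a certificate file.
    if ($text -notmatch '(?im)^\s*CertificateFile\s') {
        $problems += 'no CertificateFile line (was --short-lived-cert used?)'
    }
    # This file decides which program proxies the connection, so flag any
    # identity other than the current user, SYSTEM and Administrators.
    $allowed = @("$env:USERDOMAIN\$env:USERNAME", 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    (Get-Acl $config).Access |
        Where-Object { $allowed -notcontains $_.IdentityReference.Value } |
        ForEach-Object { $problems += "unexpected ACL entry on config: $($_.IdentityReference.Value)" }
}

if ($problems.Count -eq 0) { "OK: SSH client is configured to reach $HostName through cloudflared" }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

The script only reads local state; it does not open a connection or trigger the Cloudflare Access login.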

Setup a Windows Terminal Profile  

The final step is to add a new Windows Terminal profile, which allows you to connect by selecting the server from the new tab dropdown menu in Windows Terminal.

  1. Click the new tab menu
  2. Click Settings
  3. Click Add a new profile, and then Duplicate
  4. Modify the Name as appropriate for you
  5. Set Command line to ssh user@ssh.example.com, amending the user and hostname as appropriate
  6. Configure the other options, such as Icon, as you would like
  7. Click Save
  8. Click the Settings tab

If everything is now set up correctly, you should be able to select your server from the new tab menu and automatically be connected to an SSH session on your server. If you need to authenticate, a browser window will open to Cloudflare Access and request that you log in.

Summary

In the steps above, we made cloudflared available as a system tool, amended the local SSH configuration to proxy commands through cloudflared for the appropriate hostname, then added a Windows Terminal profile to make the server even easier to access.