SSH certificate using Cloudflare Tunnel | Ming Di Leom's Blog
A quick guide to SSH certificates without using an identity provider
First Seen: 04/26/2024
Last Indexed: 10/23/2024
Contents
- Introduction
- Prerequisites
- Cloudflare Zero Trust
- Add an application
- Generate a CA certificate
- Create a tunnel
- Start SSH server
- Create a test user
- Matching email to different username
- AuthorizedPrincipalsFile
- Browser-based shell
- Usage monitoring
- Inspect user certificate

This article provides a quick-start guide to SSH certificates using Cloudflare Tunnel. More information can be found in the official docs:
- Public keys are not enough for SSH security
- SSH with short-lived certificates
- Configure short-lived certificates
- Self-hosted applications
- Connect with SSH through Cloudflare Tunnel

Introduction §

One unpleasant task I had previously in an enterprise with Linux servers was SSH key management, specifically checking that the SSH public keys of departed staff had been removed from the Ansible config. Then I learned from this article that it is possible to SSH using a short-lived (

```
 &2 <&1'
Host cfpipe-test.yourdomain.com
  HostName test.yourdomain.com
  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
  IdentityFile ~/.cloudflared/test.yourdomain.com-cf_key
  CertificateFile ~/.cloudflared/test.yourdomain.com-cf_key-cert.pub
```

Save the output to $HOME/.ssh/config. Now, the moment of truth:

```
ssh loremipsum@test.yourdomain.com
```

(Replace the username with the one you created in the Create a test user step.)

The terminal should open a web page at team-name.cloudflareaccess.com. Enter the email address you configured in the Add an application step, then enter the 6-digit PIN you receive. Back in the terminal, wait at least 5 seconds and you should see the usual SSH authentication. You may be wondering why you still see the host key fingerprint warning: the short-lived certificate authenticates you to the server, not the server to you, so the client still trusts the server's host key on first use. I find that the article SSH Best Practices using Certificates, 2FA and Bastions explains it well.

Browser-based shell §

As a bonus, head to test.yourdomain.com (see the Add an application step), which redirects you to a login page just like the previous step. After logging in with the 6-digit PIN, you will see a browser-based shell.

Usage monitoring §

Head to Settings → Account to monitor how many users you have; each email address you configured to receive a one-time PIN is counted as one user. To delete users, head to Users, tick the relevant users, select Update status and then Remove. The seat usage column should then show Inactive.

Inspect user certificate §

```
ssh-keygen -L -f ~/.cloudflared/test.yourdomain.com-cf_key-cert.pub
```
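The command above prints the certificate's type, signing CA, key ID, validity window and principals. The script below is an added example (not part of the original post or of cloudflared) that turns that output into the checks a practitioner actually wants before relying on such a certificate: that it names the principal you intend to log in as (the username used in the Create a test user step, here assumed to be loremipsum), that it was signed by the CA you installed on the server, and that a given local timestamp falls inside its short validity window. The certificate text it parses is constructed to mirror the layout of `ssh-keygen -L`; the fingerprints, key ID and dates are placeholders, not values issued by Cloudflare.

```sh
#!/bin/sh
# Added example, not from the original post: sanity-check a short-lived user
# certificate from the text that `ssh-keygen -L` prints. The certificate text
# below is CONSTRUCTED to mirror ssh-keygen's layout; fingerprints, dates, key
# ID and principal are placeholders, not values issued by Cloudflare.

SAMPLE_CERT_INFO='/home/user/.cloudflared/test.yourdomain.com-cf_key-cert.pub:
        Type: ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate
        Public key: ECDSA-CERT SHA256:placeholderUserKeyFingerprint0000000000000
        Signing CA: ECDSA SHA256:placeholderCaFingerprint00000000000000000000 (using ecdsa-sha2-nistp256)
        Key ID: "loremipsum@example.com"
        Serial: 0
        Valid: from 2024-04-26T10:00:00 to 2024-04-26T10:05:00
        Principals:
                loremipsum
        Critical Options: (none)
        Extensions:
                permit-pty'

# Print the value of a single "Name: value" field (first match only).
cert_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# List the principals, one per line; the block ends at the next "Name:" line.
# "Principals: (none)" yields no output.
cert_principals() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*Principals:/       { p = 1; next }
        p && /^[ \t]*[A-Za-z ]+:/  { p = 0 }
        p                          { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); if ($0 != "") print }
    '
}

# Succeed if the certificate names the expected principal, i.e. the Unix
# username you pass to ssh (or one mapped via AuthorizedPrincipalsFile).
cert_has_principal() {
    cert_principals "$1" | grep -qx -- "$2"
}

# Fingerprint of the CA that signed the certificate; compare it with
# `ssh-keygen -lf` of the CA public key you trusted in sshd_config.
cert_ca_fingerprint() {
    cert_field "$1" "Signing CA" | awk '{ print $2 }'
}

# Succeed if an ISO-8601 timestamp such as "$(date +%Y-%m-%dT%H:%M:%S)" falls
# inside the "Valid: from ... to ..." window. Timestamps in that fixed format
# sort lexically, so a plain string comparison is enough. ssh-keygen prints the
# window in local time, so pass a local timestamp, not UTC.
cert_valid_at() {
    window=$(cert_field "$1" Valid)
    case $window in
        forever)  return 0 ;;   # no expiry at all: not a short-lived cert
        "from "*) ;;
        *)        return 1 ;;   # "before ..." / "after ..." forms not handled
    esac
    from=${window#from }; from=${from%% *}
    to=${window##* }
    awk -v a="$from" -v b="$2" -v c="$to" 'BEGIN { exit !(a <= b && b <= c) }'
}

# Demo against the constructed sample. For a real certificate use:
#   info=$(ssh-keygen -L -f ~/.cloudflared/test.yourdomain.com-cf_key-cert.pub)
#   now=$(date +%Y-%m-%dT%H:%M:%S)
if cert_has_principal "$SAMPLE_CERT_INFO" loremipsum \
   && cert_valid_at "$SAMPLE_CERT_INFO" 2024-04-26T10:02:30; then
    echo "certificate usable for loremipsum, CA $(cert_ca_fingerprint "$SAMPLE_CERT_INFO")"
else
    echo "certificate not usable: wrong principal or outside validity window" >&2
fi
```

The validity window is the property that makes the whole scheme work: a certificate that has expired is useless to anyone who copies it later, which is why the Ansible-style cleanup described in the introduction becomes unnecessary. If `cert_valid_at` fails for the current time, regenerating the certificate (which the ProxyCommand flow above does for you) is the fix, not widening the window.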