
🐛 ssh-config w/ short-lived-cert thrown off by invalid characters in hostname #923

@jeslinmx

Description

Describe the bug
The config generated by cloudflared access ssh-config --short-lived-cert does not work when --hostname contains invalid characters. This prevents using the config directly for otherwise functional addresses like subdomain.example.com/ssh.

To Reproduce
Steps to reproduce the behavior:

  1. Create tunnel in dashboard, set up cloudflared tunnel on SSH server side, etc.
  2. Run cloudflared access ssh-config --hostname subdomain.example.com/ssh --short-lived-cert on client.
     The following config is generated:

       Add to your /.ssh/config:
       Match host subdomain.example.com/ssh exec "cloudflared access ssh-gen --hostname %h"
         ProxyCommand cloudflared access ssh --hostname %h
         IdentityFile ~/.cloudflared/%h-cf_key
         CertificateFile ~/.cloudflared/%h-cf_key-cert.pub

     Note the use of %h in IdentityFile and CertificateFile.
  3. Run ssh subdomain.example.com/ssh
     This creates the files subdomain.example.com-ssh-{cf_key|cf_key.pub|cf_key-cert.pub}. Note that the forward slash has been converted to a hyphen.
  4. ssh fails with the following error:

       no such identity: <$HOME>/.cloudflared/subdomain.example.com/ssh-cf_key: No such file or directory
       <$USER>@subdomain.example.com/ssh: Permission denied (publickey).

This is as expected, as %h = subdomain.example.com/ssh != subdomain.example.com-ssh.

Expected behavior
The config should point to the correct file, such that ssh is able to find the identity file and connect successfully. I propose that %h be substituted for the escaped value for the IdentityFile and CertificateFile definitions (optionally, we could instead do this only when the hostname is found to contain invalid characters):

Add to your /.ssh/config:
Match host subdomain.example.com/ssh exec "cloudflared access ssh-gen --hostname %h"
  ProxyCommand cloudflared access ssh --hostname %h
  IdentityFile ~/.cloudflared/subdomain.example.com-ssh-cf_key             # replace here
  CertificateFile ~/.cloudflared/subdomain.example.com-ssh-cf_key-cert.pub # and here

This is my current workaround, and I can confirm that ssh access works fine in this case.

Environment and versions

  • OS: Windows 10 22H2 (build 19045.2604)
  • Architecture: 64-bit Intel
  • Version: cloudflared version 2023.3.1 (built 2023-03-13-1453 UTC)
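The generator change proposed above, written out as an added example (this is not cloudflared's code, and the `escapeHostname` rule is an assumption: every character outside `[A-Za-z0-9._-]` becomes `-`, which is consistent with the single observation in the report that `/` became `-`). The point the example makes concrete is that `%h` is safe in the `Match ... exec` condition and in `ProxyCommand`, because cloudflared wants the original hostname there, but is not safe in `IdentityFile`/`CertificateFile`, where ssh expands it verbatim into a filesystem path and a `/` in the hostname becomes a directory separator. The example therefore emits a literal, escaped file stem only when the hostname actually contains such characters, and keeps `%h` otherwise.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeHostname turns a hostname into a filesystem-safe file stem.
// ASSUMPTION (example only, not cloudflared's implementation): every rune
// outside [A-Za-z0-9._-] is replaced with '-'. This reproduces the one
// observed case in the report: "subdomain.example.com/ssh" ->
// "subdomain.example.com-ssh".
func escapeHostname(hostname string) string {
	var b strings.Builder
	for _, r := range hostname {
		switch {
		case r >= 'a' && r <= 'z',
			r >= 'A' && r <= 'Z',
			r >= '0' && r <= '9',
			r == '.', r == '_', r == '-':
			b.WriteRune(r)
		default:
			b.WriteRune('-')
		}
	}
	return b.String()
}

// needsEscape reports whether ssh's %h expansion of this hostname would
// differ from the file name the key generator writes.
func needsEscape(hostname string) bool {
	return escapeHostname(hostname) != hostname
}

// generateSSHConfig emits the Match block from the report. %h stays in the
// exec condition and ProxyCommand (cloudflared needs the real hostname);
// the key paths use the escaped literal only when escaping changes the
// name, otherwise %h is kept as today.
func generateSSHConfig(hostname string) string {
	fileStem := "%h"
	if needsEscape(hostname) {
		fileStem = escapeHostname(hostname)
	}
	return fmt.Sprintf(
		"Match host %s exec \"cloudflared access ssh-gen --hostname %%h\"\n"+
			"  ProxyCommand cloudflared access ssh --hostname %%h\n"+
			"  IdentityFile ~/.cloudflared/%s-cf_key\n"+
			"  CertificateFile ~/.cloudflared/%s-cf_key-cert.pub\n",
		hostname, fileStem, fileStem)
}

func main() {
	// Constructed sample inputs: the hostname from the report and a plain one.
	for _, h := range []string{"subdomain.example.com/ssh", "ssh.example.com"} {
		fmt.Printf("Add to your ~/.ssh/config:\n%s\n", generateSSHConfig(h))
	}
}
```

For the report's hostname this yields exactly the workaround block above (literal `subdomain.example.com-ssh-cf_key` paths); for a hostname without special characters the output is unchanged from the current generator. If the real escaping rule in cloudflared differs from the assumed one, `escapeHostname` is the single place to adjust, since the ssh config must use whatever name `ssh-gen` actually writes.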

Labels

  • Area: Access (Issue related with cloudflared access)
  • Priority: Normal (Minor issue impacting one or more users)
  • Type: Bug (Something isn't working)