cloudflared
Can't connect via short lived certificate to ssh tunnel on windows
Describe the bug
My ssh tunnel is running via cloudflared on an Ubuntu server. It's at ssh.mydomain.com
I downloaded cloudflared binary on windows and added it to path. According to instructions from here. https://developers.cloudflare.com/cloudflare-one/identity/users/short-lived-certificates
This command
cloudflared access ssh-config --hostname ssh.mydomain.com --short-lived-cert
gave me the following config to add to my ssh config.
Host ssh.mydomain.com
ProxyCommand bash -c 'cloudflared access ssh-gen --hostname %h; ssh -tt %r@%h >&2 <&1'
Host cfpipe-ssh.mydomain.com
HostName ssh.mydomain.com
ProxyCommand cloudflared access ssh --hostname %h
IdentityFile ~/.cloudflared/ssh.mydomain.com-cf_key
CertificateFile ~/.cloudflared/ssh.mydomain.com-cf_key-cert.pub
After adding that to my config and running the following command
ssh ssh.mydomain.com
It just gets stuck at the terminal with no response or error.
Now I have several doubts:
- this extra cfpipe-ssh.mydomain.com domain, do I need to create an entry for it in my Cloudflare dashboard?
- this ssh config is using bash in the first part, which runs via WSL. Can't I just use the native Windows cloudflared binary for everything?
Expected behavior
It should connect to my tunnel.
Environment and versions
- OS: Windows
- Architecture: x86 Ryzen 5 3550h
- Version: 2022.2.2
Okay so, I was getting the following error before:
ssh: Could not resolve hostname cfpipe-ssh.mydomain.com: Name or service not known
kex_exchange_identification: Connection closed by remote host
Then I added a CNAME entry in my DNS from cfpipe-ssh.mydomain.com pointing to ssh.mydomain.com
After which I got stuck at terminal without any output like I mentioned above.
Do I need to add any DNS entry for this cfpipe- alias?
For starters, cfpipe-ssh.mydomain.com is not an "actual domain" but rather an alias. Really, it can be whatever you want:
Host lolwhat
HostName ssh.mydomain.com
Running ssh lolwhat would, in this case, be equivalent to ssh ssh.mydomain.com. In the case of cfpipe-ssh.mydomain.com, you're doing the same thing, just with some extra options.
Second, yes, but you need to edit the config. I'm not sure why, but the Windows binary spits out a Linux config. I have had success with this ssh config for Windows:
#Host ssh.mydomain.com
# ProxyCommand cmd /c "C:\path\to\cloudflared.exe access ssh-gen --hostname ssh.mydomain.com && ssh -tt [email protected]"
Host cfpipe-ssh.mydomain.com
HostName ssh.mydomain.com
ProxyCommand cloudflared access ssh --hostname ssh.mydomain.com
IdentityFile "C:\Users\Your Username\.cloudflared\ssh.mydomain.com-cf_key"
CertificateFile "C:\Users\Your Username\.cloudflared\ssh.mydomain.com-cf_key-cert.pub"
Notice that the first host is commented out. That's because I keep getting this when I try to use it:
Bad packet length 218783324.
ssh_dispatch_run_fatal: Connection to UNKNOWN port 65535: message authentication code incorrect
Instead you can run cmd /c "C:\path\to\cloudflared.exe access ssh-gen --hostname ssh.mydomain.com && ssh -tt [email protected]"
by itself in a batch file or better yet, with its own custom config in Windows Terminal.
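As an added example (this is not from the issue thread and not cloudflared's own output), here is the same flow as a native Windows PowerShell script, so that nothing depends on bash or WSL. It assumes cloudflared.exe and the Windows OpenSSH client (ssh.exe, ssh-keygen.exe) are on PATH, and that the cfpipe-ssh.mydomain.com Host block from the answer above is present in %USERPROFILE%\.ssh\config. The hostname and alias are parameters with the placeholder values used in this thread.

```powershell
# Added example, not the issue author's or cloudflared's code.
# Assumes: cloudflared.exe, ssh.exe and ssh-keygen.exe on PATH, and the
# "Host cfpipe-ssh.mydomain.com" block (ProxyCommand + IdentityFile + CertificateFile)
# already in $env:USERPROFILE\.ssh\config.
param(
    [string]$Hostname = "ssh.mydomain.com",        # the Access-protected hostname (placeholder)
    [string]$Alias    = "cfpipe-ssh.mydomain.com"  # the ssh config alias for it (placeholder)
)

$ErrorActionPreference = "Stop"

# cloudflared writes the key pair and certificate here; the names match the
# IdentityFile/CertificateFile lines in the Windows config from the answer above.
$keyDir   = Join-Path $env:USERPROFILE ".cloudflared"
$certPath = Join-Path $keyDir "$Hostname-cf_key-cert.pub"

# 1. Mint (or refresh) the short-lived certificate. This is the step the Linux-style
#    ProxyCommand ran through bash; it triggers the Access login if no session exists.
& cloudflared access ssh-gen --hostname $Hostname
if ($LASTEXITCODE -ne 0) {
    throw "cloudflared access ssh-gen failed with exit code $LASTEXITCODE"
}
if (-not (Test-Path $certPath)) {
    throw "Expected certificate not found at $certPath"
}

# 2. Inspect what was issued: principal, validity window and signing CA.
#    The certificate is short-lived, so an expired "Valid:" window means step 1
#    must be re-run before the next connection.
& ssh-keygen -L -f $certPath

# 3. Connect through the alias. ssh picks up the Host block from the config, runs
#    "cloudflared access ssh --hostname ..." as the ProxyCommand and presents the
#    key and certificate; no bash, no WSL, no extra DNS record for the alias.
& ssh $Alias
```

Because the certificate is short-lived, the ssh-gen step has to run before each session, which is why it is kept separate from the ProxyCommand here. Server side, sshd only accepts the certificate if the Cloudflare CA public key is configured as TrustedUserCAKeys in sshd_config, as the Cloudflare short-lived-certificates page linked at the top of the issue describes. A "Bad packet length" error like the one quoted in the answer usually means the client read something other than SSH protocol bytes from the ProxyCommand's stdout, so when debugging a combined command the first thing to check is that nothing in it writes to stdout except the tunnel itself.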