cloudflared
🐛 Unix Usernames / SSO Identities Mismatch: `sshd_config` Configuration not Working
Describe the bug
After following the setup instructions "Advanced setup: Differing usernames", I can only log into my server as the user corresponding to the email address prefix used for authentication (using [email protected] for authentication only allows me to log in as michael@myserver, not as e.g. admin@myserver).
To Reproduce
Steps to reproduce the behavior:
- Follow the setup instructions "Connect with SSH through Cloudflare Tunnel"
- See error
- Tunnel ID: 22706c82-38da-4845-a7d1-c0a1bb3bf18d
- cloudflared config: N/A (set up tunnel through dashboard, not manually on the server)
Expected behavior
After following the setup instructions "Advanced setup: Differing usernames", I expect to be able to log into my server as an arbitrary user, regardless of my email address prefix.
Environment and versions
- OS: Raspbian GNU/Linux 10 (buster)
- Architecture: armv7l (Cortex-A53)
- Version: 5.10.103-v7+
Logs and errors
Attachments: sshd_config.txt, var_log_auth_log.log, cloudflared_config_yaml.txt
Additional context
I am running a cloudflared tunnel on a Raspberry Pi. I have used an SSH application set up with a one-time-pin email access policy to access the terminal through my browser. I followed the instructions to use short-lived certificates for authentication. However, I am trying to log on as user pi when my authentication email is [email protected]. I followed the relevant setup instructions here: "Advanced setup: Differing usernames" to edit my sshd_config, but this still only allows me to log on as user michael and not as user pi.

sshd_config (compare also attached file):

```
PubkeyAuthentication yes
TrustedUserCAKeys /etc/ssh/ca.pub
(...)
Match user pi
AuthorizedPrincipalsCommand echo 'john'
AuthorizedPrincipalsCommandUser nobody
```

/var/log/auth.log (compare also attached file):

```
Jan 15 08:55:10 MyRaspberryPi ssh [19217]: Accepted publickey for michael from ::1 port 33284 ssh2: ECDSA-CERT SHA256: (...) ID (...) (serial (...)) CA ECDSA SHA256: (...)
```
Unfortunately this is not enough information to go by.
What is the behaviour? You say error, but I don't see any error messages in this issue. Also, please share your sshd_config etc.
Thank you, @sudarshan-reddy for the quick reply. I have done my best to clarify the issue. Please compare the updated issue description and the attached files.
@sudarshan-reddy, has the additional information been helpful? Is this something that should be opened as an issue related to the documentation over at cloudflare-docs, rather than here in the cloudflared repo?
@sudarshan-reddy, any update on this? Compare also this discussion and this discussion on community.cloudflare.com.
@michaelweinold you need to set the full path for echo:

```
Match user 'pi'
AuthorizedPrincipalsCommand /bin/echo 'michael'
AuthorizedPrincipalsCommandUser nobody
```
Does this help?
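An added example, not part of this thread or of cloudflared: a small Python checker for the two things discussed above, the absolute-path requirement that sshd_config(5) places on AuthorizedPrincipalsCommand (the fix suggested in the reply), and the auth.log pattern that reveals which username the client actually presented to sshd. The config fragments and log lines are constructed to mirror the ones quoted in the issue; hostnames and the idp_user name are placeholders.

```python
import re
# Constructed sshd_config fragments modelled on the issue: the reporter's version
# with a bare 'echo', and the reply's version with an absolute path.
BROKEN_CONFIG = """\
PubkeyAuthentication yes
TrustedUserCAKeys /etc/ssh/ca.pub
Match user pi
    AuthorizedPrincipalsCommand echo 'john'
    AuthorizedPrincipalsCommandUser nobody
"""
FIXED_CONFIG = BROKEN_CONFIG.replace("echo 'john'", "/bin/echo 'michael'")

def check_principals_commands(config_text):
    """Return [(match_target, command, problems)] per AuthorizedPrincipalsCommand.
    sshd_config(5) requires an absolute path; a bare 'echo' is rejected by sshd."""
    findings, target = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            target = value                      # e.g. "user pi"
        elif key == "authorizedprincipalscommand":
            problems = []
            if not value.split()[0].startswith("/"):
                problems.append("command is not an absolute path")
            if target is None:
                problems.append("outside any Match block, applies to all users")
            findings.append((target, value, problems))
    return findings

# Constructed auth.log lines modelled on the two outcomes quoted in the thread.
AUTH_LOG = [
    "Jan 15 08:55:10 pi sshd[19217]: Accepted publickey for michael from ::1 port 33284 ssh2: ECDSA-CERT",
    "Mar 12 23:13:28 srv sshd[648416]: Invalid user idp_user from 127.0.0.1 port 53358",
    "Mar 12 23:13:28 srv sshd[648416]: Disconnected from invalid user idp_user 127.0.0.1 port 53358 [preauth]",
]
AUTH_RE = re.compile(r"sshd\[\d+\]: (Accepted publickey for|Invalid user) (\S+) from (\S+) port \d+")

def summarize_auth_log(lines):
    """Group sshd outcomes as {'accepted'|'invalid': [(user, source)]}. An 'Invalid user'
    hit for the IdP name means the client sent that identity as the login name, so the
    Match block for the intended local account was never consulted."""
    out = {"accepted": [], "invalid": []}
    for m in filter(None, map(AUTH_RE.search, lines)):
        kind = "accepted" if m.group(1).startswith("Accepted") else "invalid"
        out[kind].append((m.group(2), m.group(3)))
    return out
```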
No, it does not work...
If you are using Cloudflare's browser-based terminal, then using the different usernames feature will not work. It only works from an SSH client connection set up with the proper ssh_config using the cloudflared process and access command. https://github.com/cloudflare/cloudflare-docs/issues/6849#issuecomment-1433773652
As @glennschler points out, there is an issue with browser-based SSH rendering when the IDP username is not available on the target server, even with the username remapping as documented by Cloudflare. The issue title says it all :)

```
Mar 12 23:13:28 SERVERNAME sshd[648416]: Invalid user <IDP_USER> from 127.0.0.1 port 53358
Mar 12 23:13:28 SERVERNAME sshd[648416]: error: Received disconnect from 127.0.0.1 port 53358:13: Goodbye! [preauth]
Mar 12 23:13:28 SERVERNAME sshd[648416]: Disconnected from invalid user <IDP_USER> 127.0.0.1 port 53358 [preauth]
Mar 12 23:13:40 SERVERNAME sshd[648418]: Connection closed by 127.0.0.1 port 53374 [preauth]
```

Without this issue being resolved it's not possible to have portable SSO-based SSH access. The current functionality with the SSH client ties you to the host with the cloudflared setup.
Hope someone looks into this sooner rather than later. Thanks!