cloudflared
Fix ssh-config short-lived-cert for subpath-ed hostnames
Fixes https://github.com/cloudflare/cloudflared/issues/923
Is this subject to a race condition when configuring a host name like "*.mycompany.com"? I think connecting to two hosts at the same time with this patch could cause the wrong cert to be used.
Sorry, but I don't think I understand the potential problem you're describing. Could you give an example of 2 hostnames that might create such a clash?
Sure, in this case I have configured access like so:
alex@Alexs-MacBook-Pro> cloudflared access ssh-config --hostname '*.mycorp.com' --short-lived-cert
Add to your /Users/alex/.ssh/config:
Match host *.mycorp.com exec "/Users/alex/bin/cloudflared access ssh-gen --hostname %h"
  ProxyCommand /Users/alex/bin/cloudflared access ssh --hostname %h
  IdentityFile ~/.cloudflared/%h-cf_key
  CertificateFile ~/.cloudflared/%h-cf_key-cert.pub
After this change the config would be:
Match host *.mycorp.com exec "/Users/alex/bin/cloudflared access ssh-gen --hostname %h"
  ProxyCommand /Users/alex/bin/cloudflared access ssh --hostname %h
  IdentityFile ~/.cloudflared/*.mycorp.com-cf_key
  CertificateFile ~/.cloudflared/*.mycorp.com-cf_key-cert.pub
Which may cause problems when SSHing to multiple hosts that match that pattern and use different SSH CA public keys at the same time.
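The difference between the two configs quoted above can be checked mechanically. The following Python sketch is an added example, not code from this PR or from cloudflared: it resolves IdentityFile and CertificateFile for each host under a Match host block and reports any path that more than one host would resolve to. The host names and function names are constructed for illustration, and only the "host" criterion and the %h token are handled (no Host blocks, negation or comma lists).

```python
import fnmatch
from collections import defaultdict

# Constructed from the two ssh_config snippets quoted in the thread above.
PER_HOST_CONFIG = """\
Match host *.mycorp.com exec "/Users/alex/bin/cloudflared access ssh-gen --hostname %h"
  ProxyCommand /Users/alex/bin/cloudflared access ssh --hostname %h
  IdentityFile ~/.cloudflared/%h-cf_key
  CertificateFile ~/.cloudflared/%h-cf_key-cert.pub
"""
PATTERN_CONFIG = """\
Match host *.mycorp.com exec "/Users/alex/bin/cloudflared access ssh-gen --hostname %h"
  ProxyCommand /Users/alex/bin/cloudflared access ssh --hostname %h
  IdentityFile ~/.cloudflared/*.mycorp.com-cf_key
  CertificateFile ~/.cloudflared/*.mycorp.com-cf_key-cert.pub
"""
HOSTS = ["db.mycorp.com", "git.mycorp.com"]  # constructed sample hosts


def credential_files(config, host):
    """Return {keyword: path} for the key and cert files that apply to host."""
    files, active = {}, False
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        keyword = words[0].lower()
        if keyword == "match":
            # Simplification: evaluate only "host <pattern>"; exec is ignored.
            active = words[1].lower() == "host" and fnmatch.fnmatchcase(host, words[2])
        elif active and keyword in ("identityfile", "certificatefile"):
            # ssh expands %h to the remote hostname; first value seen is kept.
            files.setdefault(keyword, words[1].replace("%h", host))
    return files


def shared_credentials(config, hosts):
    """Map each credential path to the hosts using it, keeping only shared paths."""
    users = defaultdict(set)
    for host in hosts:
        for path in credential_files(config, host).values():
            users[path].add(host)
    return {path: sorted(h) for path, h in users.items() if len(h) > 1}


if __name__ == "__main__":
    for name, cfg in (("per-host", PER_HOST_CONFIG), ("pattern", PATTERN_CONFIG)):
        print(name, shared_credentials(cfg, HOSTS))
```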