Describe the bug
The config generated by cloudflared access ssh-config --short-lived-cert does not work when --hostname contains invalid characters. This prevents using the config directly for otherwise functional addresses like subdomain.example.com/ssh.
To Reproduce
Steps to reproduce the behavior:
1. Create tunnel in dashboard, set up cloudflared tunnel on SSH server side, etc.
2. Run cloudflared access ssh-config --hostname subdomain.example.com/ssh --short-lived-cert on client
The following config is generated:
Add to your /.ssh/config:
Match host subdomain.example.com/ssh exec "cloudflared access ssh-gen --hostname %h"
ProxyCommand cloudflared access ssh --hostname %h
IdentityFile ~/.cloudflared/%h-cf_key
CertificateFile ~/.cloudflared/%h-cf_key-cert.pub
Note the use of %h in IdentityFile and CertificateFile
3. Run ssh subdomain.example.com/ssh
This creates the files subdomain.example.com-ssh-{cf_key|cf_key.pub|cf_key-cert.pub}. Note that the forward slash has been converted to a hyphen.
4. ssh fails with the following error:
no such identity: <$HOME>/.cloudflared/subdomain.example.com/ssh-cf_key: No such file or directory
<$USER>@subdomain.example.com/ssh: Permission denied (publickey).
This is as expected, as %h = subdomain.example.com/ssh != subdomain.example.com-ssh.
Expected behavior
The config should point to the correct file, such that ssh is able to find the identity file and connect successfully. I propose that %h be substituted for the escaped value for the IdentityFile and CertificateFile definitions (optionally, we could instead do this only when the hostname is found to contain invalid characters):
Add to your /.ssh/config:
Match host subdomain.example.com/ssh exec "cloudflared access ssh-gen --hostname %h"
ProxyCommand cloudflared access ssh --hostname %h
IdentityFile ~/.cloudflared/subdomain.example.com-ssh-cf_key # replace here
CertificateFile ~/.cloudflared/subdomain.example.com-ssh-cf_key-cert.pub # and here
This is my current workaround, and I can confirm that ssh access works fine in this case.
Environment and versions
OS: Windows 10 22H2 (build 19045.2604)
Architecture: 64-bit Intel
Version: cloudflared version 2023.3.1 (built 2023-03-13-1453 UTC)
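
The fix proposed in the report above, sketched as an added example (not cloudflared's own code): render the stanza with the escaped key file name whenever it differs from what ssh expands `%h` to. The function names are hypothetical, and only the `/` to `-` conversion observed in the report is modeled; cloudflared may escape other characters as well.

```go
package main

import (
	"fmt"
	"strings"
)

// keyBase models the one transformation seen in the report: "/" in the
// hostname becomes "-" in the generated key file names. Assumption: other
// characters cloudflared may escape are not modeled here.
func keyBase(hostname string) string {
	return strings.ReplaceAll(hostname, "/", "-")
}

// needsLiteralPaths reports whether ssh's %h expansion would name a file
// different from the one actually written under ~/.cloudflared.
func needsLiteralPaths(hostname string) bool {
	return keyBase(hostname) != hostname
}

// sshConfig renders the short-lived-cert stanza. %h is kept where the two
// names agree; otherwise the escaped name is written out literally.
func sshConfig(hostname string) string {
	base := "%h"
	if needsLiteralPaths(hostname) {
		// In ssh_config "%%" is a literal percent sign, so escape any "%"
		// in the literal name to keep ssh from reading it as a token.
		base = strings.ReplaceAll(keyBase(hostname), "%", "%%")
	}
	var b strings.Builder
	fmt.Fprintf(&b, "Match host %s exec \"cloudflared access ssh-gen --hostname %%h\"\n", hostname)
	b.WriteString("  ProxyCommand cloudflared access ssh --hostname %h\n")
	fmt.Fprintf(&b, "  IdentityFile ~/.cloudflared/%s-cf_key\n", base)
	fmt.Fprintf(&b, "  CertificateFile ~/.cloudflared/%s-cf_key-cert.pub\n", base)
	return b.String()
}

func main() {
	// Constructed sample hostnames: one plain, one with a path component.
	for _, h := range []string{"subdomain.example.com", "subdomain.example.com/ssh"} {
		fmt.Print(sshConfig(h), "\n")
	}
}
```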