Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🐛 ssh-config w/ short-lived-cert thrown off by invalid characters in hostname #923

Open
jeslinmx opened this issue Mar 27, 2023 · 0 comments · May be fixed by #930
Open

🐛 ssh-config w/ short-lived-cert thrown off by invalid characters in hostname #923

jeslinmx opened this issue Mar 27, 2023 · 0 comments · May be fixed by #930
Labels
Area: Access Issue related with cloudflared access Priority: Normal Minor issue impacting one or more users Type: Bug Something isn't working

Comments

@jeslinmx
Copy link

jeslinmx commented Mar 27, 2023

Describe the bug
The config generated by cloudflared access ssh-config --short-lived-cert does not work when --hostname contains invalid characters. This prevents using the config directly for otherwise functional addresses like subdomain.example.com/ssh.

To Reproduce
Steps to reproduce the behavior:

  1. Create tunnel in dashboard, set up cloudflared tunnel on SSH server side, etc.
  2. Run cloudflared access ssh-config --hostname subdomain.example.com/ssh --short-lived-cert on client
    The following config is generated:
Add to your /.ssh/config:
Match host subdomain.example.com/ssh exec "cloudflared access ssh-gen --hostname %h"
  ProxyCommand cloudflared access ssh --hostname %h
  IdentityFile ~/.cloudflared/%h-cf_key
  CertificateFile ~/.cloudflared/%h-cf_key-cert.pub

Note the use of %h in IdentityFile and CertificateFile
3. Run ssh subdomain.example.com/ssh
This creates the files subdomain.example.com-ssh-{cf_key|cf_key.pub|cf_key-cert.pub}. Note that the forward slash has been converted to a hyphen.
4. ssh fails with the following error:

no such identity: <$HOME>/.cloudflared/subdomain.example.com/ssh-cf_key: No such file or directory
<$USER>@subdomain.example.com/ssh: Permission denied (publickey).

This is as expected, as %h = subdomain.example.com/ssh != subdomain.example.com-ssh.

Expected behavior
The config should point to the correct file, such that ssh is able to find the identity file and connect successfully. I propose that %h be substituted for the escaped value for the IdentityFile and CertificateFile definitions (optionally, we could instead do this only when the hostname is found to contain invalid characters):

Add to your /.ssh/config:
Match host subdomain.example.com/ssh exec "cloudflared access ssh-gen --hostname %h"
  ProxyCommand cloudflared access ssh --hostname %h
  IdentityFile ~/.cloudflared/subdomain.example.com-ssh-cf_key             # replace here
  CertificateFile ~/.cloudflared/subdomain.example.com-ssh-cf_key-cert.pub # and here

This is my current workaround, and I can confirm that ssh access works fine in this case.

Environment and versions

  • OS: Windows 10 22H2 (build 19045.2604)
  • Architecture: 64-bit Intel
  • Version: cloudflared version 2023.3.1 (built 2023-03-13-1453 UTC)
@jeslinmx jeslinmx added Priority: Normal Minor issue impacting one or more users Type: Bug Something isn't working labels Mar 27, 2023
@DevinCarr DevinCarr added the Area: Access Issue related with cloudflared access label Mar 29, 2023
jeslinmx added a commit to jeslinmx/cloudflared that referenced this issue Apr 4, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Area: Access Issue related with cloudflared access Priority: Normal Minor issue impacting one or more users Type: Bug Something isn't working
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants