Better way to connect with short-lived certs
Currently running cloudflared access ssh-config --hostname mysite.app --short-lived-cert generates a configuration like this:
Host mysite.app
    ProxyCommand bash -c '/usr/local/bin/cloudflared access ssh-gen --hostname %h; ssh -tt %r@cfpipe-mysite.app >&2 <&1'
Host cfpipe-mysite.app
    HostName mysite.app
    ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
    IdentityFile ~/.cloudflared/mysite.app-cf_key
    CertificateFile ~/.cloudflared/mysite.app-cf_key-cert.pub
The problem with this configuration is that it breaks scp (which instead opens a shell), as well as any other flags passed to ssh.
A better solution would be to generate a config like this:
Match host mysite.app exec "/usr/local/bin/cloudflared access ssh-gen --hostname %h"
    ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
    IdentityFile ~/.cloudflared/mysite.app-cf_key
    CertificateFile ~/.cloudflared/mysite.app-cf_key-cert.pub
Much simpler and works exactly as expected.
I think this should be a valid option; we're facing this problem also.
That is a pretty neat solution.
You can even make the config dynamic that way:
Match host *.mydomain.com exec "/usr/local/bin/cloudflared access ssh-gen --hostname %h"
    ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
    IdentityFile ~/.cloudflared/%h-cf_key
    CertificateFile ~/.cloudflared/%h-cf_key-cert.pub
Thanks @LoboHacks, it just works :D
How do you give an alias to the host with this configuration? Match host only seems to accept FQDNs, so Match host example,ssh.example.com doesn't work, and this doesn't trigger the Match host:
Host example
Host ssh.example.com
Edit: it works if I put the Host before the Match host:
Host example
    HostName ssh.example.com
Match host ssh.example.com exec "cloudflared access ssh-gen --hostname %h"
    ProxyCommand cloudflared access ssh --hostname %h
    IdentityFile ~/.cloudflared/%h-cf_key
    CertificateFile ~/.cloudflared/%h-cf_key-cert.pub
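
Added example, not part of the thread and not cloudflared or OpenSSH code: a simplified Python model of ssh_config's single top-to-bottom pass, showing why the alias block has to come before the Match block. Host tests the name typed on the command line, while Match host tests the hostname as already rewritten by an earlier HostName. Assumptions: resolve() is a hypothetical helper, the exec command is recorded rather than run and is treated as succeeding, and negated patterns and other Match criteria are not modelled.

```python
import fnmatch
import shlex

def resolve(config_text, target):
    """Simplified single-pass model of ssh_config evaluation (not OpenSSH code).
    Returns (options, exec_commands) for the name typed on the command line."""
    opts, execs, active = {}, [], True
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        key, rest = key.lower(), rest.strip()
        # Hostname as rewritten so far by an earlier HostName directive.
        current = opts.get("hostname", target)
        if key == "host":
            # Host patterns are tested against the name typed by the user.
            active = any(fnmatch.fnmatchcase(target, p) for p in rest.split())
        elif key == "match":
            words = shlex.split(rest)
            active = True
            for crit, arg in zip(words[0::2], words[1::2]):
                if not active:
                    break  # a failed criterion means exec is never run
                if crit.lower() == "host":
                    active = any(fnmatch.fnmatchcase(current, p) for p in arg.split(","))
                elif crit.lower() == "exec":
                    # Assumption: recorded instead of executed, treated as exit 0.
                    execs.append(arg.replace("%h", current))
        elif active and key not in opts:
            opts[key] = rest  # the first value obtained for an option wins
    final = opts.get("hostname", target)
    return {k: v.replace("%h", final) for k, v in opts.items()}, execs

# Constructed sample input, taken from the blocks posted in the thread.
ALIAS = "Host example\n  HostName ssh.example.com\n"
MATCH = ('Match host ssh.example.com exec "cloudflared access ssh-gen --hostname %h"\n'
         "  ProxyCommand cloudflared access ssh --hostname %h\n"
         "  IdentityFile ~/.cloudflared/%h-cf_key\n"
         "  CertificateFile ~/.cloudflared/%h-cf_key-cert.pub\n")

if __name__ == "__main__":
    for label, cfg in (("alias first", ALIAS + MATCH), ("match first", MATCH + ALIAS)):
        opts, execs = resolve(cfg, "example")
        print(label, "->", opts.get("proxycommand"), execs)
```

On a real client, `ssh -G example` prints the options OpenSSH actually resolves for the alias, which is the authoritative check.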