Access browser-rendered SSH needs private key for reasons

Hi there,

Struggling to see what’s different about a newly created SSH Access/Zero Trust connection which seems to require a private key and doesn’t give password as an option. Have recreated from scratch and have ended up in the same place and can’t see any differences in the config or anyone else reporting the problem.

When logging into the page the CF authentication stage takes place and the local user you want to log in with is prompted for, but unlike the previously configured hosts the password tab is greyed out and the mouse cursor changes to a no-entry sign when you hover over the button. If you fill in the password and not the private key box the screen says “Private key cannot be empty”. I have not tried to configure the short-lived certificates from SSO option and don’t believe it’s that, as the other hosts didn’t need that. I can log on to SSH locally with just username/password, and no key or certificate was required, so I’m not sure what this new behaviour relates to.

Thanks for any thoughts you may have.

Is this a recently spun-up host by any chance?
If it is, can you check your sshd_config to see if PasswordAuthentication is set to yes?

Hi there,

Great, yes, changing this value has changed the behaviour, thanks! It was indeed a freshly deployed ‘virtual appliance’, but the local ssh seems to allow normal username- and password-based login with the same users that insist on a private key when logging in via Cloudflare Access. I presume when they configured the OS to be hardened as a single-purpose appliance this was considered more secure or something.

Should the PasswordAuthentication setting in sshd_config be set to “yes” to allow CF Access to log in users with just a user/password because it needs to be able to tunnel plaintext passwords for that purpose or something?

To disable tunneled clear text passwords, change to no here!

PasswordAuthentication no
#PermitEmptyPasswords no

It certainly works with it enabled, but at what cost, I’m wondering. My other hosts didn’t have this set and I’m wondering what this new one had it set for. I read that challenge-response is harder to automate than password authentication, so presumably it is something to do with that.
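To make the sshd_config check suggested in the reply above repeatable, here is an added example (my own script, not part of the thread or of Cloudflare's or OpenSSH's tooling). It parses an sshd_config file and reports the effective value of a keyword the way sshd resolves it: the first uncommented occurrence of a keyword wins, keyword names are case-insensitive, "Keyword=value" is accepted, a commented line such as "#PermitEmptyPasswords no" only documents the compiled-in default, and a keyword that never appears takes that default. The sample config is constructed here to resemble the hardened appliance snippet quoted in the last post; Include drop-ins are not followed and Match blocks are skipped (both are assumptions of this simplified parser).

```shell
#!/bin/sh
# Added example, not from the thread: resolve the effective value of an
# sshd_config keyword. Assumptions: no Include directives are followed, and
# Match blocks are skipped rather than evaluated.

sshd_effective() {
  # usage: sshd_effective <keyword> <compiled-in default> <config file>
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
    /^[[:space:]]*#/ { next }                 # comment: shows a default, sets nothing
    /^[[:space:]]*$/ { next }                 # blank line
    {
      sub(/^[[:space:]]*/, "")
      sub(/[[:space:]]*=[[:space:]]*/, " ")   # normalise "Key=value" to "Key value"
      $0 = $0                                 # re-split fields after the edit
      k = tolower($1)                         # keywords are case-insensitive
    }
    k == "match" { inmatch = 1; next }        # conditional block: skipped here
    inmatch { next }
    k == key && found == "" { found = $2 }    # first occurrence wins in sshd_config
    END { print (found == "" ? def : found) }
  ' "$3"
}

# Constructed sshd_config fragment resembling the hardened appliance in the thread.
CFG="$(mktemp)"
trap 'rm -f "$CFG"' EXIT
cat > "$CFG" <<'EOF'
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
KbdInteractiveAuthentication=no
PubkeyAuthentication yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF

# Defaults passed in are the compiled-in defaults documented in sshd_config(5).
password_auth() { sshd_effective PasswordAuthentication yes "$CFG"; }
kbd_auth()      { sshd_effective KbdInteractiveAuthentication yes "$CFG"; }
pubkey_auth()   { sshd_effective PubkeyAuthentication yes "$CFG"; }

# Report what a password-only login through the browser terminal would hit.
echo "PasswordAuthentication       = $(password_auth)"   # no
echo "KbdInteractiveAuthentication = $(kbd_auth)"        # no
echo "PubkeyAuthentication         = $(pubkey_auth)"     # yes
```

Because the first occurrence wins, the later "PasswordAuthentication yes" in the sample does not re-enable password login; that is the trap to watch for when a hardened image ships the "no" near the top and you append a "yes" at the bottom. On a live host, `sshd -T` prints the fully resolved configuration, including any Include drop-ins, and is the authoritative check before changing anything.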