We started using Cloudflare's Argo Tunnel to secure SSH access to our servers a couple of months ago and are very happy with it. Now we want to take the security to the next level and also use the short-lived cert feature (https://developers.cloudflare.com/access/ssh/short-live-cert-server/).
Here is what all of our admins have had in their .ssh/config so far (notice the *., so it applies to all of our servers with one entry in the ssh config). This is without short-lived certs; access is with user “root” and public key auth:

    Host *.<domain>
      ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
      ControlMaster auto
      ControlPath /tmp/ssh-%r@%h:%p
      ControlPersist 600
      User root

Now we have a couple of hundred servers and it would be kind of annoying to add all of the following > 400 times in the .ssh/config file… (It’s the output from “cloudflared access ssh-config --hostname test. --short-lived-cert”)

    Host test.<hostname>
      ProxyCommand bash -c '/usr/local/bin/cloudflared access ssh-gen --hostname %h; ssh -tt %r@cfpipe-test.<hostname> >&2 <&1'

    Host cfpipe-test.<hostname>
      HostName test.<hostname>
      ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
      IdentityFile ~/.cloudflared/test.<hostname>-cf_key
      CertificateFile ~/.cloudflared/test.<hostname>-cf_key-cert.pub

So I just want to know if it is possible to have “one” config and then be able to connect to all of the servers.
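
The per-host stanza quoted in the post, generated for a whole list of servers; this is an added example, not the poster's or Cloudflare's code. The function names and the `hosts.txt` input file are assumptions, and every host name is validated because it is interpolated into a `bash -c` ProxyCommand.

```shell
#!/bin/sh
# Added example. Usage (hosts.txt is a hypothetical file, one name per line):
#   gen_all < hosts.txt > ~/.ssh/cloudflared_hosts.conf
CLOUDFLARED=/usr/local/bin/cloudflared   # path as used in the post

# Accept only lowercase DNS names with at least one dot. Anything else is
# rejected so no shell metacharacter can reach the bash -c ProxyCommand.
valid_host() {
  case $1 in
    ''|*[!a-z0-9.-]*|.*|*.|-*|*-|*..*|*.-*|*-.*) return 1 ;;
    *.*) [ "${#1}" -le 253 ] ;;
    *) return 1 ;;
  esac
}

# Print the two Host blocks for one server; returns 1 on an invalid name.
gen_stanza() {
  if ! valid_host "$1"; then
    echo "skipping invalid host name: $1" >&2
    return 1
  fi
  cat <<EOF
Host $1
  ProxyCommand bash -c '$CLOUDFLARED access ssh-gen --hostname %h; ssh -tt %r@cfpipe-$1 >&2 <&1'

Host cfpipe-$1
  HostName $1
  ProxyCommand $CLOUDFLARED access ssh --hostname %h
  IdentityFile ~/.cloudflared/$1-cf_key
  CertificateFile ~/.cloudflared/$1-cf_key-cert.pub

EOF
}

# Read host names from stdin ('#' comments and blank lines are ignored).
# Exit status is 1 if any name was rejected, so a bad list is noticed.
gen_all() {
  rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}
    line=$(printf '%s' "$line" | tr -d '[:space:]')
    [ -z "$line" ] && continue
    gen_stanza "$line" || rc=1
  done
  return "$rc"
}
```

The generated file can be pulled into `~/.ssh/config` with OpenSSH's `Include` directive, which keeps the hand-maintained config to a single line.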