Hello everyone.
We started using Cloudflare's Cloudflare Tunnel to secure SSH access to our servers a couple of months ago and are very happy with it. Now we want to take the security to the next level and also use the short-lived cert feature (SSH with short-lived certificates · Cloudflare Zero Trust docs).
Here is what all of our admins have had in their .ssh/config so far (notice the wildcard *., so it applies to all of our servers with one entry in the ssh config; without short-lived certs, access with user "root" and public key auth):
Host *.<domain>
    ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
    ControlMaster auto
    ControlPath /tmp/ssh-%r@%h:%p
    ControlPersist 600
    User root
Now we have a couple of hundred servers, and it would be kind of annoying to add all of the following more than 400 times to the .ssh/config file… (It's the output from "cloudflared access ssh-config --hostname test. --short-lived-cert".)
Host test.<hostname>
    ProxyCommand bash -c '/usr/local/bin/cloudflared access ssh-gen --hostname %h; ssh -tt %r@cfpipe-test.<hostname> >&2 <&1'

Host cfpipe-test.<hostname>
    HostName test.<hostname>
    ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
    IdentityFile ~/.cloudflared/test.<hostname>-cf_key
    CertificateFile ~/.cloudflared/test.<hostname>-cf_key-cert.pub
So I just want to know if it is possible to have “one” config and then be able to connect to all of the servers.
Thanks all.
Best
Rick
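As an added example (not from the original post and not a Cloudflare tool), here is a small shell generator that turns a list of hostnames into the pair of stanzas shown in the post, so the 400 entries are produced from a list rather than typed. It assumes the stanza format pasted above, cloudflared at /usr/local/bin/cloudflared, key files under ~/.cloudflared/ named <host>-cf_key as in the pasted output, and hypothetical function names gen_stanza, gen_config and valid_host. Because the hostname ends up inside a bash -c '...' string in the ProxyCommand, the generator refuses any hostname containing characters other than letters, digits, dots and hyphens.

```shell
#!/usr/bin/env bash
# Hypothetical generator for per-host ssh_config stanzas in the short-lived-cert
# form that "cloudflared access ssh-config --short-lived-cert" prints.
# Assumed: cloudflared at /usr/local/bin/cloudflared and key files under
# ~/.cloudflared/ named <host>-cf_key and <host>-cf_key-cert.pub.
set -eu

CLOUDFLARED=/usr/local/bin/cloudflared

# Accept only hostnames made of letters, digits, dots and hyphens; anything
# else could break out of the single-quoted bash -c string in the ProxyCommand.
valid_host() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Emit the two stanzas for one hostname ($1), mirroring the pasted output:
# the public alias runs ssh-gen to fetch a fresh certificate, then hops to the
# cfpipe- alias, which carries the key/cert files and the tunnel ProxyCommand.
gen_stanza() {
  host="$1"
  cat <<EOF
Host ${host}
    ProxyCommand bash -c '${CLOUDFLARED} access ssh-gen --hostname %h; ssh -tt %r@cfpipe-${host} >&2 <&1'

Host cfpipe-${host}
    HostName ${host}
    ProxyCommand ${CLOUDFLARED} access ssh --hostname %h
    IdentityFile ~/.cloudflared/${host}-cf_key
    CertificateFile ~/.cloudflared/${host}-cf_key-cert.pub

EOF
}

# Read hostnames (one per line, blank lines and # comments ignored) from stdin
# and emit a complete config fragment; invalid names are reported and skipped.
gen_config() {
  while IFS= read -r h; do
    case "$h" in ''|'#'*) continue ;; esac
    if ! valid_host "$h"; then
      printf 'skipping invalid hostname: %s\n' "$h" >&2
      continue
    fi
    gen_stanza "$h"
  done
}

# Usage (example, constructed input):
#   printf 'test.example.com\nweb1.example.com\n' | gen_config > ~/.ssh/cloudflare_hosts
```

Pull the generated file in with an `Include ~/.ssh/cloudflare_hosts` line in ~/.ssh/config (OpenSSH 7.3 or later). Put that Include above the existing `Host *.<domain>` stanza: ssh uses the first value it finds for each option, so the per-host ProxyCommand, IdentityFile and CertificateFile must be seen before the wildcard's ProxyCommand, while User and the ControlMaster settings can stay in the wildcard stanza and still apply to every host it matches.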