I have different username on Linux server with the Cloudflare Access user email prefix. I followed the setup guide (https://developers.cloudflare.com/cloudflare-one/identity/users/short-lived-certificates) to configure the principals in the server, and is able to connect in local terminal using cloudflared.
However, in the browser-rendered terminal, the short-lived certificates authentication will only be used once right after the page is load ( after user authenticated), it will automatically use user’s email prefix as username and fails as expected. Then, the browser page asked user to provide a username to login, but it will not try short-lived certificate again with the provided username again, but prompt user to enter credential.
It is a bad design because that makes the browser-rendered terminal useless if the user’s Linux username is not the same as their email prefix.
There is a section on the docs for having different usernames
Advanced setup: Differing usernames
1 Like
I have followed this section, and is able to get different username working in CLI via cloudflared, but not using the browser rendered terminal. That is the problem.
What does the Match user section of your /etc/ssh/sshd_config file look like?
I have the same issue. In my /etc/ssh/sshd_config I have (usernames changed to be more clear):
Match user linuxuser
AuthorizedPrincipalsCommand echo ‘emailprefix’
AuthorizedPrincipalsCommandUser nobody
In my auth.log I just get “Invalid user emailprefix from ::1”
Using cloudflared I don’t have this issue because I just specify linuxuser in the ssh command line.
1 Like
I’m having the same issue. If I add a linux user matching my Cloudflare login e-mail prefix browser access works fine. I can not log in as another user like I can with cloudflared. I’m testing with the following in my sshd_config
/etc/ssh/sshd_config
AuthorizedPrincipalsCommand /bin/bash -c "echo '%t %k' | ssh-keygen -L -f - | grep -A1 Principals"
AuthorizedPrincipalsCommandUser nobody
1 Like