Browser-rendered SSH terminal issue

Zero Trust Access
1

I have different username on Linux server with the Cloudflare Access user email prefix. I followed the setup guide (https://developers.cloudflare.com/cloudflare-one/identity/users/short-lived-certificates) to configure the principals in the server, and is able to connect in local terminal using cloudflared.

However, in the browser-rendered terminal, the short-lived certificates authentication will only be used once right after the page is load ( after user authenticated), it will automatically use user’s email prefix as username and fails as expected. Then, the browser page asked user to provide a username to login, but it will not try short-lived certificate again with the provided username again, but prompt user to enter credential.

It is a bad design because that makes the browser-rendered terminal useless if the user’s Linux username is not the same as their email prefix.

2

There is a section on the docs for having different usernames

Advanced setup: Differing usernames

1 Like
3

I have followed this section, and is able to get different username working in CLI via cloudflared, but not using the browser rendered terminal. That is the problem.

4

What does the Match user section of your /etc/ssh/sshd_config file look like?

5

I have the same issue. In my /etc/ssh/sshd_config I have (usernames changed to be more clear):

Match user linuxuser
AuthorizedPrincipalsCommand echo ‘emailprefix’
AuthorizedPrincipalsCommandUser nobody

In my auth.log I just get “Invalid user emailprefix from ::1”

Using cloudflared I don’t have this issue because I just specify linuxuser in the ssh command line.

1 Like
7

I’m having the same issue. If I add a linux user matching my Cloudflare login e-mail prefix browser access works fine. I can not log in as another user like I can with cloudflared. I’m testing with the following in my sshd_config

/etc/ssh/sshd_config

AuthorizedPrincipalsCommand /bin/bash -c "echo '%t %k' | ssh-keygen -L -f - | grep -A1 Principals"
AuthorizedPrincipalsCommandUser nobody
1 Like
8

Just another me too. I have the same problem. I cannot log into another user even following the instructions.

9

This is why I signed up on the community. I fought this for most of today and like you, I can can use short lived certificate authentication with cloudflared and warp, but I’d very much like to ssh as root into a few instances.

The issue is pretty obviously that with cloudflared and warp the username is provided in the ssh [email protected]

It would be great if there was a “Prompt for username.” Setting for web ssh …

CleanShot 2023-03-28 at 23.45.55@2x
CleanShot 2023-03-28 at 23.45.55@2x1416×370 88.5 KB

Fingers crossed.

1 Like
11

My ADHD brain was bothered by the UX here. The “Prompt for username” should be “Prompt for SSH username in browser” and come under the “Browser rendering” selection …

CleanShot 2023-03-29 at 13.00.23@2x
CleanShot 2023-03-29 at 13.00.23@2x1690×548 60.3 KB

@otto better? BTW where would a feature request like this go? Since I’m on free and not PAYGO, it’s not something I can shoot to support … aaaannnd I just found Feedback. In my defense, I was looking for a “Feature Request” form ¯\_(ツ)_/¯