Browser-rendered SSH terminal issue

I have a different username on the Linux server from the Cloudflare Access user email prefix. I followed the setup guide to configure the principals on the server, and am able to connect in a local terminal using cloudflared.

However, in the browser-rendered terminal, the short-lived certificate authentication is only used once, right after the page is loaded (after the user has authenticated); it automatically uses the user’s email prefix as the username and fails as expected. Then the browser page asks the user to provide a username to log in, but it does not try the short-lived certificate again with the provided username; instead it prompts the user to enter credentials.

It is a bad design because that makes the browser-rendered terminal useless if the user’s Linux username is not the same as their email prefix.

There is a section in the docs for having different usernames:

Advanced setup: Differing usernames

I have followed this section, and am able to get a different username working in the CLI via cloudflared, but not using the browser-rendered terminal. That is the problem.

What does the Match user section of your /etc/ssh/sshd_config file look like?

I have the same issue. In my /etc/ssh/sshd_config I have (usernames changed to be more clear):

Match user linuxuser
AuthorizedPrincipalsCommand echo 'emailprefix'
AuthorizedPrincipalsCommandUser nobody

In my auth.log I just get “Invalid user emailprefix from ::1”

Using cloudflared I don’t have this issue because I just specify linuxuser in the ssh command line.
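The per-user `Match user` blocks quoted above hard-code one principal per Linux account. As an added example (not from the thread or from Cloudflare's documentation), the same server-side mapping can live in one lookup script that sshd calls with `%u`; the script path, the map file path and the map format are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical helper, not code from this thread or from Cloudflare.
# Assumed sshd_config use (sshd requires an absolute path to a root-owned
# program that is not writable by group or others):
#   AuthorizedPrincipalsCommand /usr/local/bin/cf-principals %u
#   AuthorizedPrincipalsCommandUser nobody
#
# Assumed map file format, one Linux account per line:
#   linuxuser: emailprefix [emailprefix ...]

PRINCIPALS_MAP="${PRINCIPALS_MAP:-/etc/ssh/cf_principals.map}"

# Print the certificate principals accepted for Linux user $1, one per line.
# No output means sshd accepts no certificate principal for that account.
principals_for() {
    user=$1
    map=${2:-$PRINCIPALS_MAP}
    # Fail closed on anything that is not a plain lowercase account name.
    case $user in
        ''|*[!a-z0-9_.-]*) return 1 ;;
    esac
    [ -r "$map" ] || return 1
    awk -v u="$user" '
        $1 == "" || $1 ~ /^#/ { next }   # skip blank lines and comments
        {
            key = $1
            sub(/:$/, "", key)           # "linuxuser:" -> "linuxuser"
            if (key != u) next
            for (i = 2; i <= NF; i++) print $i
        }' "$map"
}

# When run as a script, sshd passes the requested login name (%u) as $1.
if [ "$#" -ge 1 ]; then
    principals_for "$1"
fi
```

This covers only which principals sshd accepts for an account that exists; the login name itself still comes from the client.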

I’m having the same issue. If I add a Linux user matching my Cloudflare login e-mail prefix, browser access works fine. I cannot log in as another user like I can with cloudflared. I’m testing with the following in my sshd_config:


AuthorizedPrincipalsCommand /bin/bash -c "echo '%t %k' | ssh-keygen -L -f - | grep -A1 Principals"
AuthorizedPrincipalsCommandUser nobody

Just another me too. I have the same problem. I cannot log into another user even following the instructions.

This is why I signed up on the community. I fought this for most of today and, like you, I can use short-lived certificate authentication with cloudflared and warp, but I’d very much like to ssh as root into a few instances.

The issue is pretty obviously that with cloudflared and warp the username is provided in the ssh [email protected]

It would be great if there was a “Prompt for username” setting for web ssh …

Fingers crossed.

My ADHD brain was bothered by the UX here. The “Prompt for username” should be “Prompt for SSH username in browser” and come under the “Browser rendering” selection …

@otto better? BTW where would a feature request like this go? Since I’m on free and not PAYGO, it’s not something I can shoot to support … aaaannnd I just found Feedback. In my defense, I was looking for a “Feature Request” form ¯\_(ツ)_/¯