I have different username on Linux server with the Cloudflare Access user email prefix. I followed the setup guide (https://developers.cloudflare.com/cloudflare-one/identity/users/short-lived-certificates) to configure the principals in the server, and is able to connect in local terminal using cloudflared.
However, in the browser-rendered terminal, the short-lived certificates authentication will only be used once right after the page is load ( after user authenticated), it will automatically use userâs email prefix as username and fails as expected. Then, the browser page asked user to provide a username to login, but it will not try short-lived certificate again with the provided username again, but prompt user to enter credential.
It is a bad design because that makes the browser-rendered terminal useless if the userâs Linux username is not the same as their email prefix.
I have followed this section, and is able to get different username working in CLI via cloudflared, but not using the browser rendered terminal. That is the problem.
Iâm having the same issue. If I add a linux user matching my Cloudflare login e-mail prefix browser access works fine. I can not log in as another user like I can with cloudflared. Iâm testing with the following in my sshd_config
This is why I signed up on the community. I fought this for most of today and like you, I can can use short lived certificate authentication with cloudflared and warp, but Iâd very much like to ssh as root into a few instances.
The issue is pretty obviously that with cloudflared and warp the username is provided in the ssh [email protected]
It would be great if there was a âPrompt for username.â Setting for web ssh âŚ
My ADHD brain was bothered by the UX here. The âPrompt for usernameâ should be âPrompt for SSH username in browserâ and come under the âBrowser renderingâ selection âŚ
@otto better? BTW where would a feature request like this go? Since Iâm on free and not PAYGO, itâs not something I can shoot to support ⌠aaaannnd I just found Feedback. In my defense, I was looking for a âFeature Requestâ form ÂŻ\_(ă)_/ÂŻ