Getting current Zero Trust user from an SSH session via Tunnel

I’ve been using Cloudflare Tunnels to SSH from my machine to a server, with the cloudflared approach described here: SSH · Cloudflare Zero Trust docs

Everything is working fine. When I try to SSH into my server, the browser opens, I authenticate myself through Cloudflare Zero Trust ([email protected]) and then the SSH connection is established.

Now, let’s say that I’m trying to connect to my SSH server using the user luis, as in ssh -i key.pem [email protected]. Let’s also say that, via /etc/passwd, I defined that the “shell” for luis is a custom script called myscript.sh.

I’ve been successfully doing that for a while now too, but the question is: In myscript.sh, how could I get from Cloudflare which Zero Trust user is SSHing into the server? That is, how could myscript.sh know that the user authenticated via Zero Trust is in fact [email protected]?

Unless you are using short-lived certificates (which will always ensure that the username of the email address matches the username in the Linux operating system), I don’t think the conventional method will allow Cloudflare to pass the authenticated user information to the tunnel that eventually passes to your custom script.


Since this isn’t an HTTP connection, there are no passed headers.

I mean, you could run whoami, but that’s obvious?

Otherwise, I’d defer to the Access Logs on who is connecting. ZT Dash → Logs → Access

Would you know if I could then cross-reference the Access Logs from ZT Dash with a specific SSH session established through cloudflared, joining both of them on an id/token of some sort?
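As an added example (not from this thread, nor Cloudflare's or OpenSSH's own tooling) of the cross-referencing asked about above: a Python script that joins constructed sshd auth.log lines against constructed Access log records on the Linux username and the timestamp, assuming short-lived certificates (so the Linux user equals the local part of the Zero Trust email), syslog timestamps in UTC, and assumed field names for the Access records.

```python
import re
from datetime import datetime, timezone

# Constructed sshd auth.log lines for a host reached through cloudflared. The tunnel
# terminates locally, so sshd records 127.0.0.1 as the peer: the source IP cannot be
# used to join against Access; only the username and the timestamp can.
SSHD_LOG = """\
Jun 12 14:03:11 srv sshd[2211]: Accepted publickey for luis from 127.0.0.1 port 51234 ssh2: ED25519-CERT SHA256:k1 ID luis (serial 42) CA ED25519 SHA256:ca1
Jun 12 14:20:40 srv sshd[2290]: Accepted publickey for root from 127.0.0.1 port 51300 ssh2: ED25519-CERT SHA256:k2 ID root (serial 43) CA ED25519 SHA256:ca1
Jun 12 14:20:41 srv sshd[2291]: Accepted publickey for luis from 10.0.0.9 port 40000 ssh2: ED25519 SHA256:k3
"""
# Constructed Access log records; the field names are assumptions, not Cloudflare's schema.
ACCESS_LOG = [
    {"email": "luis@example.com", "ts": "2024-06-12T14:03:05Z"},
    {"email": "maria@example.com", "ts": "2024-06-12T14:20:35Z"},
]
SSHD_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>[\d:]{8}) \S+ sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: (?P<key>.*)$"
)

def parse_sshd(text, year=2024):
    """Yield (timestamp, user, is_cert) for accepted logins; syslog assumed to be UTC."""
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        yield ts.replace(tzinfo=timezone.utc), m["user"], "-CERT " in m["key"]

def correlate(sshd_text, access_records, window_s=120):
    """Attach the Zero Trust email to each sshd login when an Access login with the
    same local part as the Linux user happened at most window_s seconds earlier."""
    access = [(datetime.fromisoformat(r["ts"].replace("Z", "+00:00")), r["email"])
              for r in access_records]
    results = []
    for ts, user, is_cert in parse_sshd(sshd_text):
        best = None  # (seconds between Access login and SSH login, email)
        for ats, email in access:
            delta = (ts - ats).total_seconds()
            if email.split("@")[0] == user and 0 <= delta <= window_s:
                if best is None or delta < best[0]:
                    best = (delta, email)
        results.append({"user": user, "cert": is_cert, "email": best[1] if best else None})
    return results

if __name__ == "__main__":
    for r in correlate(SSHD_LOG, ACCESS_LOG):
        flag = "" if r["email"] and r["cert"] else "  <-- review: no Access login or no cert"
        print(r, flag)
```

A certificate login with no matching Access record, or a plain-key login that bypassed the tunnel entirely (the 10.0.0.9 line), is exactly what the flag column is meant to surface for review.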