Getting current Zero Trust user from a SSH session via Tunnel

I’ve been using Cloudflare Tunnels to SSH from my machine to a server, with the cloudflared approach described here: SSH · Cloudflare Zero Trust docs

Everything is working fine. When I try to SSH into my server, the browser opens, I authenticate myself through Cloudflare Zero Trust ([email protected]) and then the SSH connection is established.

Now, let’s say that I’m trying to connect to my SSH server using the user luis, as in ssh -i key.pem [email protected]. Let’s also say that, via /etc/passwd I defined that the “shell” for luis is a custom script called myscript.sh.

I’ve been successfully doing that for a while now too, but the question is: In myscript.sh, how could I get from Cloudflare which Zero Trust user is SSHing into the server? That is, how could myscript.sh know that the user authenticated via Zero Trust is in fact [email protected]?

Unless you are using short-lived certificates - which will always ensure that the username of the email address will match the username in Linux operating system, I don’t think the conventional method will allow Cloudflare to pass the authenticated user information to the tunnel that eventually passes to your custom script.

Since this isn’t an HTTP connection their are no passed headers.

I mean, you could run whoami but thats obvious?

Otherwise, I’d defer to the Access Logs on who is connecting. ZT Dash → Logs → Access

Would you know if I could then cross reference the Access Logs from ZT Dash with a specific SSH session established through cloudflared joining both of them on a id/token of some sort?