Issue using browser rendered SSH through CF Tunnel

What is the name of the domain?

example.com

What is the error number?

N/A

What is the error message?

An unexpected error has occurred. Our team has been notified.

What is the issue you’re encountering?

When attempting to access ssh.example.com on my domain – which USED to work – I am now being met with this error.

What steps have you taken to resolve the issue?

I have attempted to recreate the subdomain + access policy, to no avail. This was working for some time, and stopped working seemingly with no intervention.

What are the steps to reproduce the issue?

  1. Visit ssh.mydomain.com
  2. Login with Google
  3. See error: An unexpected error has occurred. Our team has been notified.

2 Likes

I’m also seeing the same behavior for the past couple of days without any change on my side; everything else (HTTP tunnels) is working through the tunnel.

1 Like

Just to add: no messages are shown in the cloudflared logs.

I have figured it out.
It turns out, at least in my case, the OpenSSH version of the host I’m connecting to (QNAP NAS) was updated to OpenSSH 9.8p1 and it deprecated many “HostKeyAlgorithm”; the only ones supported by default are now rsa-sha2-256 and rsa-sha2-512.
Cloudflare browser rendered SSH does not support those two algorithms, so the connection drops immediately, failing negotiation.
As a workaround, I had to re-enable some legacy HostKeyAlgorithms in my server sshd_config (Cloudflare offered: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],ssh-ed25519,ssh-rsa) and now the connection is working again.
It works as a temporary workaround, but I think Cloudflare browser SSH should start supporting the two additional key host types if those are now default: rsa-sha2-256 and rsa-sha2-512.

1 Like
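
An added example, not part of any post above: a way to confirm the host key algorithm mismatch described in the last post from `ssh -vv` output, since the cloudflared logs show nothing. The debug excerpt is constructed, the function names are hypothetical, and the client list is the one quoted in the post minus the three entries the page shows only in obfuscated form.

```shell
#!/usr/bin/env bash
# Constructed sample: excerpt of `ssh -vv user@host` output for a server that
# offers only the two RSA/SHA-2 host key algorithms named in the post.
SAMPLE_DEBUG='debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256'

# Client-side list as quoted in the post (obfuscated entries left out).
CF_OFFERED='ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa'

# Read ssh -vv output on stdin and print the host key algorithms from the
# *peer server* proposal, skipping the local client's own proposal.
server_hostkey_algs() {
  awk '/peer server KEXINIT proposal/ { peer = 1; next }
       peer && /host key algorithms:/ {
         sub(/.*host key algorithms: */, ""); print; exit
       }'
}

# Simplified form of the RFC 4253 section 7.1 rule: the first algorithm on the
# client's list that the server also offers is chosen.
# $1 = client list, $2 = server list (both comma-separated).
# Prints the chosen algorithm, or returns 1 when the lists do not overlap.
negotiate_hostkey() {
  local alg
  local IFS=','
  for alg in $1; do
    case ",$2," in
      *",$alg,"*) printf '%s\n' "$alg"; return 0 ;;
    esac
  done
  return 1
}

# Demo on the constructed sample.
srv=$(printf '%s\n' "$SAMPLE_DEBUG" | server_hostkey_algs)
echo "server offers: $srv"
negotiate_hostkey "$CF_OFFERED" "$srv" \
  || echo "no mutual host key algorithm: negotiation fails"
```

If the server also offered `ssh-ed25519`, which is on the list quoted in the post, the same call returns `ssh-ed25519`, so the SHA-1 based `ssh-rsa` would not need to be re-enabled.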