SSH Hostname Wildcard policies

I’m in the process of setting up and using Cloudflare Access for SSH connections to infrastructure. I would like to name hosts and connect to them via hostnames like server2.production.ssh.example.com or server512.dev.ssh.example.com and then gate SSH via Access policies scoped to .production.ssh.example.com or *.ssh.example.com.

It instead appears that I can use only one subdomain string (i.e., server2-production-ssh.example.com) and that Cloudflare Access “Applications” have to be created on a per-FQDN basis (one for server1-production-ssh.example.com, another for server2-production-ssh.example.com, etc.). Is my understanding correct? (Because five hundred applications, one for each SSH server, seems a bit much.)

I realize that the intention is probably to deploy all of this with something like Terraform, but it’s difficult to reason about and difficult to scale eyeballs when looking at deployed policies, or accurately reason about said policies, when there are hundreds of apps in the Cloudflare Access dashboard. Am I missing something?

Additionally, is it at all possible to add wildcard hostname configs to ~/.ssh/config when using short-lived certificates? I don’t (yet) know enough about SSH config syntax to be able to wildcard things into the cfpipe-hostname.example.com stanzas (especially since each hostname will again have its own short-lived cert name).

Here’s a sample ssh configuration for one server (using short-lived certs); according to the docs, I’d need to do this five hundred times for each server I needed ssh access to; I can’t believe that to be true:

Host cloudflaretest1.example.com
  ProxyCommand bash -c '/usr/local/bin/cloudflared access ssh-gen --hostname %h; ssh -tt %r@cfpipe-cloudflaretest1.example.com >&2 <&1'

Host cfpipe-cloudflaretest1.example.com
  HostName cloudflaretest1.example.com
  ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
  IdentityFile ~/.cloudflared/cloudflaretest1.example.com-cf_key
  CertificateFile ~/.cloudflared/cloudflaretest1.example.com-cf_key-cert.pub

Unless you’re on an Enterprise plan that can proxy a wildcard, I can’t imagine a way you could SSH to a wildcard subdomain here. And considering that your hostnames are pretty deep in subdomain territory, you’d most likely need ACM to handle certs for those hostnames.

The only person I know of who could come close to answering stuff like this is @cs-cf. I think @SamRhea also works on this.

SSH conf supports regex so on the client side in this scenario it sounds like the client could be configured pretty simply. On the Cloudflare side see https://blog.cloudflare.com/access-wildcard-subdomain

Would you need 500 DNS entries if not on an ENT plan? Sure… but since no one is spinning up 500 hosts without automation, Terraform or the JSON-based API endpoint would be in play, I imagine.

2 Likes
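
An added example, not part of the original thread: one way to generate the per-host stanza pair from the question for a whole inventory instead of writing it by hand. The `cloudflared` path and key file names are taken from the sample above; the function names and the sample host list are constructed for illustration. Hostnames are validated first because each one is embedded in a `bash -c` string.

```python
import re

# Assumption: binary path and key naming follow the sample stanza in the question.
CLOUDFLARED = "/usr/local/bin/cloudflared"

# Strict DNS-name check. Each hostname ends up inside a `bash -c '...'` string,
# so anything other than letters, digits, hyphens and dots is rejected.
_LABEL = r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
_FQDN = re.compile(rf"^{_LABEL}(\.{_LABEL})+$")


def validate(hostname):
    """Return the normalised hostname or raise ValueError."""
    name = hostname.strip().lower()
    if len(name) > 253 or not _FQDN.match(name):
        raise ValueError(f"not a plain DNS hostname: {hostname!r}")
    return name


def stanza(hostname):
    """Render the ssh-gen stanza and its cfpipe- companion for one host."""
    h = validate(hostname)
    return "\n".join([
        f"Host {h}",
        f"  ProxyCommand bash -c '{CLOUDFLARED} access ssh-gen --hostname %h; "
        f"ssh -tt %r@cfpipe-{h} >&2 <&1'",
        "",
        f"Host cfpipe-{h}",
        f"  HostName {h}",
        f"  ProxyCommand {CLOUDFLARED} access ssh --hostname %h",
        f"  IdentityFile ~/.cloudflared/{h}-cf_key",
        f"  CertificateFile ~/.cloudflared/{h}-cf_key-cert.pub",
        "",
    ])


def render(hostnames):
    """Render stanzas for a de-duplicated, sorted inventory."""
    unique = sorted({validate(h) for h in hostnames})
    return "\n".join(stanza(h) for h in unique)


# Constructed sample inventory, using the hostnames from the question.
SAMPLE_HOSTS = [
    "server2.production.ssh.example.com",
    "server512.dev.ssh.example.com",
]

if __name__ == "__main__":
    print(render(SAMPLE_HOSTS))
```

The output can be written to its own file and pulled into `~/.ssh/config` with an `Include` line, so the generated stanzas stay separate from hand-edited ones.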