SSH with short lived certificates: "invalid character '<' looking for beginning of value"

I’ve set up cloudflare SSH with short lived certificates today. Seems to work. But when I ssh from the command line, the first line of output on the command line is occasionally:

“invalid character ‘<’ looking for beginning of value”

It doesn’t actually cause a problem – the ssh session works afterward. But it seems suspicious.

It’s intermittent. Happens perhaps 1 in 10 attempts or so.

Anyone else experiencing this? Seems like a bug somewhere in cloudflare’s infrastructure.

It may be worth doing an SSH connection with the -v

It may help indicate where this flag is coming from.

EG:

ssh -v [email protected]_ADDRESS

I haven’t heard or seen something inside the Cloudflare network to indicate an ever-reaching issue.

Not much more informative, unfortunately.

% ssh -v [redacted1]

OpenSSH_8.1p1, LibreSSL 2.7.3

debug1: Reading configuration data /Users/[redacted2]/.ssh/config

debug1: /Users/[redacted2]/.ssh/config line 14: Applying options for [redacted1]

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: /etc/ssh/ssh_config line 47: Applying options for *

debug1: Executing proxy command: exec bash -c ‘/opt/homebrew/bin/cloudflared access ssh-gen --hostname [redacted3]; ssh -tt [redacted4]@cfpipe-[redacted3] >&2 <&1’

debug1: identity file /Users/[redacted2]/.ssh/id_rsa type 0

debug1: identity file /Users/[redacted2]/.ssh/id_rsa-cert type -1

debug1: identity file /Users/[redacted2]/.ssh/id_dsa type -1

debug1: identity file /Users/[redacted2]/.ssh/id_dsa-cert type -1

debug1: identity file /Users/[redacted2]/.ssh/id_ecdsa type -1

debug1: identity file /Users/[redacted2]/.ssh/id_ecdsa-cert type -1

debug1: identity file /Users/[redacted2]/.ssh/id_ed25519 type -1

debug1: identity file /Users/[redacted2]/.ssh/id_ed25519-cert type -1

debug1: identity file /Users/[redacted2]/.ssh/id_xmss type -1

debug1: identity file /Users/[redacted2]/.ssh/id_xmss-cert type -1

debug1: Local version string SSH-2.0-OpenSSH_8.1

invalid character ‘<’ looking for beginning of value

A browser window should have opened at the following URL:

It seems that it’s the “cloudflared access ssh-gen --hostname [redacted1]” command that’s outputting “invalid character ‘<’ looking for beginning of value”. When I invoke it directly, it occasionally is outputting “invalid character ‘<’ looking for beginning of value”.

Is there a way to increase the verbosity of the logging on the “cloudflared access…” command?

@MoreHelp could you take a look?

You may get some more useful output with ssh -vv. It seems like something isn’t escaping correctly in the configuration. If you could provide the redacted output for ssh -vv when you are able to replicate that may provide the information needed here.

You can also add --loglevel debug to your cloudflared access command to get the debug output.

ssh -vv seems like it’s barking up the wrong tree. I can reproduce the problem when I invoke cloudflared directly.

I’ve tried loglevel trace and loglevel debug. Neither gives additional output.

bash-3.2$ cloudflared --loglevel debug access ssh-gen --hostname [redacted1]
invalid character ‘<’ looking for beginning of value

bash-3.2$ cloudflared --loglevel trace access ssh-gen --hostname [redacted1]
invalid character ‘<’ looking for beginning of value

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.