In one of the previous articles, I detailed how to SSH to any of your machines without port forwarding, using a secure Cloudflare Tunnel to do the job instead. It would be cool to integrate your Office 365 or Google account to authenticate and SSH as the user you want. Cloudflare Access then takes care of the SSH authentication, so you do not have to enter a password or key each and every time you log in after the tokens expire.
Scenario
I would use the web browser and navigate to the URL(s) that I specified so that I get terminal(s) to the machine(s) in my web browser. The login workflow is simple yet secure and leverages the SSO integration with AAD or Google to authenticate to the machines.
Details
Check out the previous article, set up the apps on the CF Zero Trust dashboard, and create the required tunnels.
An extra step here is to edit the Authentication methods for the apps and select the AAD and Google providers.
Let’s see in detail how to add the AAD and Google providers in the first place.
Google
- On the Google Cloud project home page, go to **APIs & Services** on the sidebar.
- Select **OAuth Consent Screen** on the left sidebar and create a consent screen. Choose **External** as the User Type, give the **App name**, add a **User support email**, and fill in the contact fields. Google Cloud Platform requires an email in your account.
- On the **APIs & Services** page, in the **Credentials** section of the sidebar, select **Create Credentials** > **OAuth client ID**, select **Web Application** as the application type, and give it a **Name**.
- For **Authorized JavaScript origins**, in the URIs field, enter your team domain. Your team domain can be found in the Cloudflare Zero Trust dashboard, under **Settings** > **General**.
- For **Authorized redirect URIs**, in the URIs field, enter your team domain with the path as follows:

  ```
  https://_your-team-name_.cloudflareaccess.com/cdn-cgi/access/callback
  ```

- Once you click **Create**, Google will provide the OAuth Client ID and Secret for you to add in the Cloudflare Zero Trust dashboard.
- Navigate to the Zero Trust dashboard and go to **Settings** > **Authentication**.
- Find the **Login Method** section, click **Add new**, and opt for **Google** under **Select an identity provider**.
- Feed in the Client ID and Secret that you obtained from the previous steps.
- Click **Save**.
- Verify the connection using **Test**; you should get a success message from CF: `Identity provider added successfully`.
AAD
- Navigate to **App registrations** on the AAD portal. Select **New registration**, give a **Name**, and choose **Accounts in this organizational directory only (Single tenant)**.
- For the **Redirect URI (optional)**, select **Web** as the platform and add the path as follows (your team domain can be found in the Cloudflare Zero Trust dashboard, under **Settings** > **General**):

  ```
  https://_your-team-name_.cloudflareaccess.com/cdn-cgi/access/callback
  ```

- Click **Register**.
- Copy the **Application (client) ID** and **Directory (tenant) ID**. You will need to input these values into the Cloudflare dashboard.
- From the sidebar, select **Certificates & Secrets** and create a **New client secret**. Select the expiration according to your policies, or select the maximum of 24 months.
- Copy the client secret **Value** provided by Microsoft. The portal displays it only once.
- From the sidebar, select **API Permissions** and **Add permission**; then, under the **Microsoft APIs** tab, select **Microsoft Graph**. Opt for **Delegated Permissions** and choose the following scopes:
  - openid
  - profile
  - offline_access
  - User.Read
  - Directory.Read.All
  - Group.Read.All
- If **Grant admin consent** is greyed out, contact the administrator, as your org may be restricting it; otherwise click **Grant admin consent for `<org>`**.
- Navigate to the Zero Trust dashboard and go to **Settings** > **Authentication**.
- Find the **Login Method** section, click **Add new**, and opt for **Azure AD** under **Select an identity provider**.
- Feed in the **Application ID**, **secret**, and **Directory ID** that you noted from the previous steps.
- Click **Save**.
Local usernames and SSO identities
A user’s Unix username should match their email address prefix: the short-lived certificates from Cloudflare are issued for the user’s email address prefix. If the user’s email is [email protected], they would log in to the SSH server as nevin. However, you can configure your SSH server daemon to accept principals that do not match the local username. So, for the email [email protected] to authenticate as the Linux user nj, edit the SSH server config, sshd_config, and add the following (sshd requires AuthorizedPrincipalsCommand to be an absolute path, so a bare `echo` is rejected at startup):

```
# Accept the certificate principal "nevin" (the e-mail prefix) for the local account "nj".
Match User nj
    AuthorizedPrincipalsCommand /bin/echo nevin
    AuthorizedPrincipalsCommandUser nobody
```
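The `echo` mapping above hard-codes one user. The script below is an added example (mine, not code from the original post or from Cloudflare) that generalises it to any number of users: sshd invokes it as `AuthorizedPrincipalsCommand /usr/local/sbin/cf-principals %u` (the `%u` token is the target username), and it prints the SSO principals allowed to log in as that local user, read from a mapping file. The script path, the mapping file `/etc/ssh/cf-principals.map` and its format are assumptions of this example. A local user without an entry falls back to their own name, which is Cloudflare's default of username equals email prefix.

```shell
#!/bin/sh
# Added example, not from the original post or from Cloudflare: a general
# replacement for the per-user "echo 'nevin'" mapping.  sshd_config lines:
#   AuthorizedPrincipalsCommand /usr/local/sbin/cf-principals %u
#   AuthorizedPrincipalsCommandUser nobody
# sshd accepts the certificate only if one of the printed lines equals a
# principal (the e-mail prefix) in the Cloudflare-issued certificate.
# Mapping file path and format are assumptions of this example:
#   "<local user> <principal> [<principal> ...]", '#' starts a comment.
PRINCIPALS_MAP="${PRINCIPALS_MAP:-/etc/ssh/cf-principals.map}"

# print_principals <local user>
# Prints the allowed principals for the user, one per line.  A user with no
# entry (or no readable mapping file) falls back to their own name, i.e. the
# default behaviour where the Unix username equals the e-mail prefix.
# Returns 1 for a name that is not a plain POSIX username.
print_principals() {
    user="$1"
    # The name comes from the login attempt; refuse anything unusual before it
    # reaches awk, so it can never be interpreted as a pattern or an option.
    case "$user" in
        ''|*[!a-zA-Z0-9._-]*|-*) return 1 ;;
    esac
    if [ -r "$PRINCIPALS_MAP" ]; then
        found=$(awk -v u="$user" '
            NF == 0 || $1 ~ /^#/ { next }          # skip blank and comment lines
            $1 == u { for (i = 2; i <= NF; i++) print $i; n = 1 }
            END { exit n ? 0 : 1 }' "$PRINCIPALS_MAP") && {
                printf '%s\n' "$found"
                return 0
            }
    fi
    printf '%s\n' "$user"
}

# When executed under the installed name, behave as the command sshd calls.
case "${0##*/}" in
    cf-principals) print_principals "$1" || exit 1 ;;
esac
```

Install it root-owned and not group- or world-writable, the same constraints sshd enforces on the AuthorizedPrincipalsCommand program itself. Because an unmapped user only ever resolves to their own name, a missing or incomplete mapping file cannot grant more than the default mapping does.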
Public key
- Navigate to the Zero Trust dashboard.
- From the sidebar, select **Access** > **Service Auth**. On the **SSH** tab, in the dropdown, choose the application that represents the secured server/service.
- Click **Generate certificate** and CF will provide the public key to be saved in the SSH config on your origin server.
- On the origin server, create a key file, for example:

  ```
  $ sudo nano /etc/ssh/cf-access.pub
  ```

- Paste the public key that you got from CF into `cf-access.pub` and save the file.
- Edit the SSH server config:

  ```
  $ sudo nano /etc/ssh/sshd_config
  ```

- Uncomment `# PubkeyAuthentication yes`.
- Add the line `TrustedUserCAKeys /etc/ssh/cf-access.pub`.
- Restart the SSH server:

  ```
  $ sudo systemctl restart ssh
  ```
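The steps above are manual edits in nano. As an added example (my script, not the post's or Cloudflare's), the following makes them repeatable: it sanity-checks the pasted CA key, writes it to `/etc/ssh/cf-access.pub`, sets `PubkeyAuthentication yes` and `TrustedUserCAKeys` exactly once as global options (above any `Match` block, since a line appended after a `Match` block applies only to that block), and validates the result with `sshd -t` before restarting. The function names and the key-shape check are assumptions of this example; the file paths are the ones used in the post.

```shell
#!/bin/sh
# Added example, not code from the original post or from Cloudflare: an
# idempotent version of the "cf-access.pub + PubkeyAuthentication +
# TrustedUserCAKeys + restart" steps.  Function names and the key-shape check
# are assumptions of this example; the file paths are the ones used in the post.

# looks_like_ssh_pubkey <line>
# Succeeds if the line has the shape "<keytype> <base64> [comment]" for a key
# type sshd accepts as a CA.  This only catches a truncated or HTML-wrapped
# paste before sshd chokes on it; it verifies nothing cryptographically.
looks_like_ssh_pubkey() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_ca_key <pubkey line> <dest>
# Writes the CA public key readable by sshd but writable only by its owner.
# Run as root so the trust anchor ends up root-owned.
install_ca_key() {
    looks_like_ssh_pubkey "$1" || { echo "refusing: not an SSH public key line" >&2; return 1; }
    printf '%s\n' "$1" > "$2" && chmod 0644 "$2"
}

# set_sshd_option <sshd_config> <Keyword> <value>
# Makes exactly one global line "Keyword value" effective: the first existing
# copy (commented or not) is replaced, further global copies are dropped, and
# if none exists the line is inserted before the first Match block, because a
# line appended after a Match block would apply only to that block.
set_sshd_option() {
    _cfg="$1"; _key="$2"; _val="$3"; _new="$1.new.$$"
    awk -v k="$_key" -v v="$_val" '
        # Normalise "#Keyword", "# Keyword" and "Keyword" to the lowercase keyword.
        function keyword(w) {
            w = $1
            if (w == "#") w = $2
            sub(/^#+/, "", w)
            return tolower(w)
        }
        BEGIN { lk = tolower(k) }
        tolower($1) == "match" { inmatch = 1 }
        !inmatch && keyword() == lk {
            if (!done) { print k " " v; done = 1 }   # first copy becomes the setting
            next                                     # later global copies are dropped
        }
        inmatch && !done { print k " " v; done = 1 } # no global copy: add before Match
        { print }
        END { if (!done) print k " " v }
    ' "$_cfg" > "$_new" && cat "$_new" > "$_cfg" && rm -f "$_new"
}

# configure_cf_access_ca <sshd_config> <ca pubkey file>
configure_cf_access_ca() {
    set_sshd_option "$1" PubkeyAuthentication yes &&
    set_sshd_option "$1" TrustedUserCAKeys "$2"
}

# Run as root on the origin server with the key from Access > Service Auth > SSH
# in CF_CA_KEY.  "sshd -t" validates the config before the daemon is restarted,
# so a typo cannot leave the server without a working sshd.
case "${0##*/}" in
    install-cf-access-ca.sh)
        install_ca_key "${CF_CA_KEY:?set CF_CA_KEY to the CA public key line}" /etc/ssh/cf-access.pub
        configure_cf_access_ca /etc/ssh/sshd_config /etc/ssh/cf-access.pub
        sshd -t && systemctl restart ssh ;;
esac
```

Running the script a second time changes nothing, so it is safe to re-run after rotating the CA key in the dashboard; only the contents of `cf-access.pub` change.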