SSH The Secure Shell Protocol (SSH) enables users to remotely access devices through the command line. With Cloudflare Zero Trust, you can make your SSH server available over the Internet without the risk of opening inbound ports on the server.

Cloudflare offers four ways to secure SSH:

SSH with Access for Infrastructure (recommended) Self-managed SSH keys Browser-rendered SSH terminal SSH with client-side cloudflared (legacy) For an overview of these connection options, refer to non-HTTP applications.

SSH with Access for Infrastructure (recommended) Access for Infrastructure provides granular control over how users can connect to your SSH servers. This feature uses the same deployment model as WARP-to-Tunnel but unlocks more policy options and command logging functionality.

Furthermore, Access for Infrastructure replaces traditional SSH keys with short-lived certificates issued to your users based on the token generated by their Access login. In traditional models, users generate an SSH keypair and administrators grant access to individual SSH servers by deploying their users' public keys to those servers. These SSH keys can remain unchanged on these servers for months or years. Cloudflare Access removes the burden of managing SSH keys, while also improving security by replacing long-lived SSH keys with ephemeral SSH certificates.

1. Connect the server to Cloudflare Create a Cloudflare Tunnel for your server by following our dashboard setup guide. You can skip the connect an application step and go straight to connecting a network. In the Private Networks tab for the tunnel, enter the IP or CIDR address of your server. Typically this would be a private IP, but public IPs are also allowed.
2. Set up the client To connect your devices to Cloudflare:

Deploy the WARP client on your devices in Gateway with WARP mode. Enable the Gateway proxy for TCP. Create device enrollment rules to determine which devices can enroll to your Zero Trust organization. 3. Route server IPs through WARP By default, WARP excludes traffic bound for RFC 1918 space ↗, which are IP addresses typically used in private networks and not reachable from the Internet. In order for WARP to send traffic to your SSH server, you must configure Split Tunnels so that the IP/CIDR of your SSH server routes through WARP.

First, check whether your Split Tunnels mode is set to Exclude or Include mode.

If you are using Include mode, add your SSH server's IP/CIDR range to the list. Your list should also include the domains necessary for Cloudflare Zero Trust functionality.

If you are using Exclude mode:

a. Delete your SSH server's IP/CIDR range from the list. For example, if your network uses the default AWS range of 172.31.0.0/16, delete 172.16.0.0/12.

b. Re-add IP/CIDR ranges that are not explicitly used by your SSH server. For the AWS example above, you would add new entries for 172.16.0.0/13, 172.24.0.0/14, 172.28.0.0/15, and 172.30.0.0/16. This ensures that only traffic to 172.31.0.0/16 routes through WARP.

You can use the following calculator to determine which IP addresses to re-add:

Base CIDR: 172.16.0.0/12 Excluded CIDRs: 172.31.0.0/16,172.28.0.0/15 Calculate Results: 172.16.0.0/13, 172.24.0.0/14, 172.30.0.0/16 In Base CIDR, enter the RFC 1918 range that you deleted from Split Tunnels. In Excluded CIDRs, enter the IP/CIDR range used by your SSH server. Re-add the calculator results to your Split Tunnel Exclude mode list.

By tightening the private IP range included in WARP, you reduce the risk of breaking a user's access to local resources.

1. Add a target A target represents a single resource in your infrastructure (such as a server, Kubernetes cluster, database, or container) that users will connect to through Cloudflare.

Targets are protocol-agnostic, meaning that you do not need to define a new target for each protocol that runs on the server. To create a new target:

Dashboard API Terraform In Zero Trust ↗, go to Networks > Targets. Select Add a target. In Target hostname, enter a user-friendly name for the target resource. We recommend using the server hostname, for example production-server. The hostname does not need to be unique and can be reused for multiple targets. Hostnames are used to define the subset of targets included in an infrastructure application and are not used in DNS address resolution. Format restrictions In IP addresses, enter the IPv4 and/or IPv6 address of the target resource. The dropdown menu will not populate until you type in the full IP address. Note

If the target IP does not appear in the dropdown, go to Networks > Routes and confirm that the IP routes through Cloudflare Tunnel.

In the dropdown menu, select the IP address and virtual network where the resource is located. This IP address and virtual network pairing is now assigned to this target and cannot be reused in another target by design. Select Add target. Next, create an Access application to secure the target.

1. Add an infrastructure application Dashboard API Terraform (v4) In Zero Trust ↗, go to Access > Applications. Select Add an application. Select Infrastructure. Enter any name for the application. In Target criteria, select the target hostname(s) that will represent the application. The application definition will apply to all targets that share the selected hostname, including any targets added in the future. Enter the Protocol and Port that will be used to connect to the server. (Optional) If a protocol runs on more than one port, select Add new target criteria and reconfigure the same target hostname and protocol with a different port number. Note

Access for Infrastructure only supports assigning one protocol per port. You can reuse a port/protocol pairing across infrastructure applications, but the port cannot be reassigned to another protocol.

Select Next. To secure your targets, configure a policy that defines who can connect and how they can connect: Enter any name for your policy.

Create a rule that matches the users who are allowed to reach the targets. For more information, refer to Access policies and review the list of infrastructure policy selectors.

In Connection context, configure the following settings:

SSH user: Enter the UNIX usernames that users can log in as (for example, root or ec2-user). Allow users to log in as their email alias: (Optional) When selected, users who match your policy definition will be able to access the target using their lowercased email address prefix. For example, Jdoe@company.com could log in as jdoe. Note

Cloudflare will not create new users on the target. UNIX users must already be present on the server.

Select Add application. The targets in this application are now secured by your infrastructure policies.

Note

Gateway network policies take precedence over infrastructure policies. For example, if you block port 22 for all users in Gateway, then no one can SSH over port 22 to your targets.

1. Configure SSH server Next, configure your SSH server to trust the Cloudflare SSH CA. This allows Access to authenticate using short-lived certificates instead of traditional SSH keys.

Generate a Cloudflare SSH CA Note

Other short-lived CAs, such as those used to secure SSH servers behind Cloudflare Access, are incompatible with the Gateway SSH proxy. For SSH logging to work, you must create a new CA using the gateway_ca API endpoint.

To generate a Cloudflare SSH CA and get its public key:

Create an API token with the following permissions:

Type Item Permission Account Access: SSH Auditing Edit If you have not yet generated a Cloudflare SSH CA, make a POST request to the Cloudflare API:

Terminal window curl --request POST \ "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca" \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

If you have already created a Cloudflare SSH CA or receive the error message access.api.error.gateway_ca_already_exists, make a GET request instead:

Terminal window curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

Copy the public_key value returned in the response.

Save the public key Use the following command to change directories to the SSH configuration directory on the remote target machine:

Terminal window cd /etc/ssh

Once there, you can use the following command to both generate the file and open a text editor to input/paste the public key.

Terminal window vim ca.pub

In the ca.pub file, paste the public key without any modifications.

ca.pub ecdsa-sha2-nistp256 open-ssh-ca@cloudflareaccess.org

The ca.pub file can hold multiple keys, listed one per line. Empty lines and comments starting with # are also allowed.

Save the ca.pub file. In some systems, you may need to use the following command to force the file to save depending on your permissions:

Terminal window :w !sudo tee % :q!

Modify your SSHD config The following procedure makes two changes to the sshd_config file on the remote target machine. The first change requires that you uncomment a field already set in most default configurations; the second change adds a new field.

While staying within the /etc/ssh directory on the remote machine, open the sshd_config file.

Terminal window vim /etc/ssh/sshd_config

Go to the row named PubkeyAuthentication. In most default configurations, the row will appear commented out as follows:

PubkeyAuthentication yes

Remove the # symbol to uncomment the line:

PubkeyAuthentication yes

Add a new line below PubkeyAuthentication:

TrustedUserCAKeys /etc/ssh/ca.pub

Save the file and quit the editor. You might need to use the following command again to save and exit.

:w !sudo tee % :q!

Note

For certain distributions, such as Amazon Linux 1 (based on RHEL), the certificate file permissions must be set to 600. You can set file permissions with the following command:

Terminal window chmod 600 /etc/ssh/ca.pub

Restart your SSH server Once you have modified your SSHD configuration, restart the SSH service on the remote machine.

Debian/Ubuntu CentOS/RHEL For older Debian/Ubuntu versions:

Terminal window sudo service ssh restart

For newer Debian/Ubuntu versions:

Terminal window sudo systemctl restart ssh

1. Connect as a user Users can use any SSH client to connect to the target, as long as they are logged into the WARP client on their device. If the target is located within a particular virtual network, ensure that the WARP client is connected to that virtual network before initiating the connection. Users do not need to modify any SSH configs on their device. For example, to SSH from a terminal:

Terminal window ssh @

SSH with Access for Infrastructure also supports scp and rsync commands. At this time, sftp is not supported. Note that scp commands that utilize OpenSSH versions > 9.0 will not work at this time because OpenSSH 9.0+ leverages sftp to execute the command.

To learn more about user connections, refer to the Access for Infrastructure documentation.

SSH command logs SSH command logs contain the actual SSH commands that a user ran on the target. These logs are encrypted using a public key provided by the customer and are not visible to Cloudflare.

Enable SSH command logging To log SSH commands, you will need to generate an HPKE key pair and upload the public key to Cloudflare.

Download ↗ the Cloudflare ssh-log-cli utility.

Using the ssh-log-cli utility, generate a public and private key pair.

Terminal window ./ssh-log-cli generate-key-pair -o sshkey ls

README.md ssh-log-cli sshkey sshkey.pub

This command outputs two files, an sshkey.pub public key and a matching sshkey private key.

In Zero Trust ↗, go to Settings > Network.

In SSH encryption public key, paste the contents of sshkey.pub and select Save.

All proxied SSH commands are immediately encrypted using this public key. The matching private key is required to view logs.

Disable SSH command logging To turn off SSH command logging, delete your uploaded public key:

Dashboard API In Zero Trust ↗, go to Settings > Network > SSH encryption public key.

Select Remove.

Select Remove key to confirm.

Cloudflare will stop logging SSH commands to your targets, as well as any commands subject to Gateway Audit SSH policies.

View SSH logs SSH command logs are not visible from the dashboard itself and must be exported and decrypted.

To manually retrieve logs:

In Zero Trust ↗, go to Logs > Access. Select a user who was allowed to access the target. Select Download to download the session's command log. To decrypt the log, follow the instructions in the SSH Logging CLI repository ↗. In the following example, sshkey is the private key that matches the public key uploaded to Cloudflare.

Terminal window ./ssh-log-cli decrypt -i sshlog -k sshkey

This command outputs a sshlog-decrypted.zip file with the decrypted logs.

Enterprise customers can also export command logs using Logpush.

fuente https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/

Connect with self-managed SSH keys If you want to manage your own SSH keys, you can use Cloudflare Tunnel to create a secure, outbound-only connection from your server to Cloudflare's global network. This requires running the cloudflared daemon on the server (or any other host machine within the private network). Users with SSH keys that are trusted by the SSH server can access the server by installing the Cloudflare WARP client on their device and enrolling in your Zero Trust organization. Remote devices will be able to connect as if they were on your private network. By default, all devices enrolled in your organization can SSH to the server unless you build policies to allow or block specific users.

Note

If you want to create more granular access policies, allow Cloudflare to manage SSH keys for you, or to obtain command logs, consider using Access for Infrastructure instead.

This example walks through how to set up an SSH server on a Google Cloud Platform (GCP) virtual machine (VM), but you can use any machine that supports SSH connections.

1. Create an SSH key pair Before creating your VM instance you will need to create an SSH key pair.

Open a terminal and type the following command:

Terminal window ssh-keygen -t rsa -f ~/.ssh/gcp_ssh -C

Enter your passphrase when prompted. It will need to be entered twice.

Two files will be generated: gcp_ssh which contains the private key, and gcp_ssh.pub which contains the public key.

In the command line, enter:

Terminal window cat ~/.ssh/gcp_ssh.pub

Copy the output. This will be used when creating the VM instance in GCP.

1. Create a VM instance in GCP Now that the SSH key pair has been created, you can create a VM instance.

In your Google Cloud Console ↗, create a new project ↗. Go to Compute Engine > VM instances. Select Create instance. Name your VM instance, for example ssh-server. Scroll down to Advanced options > Security > Manage Access. Under Add manually generated SSH keys, select Add item and paste the public key that you have created. Select Create. Once your VM instance is running, open the dropdown next to SSH and select Open in browser window. Note

In order to be able to establish an SSH connection, do not enable OS Login ↗ on the VM instance.

1. Connect the server to Cloudflare Create a Cloudflare Tunnel for your server by following our dashboard setup guide. You can skip the connect an application step and go straight to connecting a network. In the Private Networks tab for the tunnel, enter the private IP or CIDR address of your server. In GCP, the server IP is the Internal IP of the VM instance.

(Optional) Set up Zero Trust policies to fine-tune access to your server.

1. Set up the client To connect your devices to Cloudflare:

Deploy the WARP client on your devices in Gateway with WARP mode or generate a proxy endpoint and deploy a PAC file. Create device enrollment rules to determine which devices can enroll to your Zero Trust organization. 5. Route private network IPs through WARP By default, WARP excludes traffic bound for RFC 1918 space ↗, which are IP addresses typically used in private networks and not reachable from the Internet. In order for WARP to send traffic to your private network, you must configure Split Tunnels so that the IP/CIDR of your private network routes through WARP.

First, check whether your Split Tunnels mode is set to Exclude or Include mode.

If you are using Include mode, add your private network's IP/CIDR range to the list. Your list should also include the domains necessary for Cloudflare Zero Trust functionality.

If you are using Exclude mode:

a. Delete your private network's IP/CIDR range from the list. For example, if your network uses the default AWS range of 172.31.0.0/16, delete 172.16.0.0/12.

b. Re-add IP/CIDR ranges that are not explicitly used by your private network. For the AWS example above, you would add new entries for 172.16.0.0/13, 172.24.0.0/14, 172.28.0.0/15, and 172.30.0.0/16. This ensures that only traffic to 172.31.0.0/16 routes through WARP.

You can use the following calculator to determine which IP addresses to re-add:

Base CIDR: 172.16.0.0/12 Excluded CIDRs: 172.31.0.0/16,172.28.0.0/15 Calculate Results: 172.16.0.0/13, 172.24.0.0/14, 172.30.0.0/16 In Base CIDR, enter the RFC 1918 range that you deleted from Split Tunnels. In Excluded CIDRs, enter the IP/CIDR range used by your private network. Re-add the calculator results to your Split Tunnel Exclude mode list.

By tightening the private IP range included in WARP, you reduce the risk of breaking a user's access to local resources.

1. Connect as a user Once you have set up the application and the user device, the user can now SSH into the machine using its private IP address. If your SSH server requires an SSH key, the key should be included in the command.

Terminal window ssh -i ~/.ssh/gcp_ssh @

fuente https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-warp-to-tunnel/