Fix ssh-config short-lived-cert for subpath-ed hostnames #930

Open. Wants to merge 1 commit into base: master.

Conversation

@jeslinmx jeslinmx commented Apr 4, 2023

Fixes #923

@DevinCarr DevinCarr added the Area: Access Issue related with cloudflared access label Apr 6, 2023
@joliveirinha joliveirinha requested a review from jroyal December 14, 2023 16:25
@ajvpot ajvpot (Contributor) commented Dec 14, 2023

Is this subject to a race condition when configuring a host name like "*.mycompany.com"? I think connecting to two hosts at the same time with this patch could cause the wrong cert to be used.

@jeslinmx jeslinmx (Author) commented
Sorry, but I don't think I understand the potential problem you're describing. Could you give an example of 2 hostnames that might create such a clash?

@ajvpot ajvpot (Contributor) commented Dec 19, 2023

Sure, in this case I have configured access like so:

alex@Alexs-MacBook-Pro> cloudflared access ssh-config --hostname '*.mycorp.com' --short-lived-cert
Add to your /Users/alex/.ssh/config:

Match host *.mycorp.com exec "/Users/alex/bin/cloudflared access ssh-gen --hostname %h"
  ProxyCommand /Users/alex/bin/cloudflared access ssh --hostname %h
  IdentityFile ~/.cloudflared/%h-cf_key
  CertificateFile ~/.cloudflared/%h-cf_key-cert.pub

After this change the config would be:

Match host *.mycorp.com exec "/Users/alex/bin/cloudflared access ssh-gen --hostname %h"
  ProxyCommand /Users/alex/bin/cloudflared access ssh --hostname %h
  IdentityFile ~/.cloudflared/*.mycorp.com-cf_key
  CertificateFile ~/.cloudflared/*.mycorp.com-cf_key-cert.pub

This may cause problems when SSHing to multiple hosts that match that pattern and use different SSH CA public keys at the same time.
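The overwrite ajvpot describes, modelled as an added Python example (not cloudflared code): it derives the IdentityFile path each host resolves to under the original (%h) and patched (literal pattern) config, reports hosts that end up sharing a path, and replays an interleaving of ssh-gen and ssh runs to show which host's certificate each ssh actually reads. The host names, CF_DIR and the use of fnmatch to stand in for ssh's host-pattern globbing are assumptions.

```python
import fnmatch

CF_DIR = "~/.cloudflared"  # assumed: directory where cloudflared writes generated keys


def identity_file(host: str, pattern: str, literal_pattern: bool) -> str:
    """IdentityFile path ssh resolves for `host` inside a `Match host <pattern>` block.

    literal_pattern=False models the original config (path built from %h, the
    remote host name); literal_pattern=True models the patched config, where
    the pattern string itself is written into the path.
    """
    name = pattern if literal_pattern else host
    return f"{CF_DIR}/{name}-cf_key"


def key_paths(hosts, pattern, literal_pattern):
    """Map every host matched by `pattern` to its IdentityFile path.
    fnmatchcase approximates ssh's host-pattern globbing (* and ?)."""
    return {h: identity_file(h, pattern, literal_pattern)
            for h in hosts if fnmatch.fnmatchcase(h, pattern)}


def collisions(paths):
    """Return {path: [hosts]} for every path shared by more than one host."""
    by_path = {}
    for host, path in paths.items():
        by_path.setdefault(path, []).append(host)
    return {p: hs for p, hs in by_path.items() if len(hs) > 1}


def simulate(events, paths):
    """Replay interleaved ("gen", host) and ("use", host) events.

    "gen" models ssh-gen writing host's short-lived cert to its IdentityFile;
    "use" models ssh reading that file. Returns, per "use", which host's
    certificate was actually read (None if nothing was generated yet).
    """
    files = {}  # constructed stand-in for the filesystem: path -> owning host
    seen = []
    for action, host in events:
        if action == "gen":
            files[paths[host]] = host
        else:
            seen.append((host, files.get(paths[host])))
    return seen
```

With two hosts under "*.mycorp.com", the original config keeps one key file per host, while the patched config sends both hosts to the same file, so whichever ssh-gen ran last decides the cert that every matching ssh connection presents.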

Labels
Area: Access Issue related with cloudflared access
Development

Successfully merging this pull request may close these issues.

🐛 ssh-config w/ short-lived-cert thrown off by invalid characters in hostname