SSH with Access for Infrastructure (recommended)

Access for Infrastructure uses the same deployment model as WARP-to-Tunnel but unlocks more granular policy options and command logging functionality.

Furthermore, Access for Infrastructure replaces traditional SSH keys with short-lived certificates issued to your users based on the token generated by their Access login. In traditional models, users generate an SSH keypair and administrators grant access to individual SSH servers by deploying their users’ public keys to those servers. These SSH keys can remain unchanged on these servers for months or years. Cloudflare Access removes the burden of managing SSH keys, while also improving security by replacing long-lived SSH keys with ephemeral SSH certificates.

1. Connect the server to Cloudflare

1. Create a Cloudflare Tunnel for your server by following our dashboard setup guide. You can skip the connect an application step and go straight to connecting a network.

2. In the Private Networks tab for the tunnel, enter the private IP address of your server (or a range that includes the server IP).

2. Set up the client

To connect your devices to Cloudflare:

1. Deploy the WARP client on your devices in Gateway with WARP mode.
2. Enable the Gateway proxy for TCP.
3. Create device enrollment rules to determine which devices can enroll to your Zero Trust organization.

3. Route private network IPs through WARP

By default, WARP excludes traffic bound for RFC 1918 space ↗, which are IP addresses typically used in private networks and not reachable from the Internet. In order for WARP to send traffic to your private network, you must configure Split Tunnels so that the IP/CIDR of your private network routes through WARP.

1. First, check whether your Split Tunnels mode is set to Exclude or Include mode.

2. If you are using Include mode, add your network’s IP/CIDR range to the list. Your list should also include the domains necessary for Cloudflare Zero Trust functionality.

3. If you are using Exclude mode:

   1. Delete your network’s IP/CIDR range from the list. For example, if your network uses the default AWS range of 172.31.0.0/16, delete 172.16.0.0/12.
   2. Re-add IP/CDIR ranges that are not explicitly used by your private network. For the AWS example above, you would add new entries for 172.16.0.0/13, 172.24.0.0/14, 172.28.0.0/15, and 172.30.0.0/16. This ensures that only traffic to 172.31.0.0/16 routes through WARP.

By tightening the private IP range included in WARP, you reduce the risk of breaking a user’s access to local resources.

4. Add a target

A target represents a single resource in your infrastructure (such as a server, Kubernetes cluster, database, or container) that users will connect to through Cloudflare. Targets are protocol-agnostic, meaning that you do not need to define a new target for each protocol that runs on the server.

To create a new target:

Dashboard

1. In Zero Trust ↗, go to Networks > Targets.
2. Select Add a target.
3. In Target hostname, enter a user-friendly name for the target resource. We recommend using the server hostname, for example production-server. The hostname does not need to be unique and can be reused for multiple targets. Hostnames are used to define the subset of targets included in an infrastructure application and are not used in DNS address resolution.

   Format restrictions

   • Case insensitive
   • Contain no more than 253 characters
   • Contain only alphanumeric characters, -, or . (no spaces allowed)
   • Start and end with an alphanumeric character
4. In IP addresses, enter the private IPv4 and/or IPv6 address of the target resource. If the IP address overlaps across multiple private networks, select the virtual network where the resource is located. This IP address and virtual network pairing is now assigned to this target and cannot be reused in another target by design.

IP address requirements

• Public IPs are not currently supported.
• The IP address must be reachable through Cloudflare Tunnel.
• You must input the full IP address. The selector in the UI does not do partial matches.

5. Select Add target.

API

1. Create an API token with the following permissions:

   Type	Item	Permission
   Account	Zero Trust	Edit

2. Make a POST request to the Infrastructure Access Targets endpoint:

   curl https://api.cloudflare.com/client/v4/accounts/{account_id}/infrastructure/targets \
   --header "Authorization: Bearer <API_TOKEN>" \
   --data '{
     "hostname": "infra-access-target",
     "ip": {
       "ipv4": {
         "ip_addr": "187.26.29.249",
         "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
       },
       "ipv6": {
         "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
         "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
       }
     }
   }'

Terraform

Configure the cloudflare_infrastructure_access_target ↗ resource:

resource "cloudflare_infrastructure_access_target" "infra-ssh-target" {
  account_id = "f037e56e89293a057740de681ac9abbe"
    hostname   = "infra-access-target"
    ip = {
      ipv4 = {
         ip_addr = "187.26.29.249"
         virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
       }
      ipv6 = {
        ip_addr = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0"
        virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    }
}

Next, create an infrastructure application to secure the target.

5. Add an infrastructure application

Dashboard

1. In Zero Trust ↗, go to Access > Applications.
2. Select Add an application.
3. Select Infrastructure.
4. Enter any name for the application.
5. In Target criteria, select the target hostname(s) that will represent the application. The application definition will apply to all targets that share the selected hostname, including any targets added in the future.
6. Enter the Protocol and Port that will be used to connect to the server.
7. (Optional) If a protocol runs on more than one port, select Add new target criteria and reconfigure the same target hostname and protocol with a different port number.

   Note

   Access for Infrastructure only supports assigning one protocol per port. You can reuse a port/protocol pairing across infrastructure applications, but the port cannot be reassigned to another protocol.

8. Select Next.
9. To secure your targets, configure a policy that defines who can connect and how they can connect:
   1. Enter any name for your policy.
   2. Create a rule that matches the users who are allowed to reach the targets. For more information, refer to Access policies and review the list of infrastructure policy selectors.
   3. In Connection context, enter the UNIX usernames that users can log in as (for example, root or ec2-user).
10. Select Add application.

API

1. Create an API token with the following permissions:

   Type	Item	Permission
   Account	Access: Apps & Policies	Edit

2. Make a POST request to the Access applications endpoint:

   curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps \
   --header "Authorization: Bearer <API_TOKEN>" \
   --header "Content-Type: application/json" \
   --data '{
     "name": "Example infrastructure app",
     "type": "infrastructure",
     "target_criteria": [
       {
         "target_attributes": {
           "hostname": [
             "infra-access-target"
           ]
         },
         "port": 22,
         "protocol": "SSH"
       }
     ],
     "policies": [
       {
         "name": "Allow a specific email",
         "decision": "allow",
         "include": [
           {
             "email": {
               "email": "jdoe@company.com"
             }
           }
         ],
         "connection_rules": {
           "ssh": {
             "usernames": [
               "root",
               "ec2-user"
             ]
           }
         }
       }
     ]
   }'

Terraform

1. Use the cloudflare_zero_trust_access_application ↗ resource to create an infrastructure application:

   resource "cloudflare_zero_trust_access_application" "infra-app" {
     account_id = "f037e56e89293a057740de681ac9abbe"
     name       = "Example infrastructure app"
     type       = "infrastructure"
   
     target_criteria {
       port     = 22
       protocol = "SSH"
       target_attributes {
         name = "hostname"
         values = ["infra-access-target"]
       }
     }
   }

2. Use the cloudflare_zero_trust_access_policy ↗ resource to add an infrastructure policy to the application:

   resource "cloudflare_zero_trust_access_policy" "infra-app-policy" {
     application_id = cloudflare_zero_trust_access_application.infra-app.id
     account_id = "f037e56e89293a057740de681ac9abbe"
     name       = "Allow a specific email"
     decision   = "allow"
     precedence = 1
   
     include {
       email = ["jdoe@company.com"]
     }
   
     connection_rules {
       ssh {
         usernames = ["root", "ec2-user"]
       }
     }
   }

The targets in this application are now secured by your infrastructure policies.

Note

Gateway network policies take precedence over infrastructure policies. For example, if you block port 22 for all users in Gateway, then no one can SSH over port 22 to your targets.

6. Configure SSH server

Next, configure your SSH server to trust the Cloudflare SSH CA. This allows Access to authenticate using short-lived certificates instead of traditional SSH keys.

Generate a Cloudflare SSH CA

Note

Other short-lived CAs, such as those used to secure SSH servers behind Cloudflare Access, are incompatible with the Gateway SSH proxy. For SSH logging to work, you must create a new CA using the gateway_ca API endpoint.

To generate a Cloudflare SSH CA and get its public key:

1. Create an API token with the following permissions:

   Type	Item	Permission
   Account	Access: SSH Auditing	Edit

2. If you have not yet generated a Cloudflare SSH CA, make a POST request to the Cloudflare API:

   curl --request POST \
   "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca" \
   --header "Authorization: Bearer <API_TOKEN>"

3. If you have already created a Cloudflare SSH CA or receive the error message access.api.error.gateway_ca_already_exists, make a GET request instead:

   curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca \
   --header "Authorization: Bearer <API_TOKEN>"

4. Copy the public_key value returned in the response.

Save the public key

1. Use the following command to change directories to the SSH configuration directory on the remote target machine:

   cd /etc/ssh

2. Once there, you can use the following command to both generate the file and open a text editor to input/paste the public key.

   vim ca.pub

3. In the ca.pub file, paste the public key without any modifications.

   The ca.pub file can hold multiple keys, listed one per line. Empty lines and comments starting with # are also allowed.

4. Save the ca.pub file. In some systems, you may need to use the following command to force the file to save depending on your permissions:

   :w !sudo tee %
   :q!

Modify your SSHD config

The following procedure makes two changes to the sshd_config file on the remote target machine. The first change requires that you uncomment a field already set in most default configurations; the second change adds a new field.

1. While staying within the /etc/ssh directory on the remote machine, open the sshd_config file.

   vim /etc/ssh/sshd_config

2. Go to the row named PubkeyAuthentication. In most default configurations, the row will appear commented out as follows:

   # PubkeyAuthentication yes

3. Remove the # symbol to uncomment the line; keep the setting yes enabled.

4. Next, add a new line below PubkeyAuthentication as follows:

   TrustedUserCAKeys /etc/ssh/ca.pub

   Save the file and quit the editor. You might need to use the following command again to save and exit.

   :w !sudo tee %
   :q!

Note

For certain distributions, such as Amazon Linux 1 (based on RHEL), the certificate file permissions must be set to 600. You can set file permissions with the following command:

chmod 600 /etc/ssh/ca.pub

Restart your SSH server

Once you have modified your SSHD configuration, restart the SSH service on the remote machine.

Debian/Ubuntu

For older Debian/Ubuntu versions:

sudo service ssh restart

For newer Debian/Ubuntu versions:

sudo systemctl restart ssh

CentOS/RHEL

For CentOS/RHEL 6 and older:

sudo service sshd restart

For CentOS/RHEL 7 and newer:

sudo systemctl restart sshd

7. Connect as a user

Users can use any SSH client to connect to the target, as long as they are logged into the WARP client on their device. If the target is located within a particular virtual network, ensure that the WARP client is connected to that virtual network before initiating the connection. Users do not need to modify any SSH configs on their device. For example, to SSH from a terminal:

ssh <username>@<target IP>

SSH with Access for Infrastructure also supports scp and rsync commands. At this time, sftp is not supported.

For more information, refer to the Access for Infrastructure documentation.

SSH command logs

SSH command logs contain the actual SSH commands that a user ran on the target. These logs are encrypted using a public key provided by the customer and are not visible to Cloudflare.

Enable SSH command logging

To log SSH commands, you will need to generate an HPKE key pair and upload the public key to Cloudflare.

1. Download ↗ the Cloudflare ssh-log-cli utility.

2. Using the ssh-log-cli utility, generate a public and private key pair.

   ./ssh-log-cli generate-key-pair -o sshkey
   ls

   README.md    ssh-log-cli    sshkey    sshkey.pub

   This command outputs two files, an sshkey.pub public key and a matching sshkey private key.

3. In Zero Trust ↗, go to Settings > Network.

4. In SSH encryption public key, paste the contents of sshkey.pub and select Save.

All proxied SSH commands are immediately encrypted using this public key. The matching private key is required to view logs.

Disable SSH command logging

To turn off SSH command logging, delete your uploaded public key:

Dashboard

1. In Zero Trust ↗, go to Settings > Network > SSH encryption public key.

2. Select Remove.

3. Select Remove key to confirm.

Cloudflare will stop logging SSH commands to your targets, as well as any commands subject to Gateway Audit SSH policies.

API

To delete the SSH encryption public key using the API:

curl --request PUT https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/audit_ssh_settings \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--data '{
  "public_key": ""
}'

View SSH logs

SSH command logs are not visible from the dashboard itself and must be exported and decrypted.

To manually retrieve logs:

1. In Zero Trust ↗, go to Logs > Access.
2. Select a user who was allowed to access the target.
3. Select Download to download the session’s command log.

4. To decrypt the log, follow the instructions in the SSH Logging CLI repository ↗. In the following example, sshkey is the private key that matches the public key uploaded to Cloudflare.

   ./ssh-log-cli decrypt -i sshlog -k sshkey

   This command outputs a sshlog-decrypted.zip file with the decrypted logs.