
I have a remote machine I can access only through a cloudflared tunnel. In my .ssh/config file I have

Host remote
     User my-user-name
     ProxyCommand cloudflared access ssh --hostname remote-host-name.com

This works fine. When I run `ssh remote` I get a prompt on remote-host-name.com.

But when I just run the cloudflared command directly I get an error:

local$ cloudflared access ssh --hostname remote-host-name.com
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5

Invalid SSH identification string.

I thought ssh was just "exec"ing the ProxyCommand, but it must be doing something more. What else is it doing?

Wandering Logic
  • Weirdly, CF mentions here https://developers.cloudflare.com/cloudflare-one/tutorials/ssh-service-token/ that running `cloudflared access ssh --hostname remote-host-name.com` directly. Yet the same documentation links to here https://developers.cloudflare.com/cloudflare-one/tutorials/gitlab/#configuring-ssh mentioning that you have to set your ssh config to use the `ProxyCommand`. However, even when I modified the SSH config, I could only use `ssh`, and running `cloudflared` still didn't work. So did you figure out how to run `cloudflared` directly? Or still via `ssh` with `ProxyCommand`. – Algo7 Apr 09 '23 at 22:15
  • It turns out that `cloudflared access ssh --hostname remote-host-name.com` actually just sets up a TCP tunnel (like a VPN) and has nothing directly to do with `ssh`, despite the `ssh` as one of the command line elements. So the only way to get this working is to put the ProxyCommand in the ~/.ssh/config file, or: `ssh -o "ProxyCommand='cloudflared access ssh --hostname %h'" ...` – Wandering Logic Apr 10 '23 at 13:20

1 Answer


ProxyCommand "specifies the command to use to connect to the server" (from the manual page, emphasis mine). Basically, it runs this command and uses its input/output streams instead of directly opening a TCP connection. On top of that, it runs the SSH protocol.

In other words, ProxyCommand only replaces the TCP stream; the rest of the SSH communication is still run natively by the actual ssh command. When you run the cloudflared command by itself, you are just connecting to the SSH server on the other side and receive the SSH greeting (SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5), and the other side expects you to answer with whatever the protocol specifies (which of course a human is not expected to do; that is what ssh does in the background). You will get a similar greeting by connecting directly with nc to any SSH server without proxies, e.g. nc some.ssh.server 22 (22 is the port commonly used by ssh).

gepa
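The answer's two points, that a ProxyCommand is only a byte pipe and that ssh itself performs the protocol on top of it, can be made concrete with a small model. The following is an added example, not code from the question, the answer, cloudflared or OpenSSH. `relay_stdio_to_tcp` does what `nc` or `cloudflared access ssh` does for ssh: it copies bytes between stdin/stdout and a TCP socket and knows nothing about SSH. The rest models the very first step of the SSH protocol, the identification string exchange of RFC 4253 section 4.2, over an in-memory socket pair so it runs offline: a server greets first (that is the `SSH-2.0-OpenSSH_8.2p1 ...` line the asker saw), and then either a client answers with its own identification string or a human types something else and is rejected. The names `ExampleServer_0.1` and `ExampleClient_0.1`, the sample reply `ls`, and the server behaviour of sending `Invalid SSH identification string.` and closing are constructed for the model.

```python
"""Model of what ssh does on top of a ProxyCommand (added example, not the page's own code)."""
import re
import socket
import sys
import threading

# RFC 4253 4.2: "SSH-" protoversion "-" softwareversion [SP comments] CR LF.
# softwareversion is printable US-ASCII without whitespace or "-"; the whole
# line including CR LF is at most 255 bytes.
_IDENT_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>[!-,.-~]+)(?: (?P<comments>.*))?$")
SERVER_IDENT = b"SSH-2.0-ExampleServer_0.1\r\n"        # constructed sample; sshd sends e.g. SSH-2.0-OpenSSH_8.2p1 ...
CLIENT_IDENT = b"SSH-2.0-ExampleClient_0.1\r\n"        # constructed sample; the real client line comes from ssh
REJECT_TEXT = b"Invalid SSH identification string.\r\n"  # the text the asker saw; modelled here, then hang up


def parse_identification(line):
    """Return (protoversion, softwareversion, comments), or None if `line` is not a valid identification string."""
    if len(line) > 255:
        return None
    try:
        text = line.rstrip(b"\r\n").decode("ascii")
    except UnicodeDecodeError:
        return None
    m = _IDENT_RE.match(text)
    if m is None:
        return None
    return m.group("proto"), m.group("software"), m.group("comments") or ""


def _readline(conn, limit=255):
    """Read one line (up to LF or EOF) byte by byte; nothing is buffered past the line."""
    buf = bytearray()
    while len(buf) < limit:
        ch = conn.recv(1)
        if not ch:
            break
        buf += ch
        if ch == b"\n":
            break
    return bytes(buf)


def server_version_exchange(conn):
    """Server side: greet first, then require a valid identification string from the peer."""
    conn.sendall(SERVER_IDENT)
    parsed = parse_identification(_readline(conn))
    if parsed is None:
        conn.sendall(REJECT_TEXT)   # a human at a raw tunnel ends up here
        conn.close()
    return parsed


def run_exchange(client_reply=CLIENT_IDENT):
    """Drive one exchange over a socket pair.

    client_reply is what goes up the pipe after the greeting: the real ssh sends its own
    identification string; someone typing at a bare `cloudflared access ssh` session sends
    whatever they type. Returns (what the server parsed, every byte the client received).
    """
    srv, cli = socket.socketpair()
    outcome = {}

    def serve():
        outcome["parsed"] = server_version_exchange(srv)
        srv.close()

    worker = threading.Thread(target=serve)
    worker.start()
    received = _readline(cli)        # the server speaks first
    cli.sendall(client_reply)
    worker.join()
    while True:                      # drain any rejection text until the server hangs up
        chunk = cli.recv(4096)
        if not chunk:
            break
        received += chunk
    cli.close()
    return outcome["parsed"], received


def relay_stdio_to_tcp(host, port):
    """All a ProxyCommand has to do: shovel bytes between ssh's stdin/stdout and the server.

    It never looks at the SSH protocol; ssh on this side and sshd on the far side run it end to
    end through the pipe. Usable as: ProxyCommand python3 this_file.py %h %p
    """
    sock = socket.create_connection((host, port))
    out = sys.stdout.buffer

    def to_stdout():
        while True:
            data = sock.recv(4096)
            if not data:
                break
            out.write(data)
            out.flush()

    threading.Thread(target=to_stdout, daemon=True).start()
    while True:
        data = sys.stdin.buffer.read1(4096)
        if not data:
            break
        sock.sendall(data)
    sock.close()


if __name__ == "__main__":
    if len(sys.argv) == 3:
        relay_stdio_to_tcp(sys.argv[1], int(sys.argv[2]))
    else:
        print("ssh client answers :", run_exchange())
        print("human types 'ls'   :", run_exchange(b"ls\n"))
```

Run without arguments to see both outcomes: the client that answers with an identification string gets through to the next protocol step, while the one that sends `ls` gets the same rejection text as in the question and a closed connection. Because the relay never touches the protocol, host key verification and encryption still happen inside ssh, which is also why a tunnel provider in the ProxyCommand position does not see the session plaintext.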