Add option to replace SSH keys with short-lived certificates by applying Cloudflare SSH with Access for Infrastructure #1915
RicoSchmitt started this conversation in Ideas
Replies: 0 comments
Cloudflare Access allows securing SSH (and other protocols) by issuing ephemeral client certificates through WARP. With this setup, servers no longer need to expose port 22 publicly, since all connections are proxied through Cloudflare.
This removes the burden of generating and distributing static SSH key pairs. Instead, authentication and authorization are handled by Cloudflare Access policies, which can be managed centrally from the dashboard or defined declaratively via Terraform. Please find these docs for further reference.
I have already implemented this for some clusters, but the process is currently manual. I would be interested in contributing a script to automate the setup of SSH Access for Infrastructure if the community considers it in scope. Looking forward to your thoughts on this!