post(ssh-cert): matching email to different user

This commit is contained in:
Ming Di Leom 2023-02-16 09:03:15 +00:00
parent 26228eba94
commit 72b5cdcc67
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed file with 26 additions and 4 deletions


@ -106,7 +106,7 @@ Install `openssh-server`.
`sudo -e /etc/ssh/sshd_config.d/cf.conf` `sudo -e /etc/ssh/sshd_config.d/cf.conf`
``` ```plain /etc/ssh/sshd_config.d/cf.conf
TrustedUserCAKeys /etc/ssh/ca.pub TrustedUserCAKeys /etc/ssh/ca.pub
ListenAddress 127.0.0.1 ListenAddress 127.0.0.1
ListenAddress ::1 ListenAddress ::1
@ -125,6 +125,24 @@ The easiest setup is one where a Unix username matches the email that you config
Set a random password and leave everything else blank. Set a random password and leave everything else blank.
### Matching email to different username
To match **loremipsum**@youremail.com to **lipsum** user:
```plain /etc/ssh/sshd_config.d/cf.conf
Match user lipsum
AuthorizedPrincipalsCommand /bin/echo 'loremipsum'
AuthorizedPrincipalsCommandUser nobody
```
**loremipsum+somealias**@youremail.com also works.
```plain /etc/ssh/sshd_config.d/cf.conf
Match user lipsum
AuthorizedPrincipalsCommand /bin/echo 'loremipsum+somealias'
AuthorizedPrincipalsCommandUser nobody
```
## Initiate SSH connection ## Initiate SSH connection
Install `cloudflared` on the host that you're going to SSH from. Install `cloudflared` on the host that you're going to SSH from.
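Review bot: the `Match user lipsum` block added to cf.conf has no terminator, and a `Match` stays in effect for every directive that follows it until the next `Match` keyword. Because sshd parses `Include`d drop-ins inline, and the stock Debian/Ubuntu sshd_config puts `Include /etc/ssh/sshd_config.d/*.conf` at the top of the file, any directive added later in cf.conf or anywhere below the Include in the main sshd_config silently becomes conditional on the user being lipsum. Suggest closing the block with `Match all`, or stating that it must be the last thing in the file. Two smaller documentation points: "**loremipsum+somealias**@youremail.com also works" is followed by a second complete `Match user lipsum` block, so it should say these are alternatives rather than both to be added; and it would help to spell out that `AuthorizedPrincipalsCommand` replaces the default rule (principal must equal the login username) with "principal must appear in the command's output", so the echoed string has to equal the principal embedded in the certificate byte for byte, which the `+somealias` variant shows is the email local part copied verbatim.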
@ -133,7 +151,7 @@ Install `cloudflared` on the host that you're going to SSH from.
Example output: Example output:
``` ```plain ~/.ssh/config
Match host test.example.com exec "/usr/local/bin/cloudflared access ssh-gen --hostname %h" Match host test.example.com exec "/usr/local/bin/cloudflared access ssh-gen --hostname %h"
ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
IdentityFile ~/.cloudflared/%h-cf_key IdentityFile ~/.cloudflared/%h-cf_key
@ -142,7 +160,7 @@ Match host test.example.com exec "/usr/local/bin/cloudflared access ssh-gen --ho
or or
``` ```plain ~/.ssh/config
Host test.example.com Host test.example.com
ProxyCommand bash -c '/usr/local/bin/cloudflared access ssh-gen --hostname %h; ssh -tt %r@cfpipe-test.example.com >&2 <&1' ProxyCommand bash -c '/usr/local/bin/cloudflared access ssh-gen --hostname %h; ssh -tt %r@cfpipe-test.example.com >&2 <&1'
@ -150,7 +168,7 @@ Host cfpipe-test.example.com
HostName test.example.com HostName test.example.com
ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
IdentityFile ~/.cloudflared/test.example.com-cf_key IdentityFile ~/.cloudflared/test.example.com-cf_key
CertificateFile ~/.cloudflared/test.example.com-cf_key-cert.pup CertificateFile ~/.cloudflared/test.example.com-cf_key-cert.pub
``` ```
Save the output to `$HOME/.ssh/config`. Save the output to `$HOME/.ssh/config`.
@ -174,3 +192,7 @@ As a bonus, head to test.yourdomain.com (see [Add an application](#Add-an-applic
Head to **Settings** -> **Account** to monitor how many users you have, each email address you configured to receive one-time PIN is counted as one user. Head to **Settings** -> **Account** to monitor how many users you have, each email address you configured to receive one-time PIN is counted as one user.
To delete user(s), head to **Users**, tick the relevant users, **Update status** and then **Remove**. The seat usage column should show _Inactive_. To delete user(s), head to **Users**, tick the relevant users, **Update status** and then **Remove**. The seat usage column should show _Inactive_.
## Inspect user certificate
`ssh-keygen -L -f ~/.cloudflared/test.example.com-cf_key-cert.pub`
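Review bot: the new "Inspect user certificate" section gives the command but not what the reader should look for in its output. Suggest adding that the `Principals:` line is the value that has to match either the Unix login name (the default) or the string echoed by `AuthorizedPrincipalsCommand` in the section above, which makes this the first thing to check when a login is refused, and that the `Valid:` line shows the certificate's short lifetime, so the file should be regenerated with `cloudflared access ssh-gen` before inspecting it if it has expired or does not yet exist.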