Cloudflare Introduces Short-Lived SSH Access, Eliminating the Need for SSH Credentials

Cloudflare recently announced Access for Infrastructure SSH, a feature that replaces traditional SSH keys with short-lived certificates. The new option leverages BastionZero’s integration into Cloudflare One and reduces the complexity of managing SSH keys while enhancing security by substituting long-term SSH keys with temporary, ephemeral certificates.

Traditionally, users generate an SSH key pair and gain access by deploying the public key to servers. With Access for Infrastructure, traditional SSH keys are replaced by short-lived certificates issued to end users based on a token generated through their Access login.

According to Cloudflare, a key benefit of this new approach is that organizations can now manage SSH access like any other application, enforcing strong multi-factor authentication (MFA), device context, and policy-based access controls. This enables companies to consolidate infrastructure access policies within their secure access service edge (SSE) or secure access service edge (SASE) architecture.

Sharon Goldberg, product director at Cloudflare and formerly CEO at BastionZero at Cloudflare, Ann Ming Samborski, senior product manager at Cloudflare, and Sebby Lipman, senior systems engineer at Cloudflare, write:

Modern enterprises can have tens, hundreds, or even thousands of SSH targets. Servers accessible via SSH can be targeted in cryptojacking or proxyjacking attacks. Manually tracking, rotating, and validating SSH credentials that grant access is a chore that is often left undone, which creates risks that these long-lived credentials could be compromised.

Source: Cloudflare blog

Goldberg, Ming Samborski, and Lipman emphasize the importance of logging:

The principles of Zero Trust demand that an organization also tracks who exactly is accessing their servers with SSH, and what commands they are running on those servers once they have access.

In a popular Hacker News thread, many developers express skepticism about Cloudflare’s approach of using an SSH proxy infrastructure to deliver zero-trust SSH access. User edelbitter questions:

Why does the title say “Zero Trust”, when the article explains that this only works as long as every involved component of the Cloudflare MitM keylogger and its CA can be trusted? If hosts keys are worthless because you do not know in advance what key the proxy will have.. than this scheme is back to trusting servers merely because they are in Cloudflare address space, no?

Thomas Ptacek adds:

I’m a fan of SSH certificates and cannot understand why anyone would set up certificate authentication with an external third-party CA (…) External CAs exist to solve the counterparty introduction problem, which is a problem SSH servers do not have.

Other companies, like Teleport and Smallstep, offer identity-based, secretless SSH solutions, but Cloudflare is the first cloud provider to offer an integrated solution, made possible through the acquisition of BastionZero. Ferris Ellis, founder & CEO of Urban Dynamics, comments:

If we want to know “When was the last time someone logged into this machine?” or “We found a bad actor, what did they do the last 24 hours?” we easily can! This is a huge win for reliability & security operations.

Access for Infrastructure is currently free for teams with fewer than 50 users and is also available to existing pay-as-you-go and Contract plan customers with an Access or Zero Trust subscription.