by LakeAustin 2770 days ago
(Cloudflare team here) cloudflared proxies the traffic through the Cloudflare network to the service behind Access so that Cloudflare can ensure the request is authenticated first and then issue a token to the client through cloudflared.

sshd already has a reasonable authentication protocol (several in fact, including public keys of various kinds) that is already tunneled through an encrypted channel. What additional value does cloudflared provide?

It's a bit like saying HTTPS isn't good enough, so let's tunnel HTTPS inside HTTPS -- unless I misunderstand its purpose.

It's because the IdPs most organizations use don't have the type of SSH flow you're talking about. For Cloudflare to authenticate you, you first have to go through your Okta, Google Apps, etc login flow which is browser-centric.
I wrote about a sensible way to provision login authentication in some detail here: https://segment.com/blog/ditching-the-shared-user/
There are actually quite a few aspects of your blog that I think we will emulate in the near future, with a twist, to solve more similar problems. This problem set was super different though.

Adding a public facing SSH interface to our production hosts was a bit of a non-starter and we would have had to hack together auth on top of that (not just for us, but for our customers too). That's a lot of additional surface area and operational burden we didn't want.

BTW we should catch up over a beer sometime =]

Why not authenticate via ssh keys using the ssh client (such as the openssh -J flag)?
Thanks for responding, but I confess it didn't clear anything up for me. I don't know what "Access" is or why ssh would require a token.