[otterley]

sshd already has a reasonable authentication protocol (several in fact, including public keys of various kinds) that is already tunneled through an encrypted channel. What additional value does cloudflared provide?

It's a bit like saying HTTPS isn't good enough, so let's tunnel HTTPS inside HTTPS -- unless I misunderstand its purpose.

[zackbloom]

It's because the IdPs most organizations use don't have the type of SSH flow you're talking about. For Cloudflare to authenticate you, you first have to go through your Okta, Google Apps, etc login flow which is browser-centric.

[otterley]

I wrote about a sensible way to provision login authentication in some detail here: https://segment.com/blog/ditching-the-shared-user/

[ejcx]

There are actually quite a few aspects of your blog that I think we will emulate in the near future, with a twist, to solve more similar problems. This problem set was super different though.

Adding a public facing SSH interface to our production hosts was a bit of a non-starter and we would have had to hack together auth on top of that (not just for us, but for our customers too). That's a lot of additional surface area and operational burden we didn't want.

BTW we should catch up over a beer sometime =]