2

I have a remote machine I can access only through a cloudflared tunnel. In my .ssh/config file I have

Host remote
     User my-user-name
     ProxyCommand cloudflared access ssh --hostname remote-host-name.com

this works fine. When I ssh remote I get a prompt on remote-host-name.com.

But when I just run the cloudflared command directly I get an error:

local$ cloudflared access ssh --hostname remote-host-name.com
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5

Invalid SSH identification string.

I thought ssh was just "exec"ing the ProxyCommand, but it must be doing something more, what else is it doing?

Wandering Logic
  • 698
  • 6
  • 11

1 Answers1

2

ProxyCommand specifies the command to use to connect to the server (from the manual page, emphasis mine). Basically it runs this command and uses its input/output streams instead of directly opening a tcp connection. On top of that, it is running the ssh protocol.

In other words, ProxyCommand only replaces the tcp stream, but the rest of the ssh communication is still being run natively by the actual ssh command. When you run the cloudflared command by itself, you are just connecting to the ssh server from the other side and receive the ssh greeting (SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5) and the other side expects you to answer with whatever the protocol specifies (which of course a human is not expected to do, that is what ssh is doing in the background). You will get a similar greeting by trying to connect directly with nc to any ssh server without proxies, e.g. nc some.ssh.server 22 (22 is the port commonly used by ssh).

gepa
  • 1,216