Cloudflare recently announced Access for Infrastructure SSH, a feature that replaces traditional SSH keys with short-lived certificates. This new option leverages BastionZero’s integration into Cloudflare One and reduces the complexity of managing SSH keys while enhancing security by substituting long-term SSH keys with temporary, ephemeral certificates.
Traditionally, users generate an SSH key pair and gain access by deploying the public key to servers. With Access for Infrastructure, traditional SSH keys are replaced by short-lived certificates issued to end-users based on a token generated through their Access login.
Cloudflare emphasizes that this new approach enables organizations to manage SSH access like any other application, enforcing strong multi-factor authentication, device context, and policy-based access controls. This simplifies infrastructure access policies within the company’s security service edge (SSE) or secure access service edge (SASE) architecture.
According to the company, a key benefit of this new feature is that it reduces the risk of long-lived SSH credentials being compromised. Goldbergsam, Ming Samborski, and Lipman emphasize the importance of logging in securing organizations’ servers with SSH. They stress that Zero Trust demands tracking who accesses servers with SSH and what commands they run.
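The certificate flow described above (a CA signs the user's public key with a short validity window and a named principal, and the server trusts the CA rather than individual keys) can be reproduced locally with OpenSSH's own tooling. The script below is an added example and is not Cloudflare's or BastionZero's code; the CA, the user "alice", the ten-minute lifetime, the scratch directory and the sshd snippet path are all constructed assumptions. It also shows the Key ID field that sshd records in its auth log on a successful certificate login, which is the hook for the per-user logging the authors stress.

```shell
#!/bin/sh
# Added example (not Cloudflare's code): mint a short-lived SSH user
# certificate from a local CA and inspect it, the way a certificate-based
# flow replaces long-lived authorized_keys entries.
set -eu

# Scratch directory so nothing touches ~/.ssh (constructed path).
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: the CA key. In a hosted flow this key stays with the identity
# broker/proxy; here it is generated locally for demonstration only.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'demo-ssh-ca' -f "$WORKDIR/ca" >/dev/null
}

# Step 2: the user's ephemeral key pair (a fresh one per session is typical;
# the private key never needs to be long-lived because the cert expires).
make_user_key() {
    ssh-keygen -q -t ed25519 -N '' -C 'alice@session' -f "$WORKDIR/alice" >/dev/null
}

# Step 3: sign the user's public key.
#   -n  principal: the server-side login name the cert is valid for
#   -V  lifetime: +10m means the cert expires ten minutes from now
#   -I  key id: an identity string that lands in sshd's auth log
# Output is written next to the key as alice-cert.pub.
issue_cert() {
    ssh-keygen -q -s "$WORKDIR/ca" -I "alice-$(date +%s)" -n alice \
        -V +10m "$WORKDIR/alice.pub" >/dev/null
}

# Step 4: what the server needs: trust the CA public key for user certs.
# (Drop-in for /etc/ssh/sshd_config.d/ on the target host; written to the
# scratch directory here, not applied.)
write_sshd_snippet() {
    printf 'TrustedUserCAKeys /etc/ssh/user_ca.pub\n' > "$WORKDIR/50-ca.conf"
}

# Decode the certificate so its fields can be checked without a server.
cert_info() {
    ssh-keygen -L -f "$WORKDIR/alice-cert.pub"
}

# First principal listed under the "Principals:" header.
cert_principal() {
    cert_info | awk '/Principals:/{p=1;next} p&&NF{print $1;exit}'
}

# Certificate type line, e.g. "ssh-ed25519-cert-v01@openssh.com user certificate".
cert_type() {
    cert_info | awk -F': *' '/Type:/{print $2;exit}'
}

# Key ID exactly as sshd will log it ("Accepted publickey ... ID alice-...").
cert_key_id() {
    cert_info | awk -F'"' '/Key ID:/{print $2;exit}'
}

# Run the whole issuance once; returns non-zero if any step fails.
run_demo() {
    make_ca && make_user_key && issue_cert && write_sshd_snippet
}
```

Running `run_demo` and then `cert_info` prints the decoded certificate; the `Valid:` line shows the ten-minute window, so a stolen `alice` private key is useless once it lapses, and revocation of a user reduces to not issuing the next certificate. On the server side only `TrustedUserCAKeys` is needed; no per-user `authorized_keys` entry exists to leak or go stale.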
The integration also addresses skepticism from developers regarding Cloudflare’s approach to using an SSH proxy infrastructure for zero-trust SSH access. The company clarifies that every involved component must be trusted, including the CA used by the MitM keylogger.
Access for Infrastructure is currently free for teams with fewer than 50 users and available to existing pay-as-you-go and Contract plan customers with an Access or Zero Trust subscription.
Source: https://www.infoq.com/news/2024/11/cloudflare-ssh