
SSH Access through Cloudflare - zackbloom
https://blog.cloudflare.com/releasing-the-cloudflare-access-feature-that-let-us-smash-a-vpn-on-stage/?h
======
cremp
Every time I see a post by Cloudflare, I get more and more nervous.

Why? Because each time they introduce something, they end up at the controls.

What if their internal network is breached, or an unhappy employee is at the
wheel? Not only would it be possible for them to use _everything_ at their
disposal, but they could start to sell user data, with internal ports exposed.

Considering bugs are a fact of life for developers, how long will it be until
there is a big hole? Heartbleed was one; what's the next?

~~~
zackbloom
One of the fundamental truths of the move to the cloud has been that large
organizations which can focus on security tend to do it better than each of us
doing our best alone. It just takes too many people to keep a modern system
secure; that's unfortunate, but it seems true. All of the security failures we
hear about tend to be in bespoke systems, not GCP or AWS.

~~~
zAy0LfpBZLC8mAC
That is wrong on so many levels.

For one, the idea of "delegate security to a central authority because they
know what they are doing" is one that has failed so catastrophically in
history it's surprising anyone still considers it a convincing argument. If
there is one thing humanity should have learned, it's that centralization of
power is itself a major security problem. Electing dictators to solve security
problems does not work.

Then, "we have to give all power to cloudflare or we are on our own" is
obviously a false dichotomy. No, people can work together on fixing security
problems without the need to delegate power to a central authority.

Also, it isn't hard to keep "a modern system" secure. It's just that no one
cares, in part because they think they can just buy security as a product that
they somehow plug into their system to make it secure. But that is just a
completely mistaken approach. You can buy "IT security" as much as you can buy
"car safety". If the engineering of your car is shoddy, no add-on will make it
safe, and it's exactly the same for IT systems--and if the engineering is
solid, there is no need for "safety add-ons".

BTW, one particular kind of "security" that large organizations are good at is
controlling PR. It's just that that is not in your interest as their customer.
It's just one of many conflicts of interest.

------
zzo38computer
I do not want to use Cloudflare, because I will want to control it by myself,
and also because Cloudflare fails to have some stuff that I would use and also
it has stuff that I do not want. Also, SSH and HTTPS are not necessarily the
only protocols that you might want.

------
cagenut
If it's SSH, why do I need to install/run cloudflared?

~~~
LakeAustin
(Cloudflare team here) cloudflared proxies the traffic through the Cloudflare
network to the service behind Access so that Cloudflare can ensure the request
is authenticated first and then issue a token to the client through
cloudflared.

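As an added illustration (not from the original post or any commenter) of the client side of the flow LakeAustin describes: OpenSSH is told to hand the connection to cloudflared via ProxyCommand, cloudflared runs the browser-based Access login, receives the token, and tunnels the SSH session through Cloudflare's edge to the host behind Access. The hostname and the install path of cloudflared are assumptions; the `cloudflared access ssh --hostname` subcommand is the one cloudflared documents for this purpose.

```text
# ~/.ssh/config (example entry, assumed hostname and path)
Host ssh.example.com
    User deploy
    # cloudflared opens the Access login in a browser on first use,
    # caches the issued token, then proxies the SSH bytes over Cloudflare.
    ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
```

After this entry is in place, a plain `ssh ssh.example.com` triggers the IdP login; sshd on the far side still performs its own key or password authentication over the tunnelled connection, so Access is an additional gate, not a replacement for SSH's own auth.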
~~~
otterley
sshd already has a reasonable authentication protocol (several in fact,
including public keys of various kinds) that is already tunneled through an
encrypted channel. What additional value does cloudflared provide?

It's a bit like saying HTTPS isn't good enough, so let's tunnel HTTPS inside
HTTPS -- unless I misunderstand its purpose.

~~~
zackbloom
It's because the IdPs most organizations use don't have the type of SSH flow
you're talking about. For Cloudflare to authenticate you, you first have to go
through your Okta, Google Apps, etc login flow which is browser-centric.

~~~
otterley
I wrote about a sensible way to provision login authentication in some detail
here: [https://segment.com/blog/ditching-the-shared-user/](https://segment.com/blog/ditching-the-shared-user/)

~~~
ejcx
There are actually quite a few aspects of your blog that I think we will
emulate in the near future, with a twist, to solve more similar problems. This
problem set was super different though.

Adding a public facing SSH interface to our production hosts was a bit of a
non-starter and we would have had to hack together auth on top of that (not
just for us, but for our customers too). That's a lot of additional surface
area and operational burden we didn't want.

BTW we should catch up over a beer sometime =]

------
viknod
It's amazing they are able to use local browser technology (via the popup
login) to allow for using a public network as though it were private,
virtually of course.

------
rmbeard
Will this work from China?

------
whydoineedthis
Yeah, but are your Enterprise sales teams still a complete bag of useless
dicks? Yes. Is your pricing still laughable? Yes. Is 'last decade's security'
still better than handing off internal network control to a third party? Yes.
As usual, you only solved how to make Cloudflare more money, and not anything
technically impressive.

~~~
apple4ever
Their pricing leaves a lot to be desired. It sounds simple with their plans, but
lately they've been very nickel-and-dimey.

