SSH with Access for Infrastructure (recommended)
Access for Infrastructure provides granular control over how users can connect to your SSH servers. This feature uses the same deployment model as WARP-to-Tunnel but unlocks more policy options and command logging functionality.
Furthermore, Access for Infrastructure replaces traditional SSH keys with short-lived certificates issued to your users based on the token generated by their Access login. In traditional models, users generate an SSH keypair and administrators grant access to individual SSH servers by deploying their users' public keys to those servers. These SSH keys can remain unchanged on these servers for months or years. Cloudflare Access removes the burden of managing SSH keys, while also improving security by replacing long-lived SSH keys with ephemeral SSH certificates.
- Create a Cloudflare Tunnel for your server by following our dashboard setup guide. You can skip the connect an application step and go straight to connecting a network.
- In the Private Networks tab for the tunnel, enter the IP or CIDR address of your server. Typically this would be a private IP, but public IPs are also allowed.
To connect your devices to Cloudflare:
- Deploy the WARP client on your devices in Gateway with WARP mode.
- Enable the Gateway proxy for TCP.
- Create device enrollment rules to determine which devices can enroll to your Zero Trust organization.
By default, WARP excludes traffic bound for RFC 1918 space ↗, which are IP addresses typically used in private networks and not reachable from the Internet. In order for WARP to send traffic to your SSH server, you must configure Split Tunnels so that the IP/CIDR of your SSH server routes through WARP.
- 
First, check whether your Split Tunnels mode is set to Exclude or Include mode. 
- 
If you are using Include mode, add your SSH server's IP/CIDR range to the list. Your list should also include the domains necessary for Cloudflare Zero Trust functionality. 
- 
If you are using Exclude mode: a. Delete your SSH server's IP/CIDR range from the list. For example, if your network uses the default AWS range of 172.31.0.0/16, delete172.16.0.0/12.b. Re-add IP/CIDR ranges that are not explicitly used by your SSH server. For the AWS example above, you would add new entries for 172.16.0.0/13,172.24.0.0/14,172.28.0.0/15, and172.30.0.0/16. This ensures that only traffic to172.31.0.0/16routes through WARP.You can use the following calculator to determine which IP addresses to re-add: In Base CIDR, enter the RFC 1918 range that you deleted from Split Tunnels. In Excluded CIDRs, enter the IP/CIDR range used by your SSH server. Re-add the calculator results to your Split Tunnel Exclude mode list. 
By tightening the private IP range included in WARP, you reduce the risk of breaking a user's access to local resources.
A target represents a single resource in your infrastructure (such as a server, Kubernetes cluster, database, or container) that users will connect to through Cloudflare.
Targets are protocol-agnostic, meaning that you do not need to define a new target for each protocol that runs on the server. To create a new target:
- In Zero Trust ↗, go to Networks > Targets.
- Select Add a target.
- In Target hostname, enter a user-friendly name for the target. We recommend using the server hostname, for example production-server. The target hostname does not need to be unique and can be reused for multiple targets. Hostnames are used to define the targets secured by an Access application; they are not used for DNS address resolution.Format restrictions - Case insensitive
- Contain no more than 253 characters
- Contain only alphanumeric characters, -, or.(no spaces allowed)
- Start and end with an alphanumeric character
 
- In IP addresses, enter the IPv4 and/or IPv6 address of the target resource. The dropdown menu will not populate until you type in the full IP address.
- In the dropdown menu, select the IP address and virtual network where the resource is located. This IP address and virtual network pairing is now assigned to this target and cannot be reused in another target by design.
- Select Add target.
Make a POST request to the Infrastructure Access Targets endpoint:
Required API token permissions
 
At least one of the following token permissions 
is required:
- Zero Trust Write
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets" \  --request POST \  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  --json '{    "hostname": "infra-access-target",    "ip": {        "ipv4": {            "ip_addr": "187.26.29.249",            "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"        },        "ipv6": {            "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",            "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"        }    }  }'- 
Add the following permission to your cloudflare_api_token↗:- Zero Trust Write
 
- 
Configure the cloudflare_zero_trust_infrastructure_access_target↗ resource:resource "cloudflare_zero_trust_infrastructure_access_target" "infra-ssh-target" {account_id = var.cloudflare_account_idhostname = "infra-access-target"ip = {ipv4 = {ip_addr = "187.26.29.249"virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"}ipv6 = {ip_addr = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0"virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"}}}
Next, create an Access application to secure the target.
- In Zero Trust ↗, go to Access > Applications.
- Select Add an application.
- Select Infrastructure.
- Enter any name for the application.
- In Target criteria, select the target hostname(s) that you want to secure. This application definition will apply to all targets that share the selected hostname, including any targets added in the future. Similarly, if you later decide to change the hostname for a target, the renamed target will no longer be covered by this application.
- Enter the Protocol and Port that will be used to connect to the server.
- (Optional) If a protocol runs on more than one port, select Add new target criteria and reconfigure the same target hostname and protocol with a different port number.
- Select Next.
- To secure your targets, configure a policy that defines who can connect and how they can connect:
- 
Enter any name for your policy. 
- 
Create a rule that matches the users who are allowed to reach the targets. For more information, refer to Access policies and review the list of infrastructure policy selectors. 
- 
In Connection context, configure the following settings: - SSH user: Enter the UNIX usernames that users can log in as (for example, rootorec2-user).
- Allow users to log in as their email alias: (Optional) When selected, users who match your policy definition will be able to access the target using their lowercased email address prefix. For example, Jdoe@company.comcould log in asjdoe.
 
- SSH user: Enter the UNIX usernames that users can log in as (for example, 
 
- 
- Select Add application.
Make a POST request to the Access applications endpoint:
Required API token permissions
 
At least one of the following token permissions 
is required:
- Access: Apps and Policies Write
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps" \  --request POST \  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  --json '{    "name": "Example infrastructure app",    "type": "infrastructure",    "target_criteria": [        {            "target_attributes": {                "hostname": [                    "infra-access-target"                ]            },            "port": 22,            "protocol": "SSH"        }    ],    "policies": [        {            "name": "Allow a specific email",            "decision": "allow",            "include": [                {                    "email": {                        "email": "jdoe@company.com"                    }                }            ],            "connection_rules": {                "ssh": {                    "usernames": [                        "root",                        "ec2-user"                    ]                }            }        }    ]  }'- 
Add the following permission to your cloudflare_api_token↗:- Access: Apps and Policies Write
 
- 
Use the cloudflare_zero_trust_access_application↗ resource to create an infrastructure application:resource "cloudflare_zero_trust_access_application" "infra-app" {account_id = var.cloudflare_account_idname = "Example infrastructure app"type = "infrastructure"target_criteria {port = 22protocol = "SSH"target_attributes {name = "hostname"values = ["infra-access-target"]}}}
- 
Use the cloudflare_zero_trust_access_policy↗ resource to add an infrastructure policy to the application:resource "cloudflare_zero_trust_access_policy" "infra-app-policy" {application_id = cloudflare_zero_trust_access_application.infra-app.idaccount_id = var.cloudflare_account_idname = "Allow a specific email"decision = "allow"precedence = 1include {email = ["jdoe@company.com"]}connection_rules {ssh {usernames = ["root", "ec2-user"]}}}
The targets in this application are now secured by your infrastructure policies.
By default, Cloudflare will evaluate Access application policies after evaluating all Gateway network policies. To evaluate Access applications before or after specific Gateway policies:
- Create the following Gateway network policy: - Selector - Operator - Value - Action - Access Infrastructure Target - is - Present - Allow 
- Update the policy's order of precedence using the dashboard or API. 
This Gateway policy will apply to all Access for Infrastructure targets, including RDP and SSH.
Next, configure your SSH server to trust the Cloudflare SSH CA. This allows Access to authenticate using short-lived certificates instead of traditional SSH keys.
To generate a Cloudflare SSH CA and get its public key:
- 
Create an API token with the following permissions: Type Item Permission Account Access: SSH Auditing Edit 
- 
If you have not yet generated a Cloudflare SSH CA, make a POSTrequest to the Cloudflare API:
Required API token permissions
 
At least one of the following token permissions 
is required:
- Access: SSH Auditing Write
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca" \  --request POST \  --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \  --header "X-Auth-Key: $CLOUDFLARE_API_KEY"- If you have already created a Cloudflare SSH CA or receive the error message access.api.error.gateway_ca_already_exists, make aGETrequest instead:
Required API token permissions
 
At least one of the following token permissions 
is required:
- Access: SSH Auditing Write
- Access: SSH Auditing Read
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca" \  --request GET \  --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \  --header "X-Auth-Key: $CLOUDFLARE_API_KEY"- Copy the public_keyvalue returned in the response.
- 
Use the following command to change directories to the SSH configuration directory on the remote target machine: Terminal window cd /etc/ssh
- 
Once there, you can use the following command to both generate the file and open a text editor to input/paste the public key. Terminal window vim ca.pub
- 
In the ca.pubfile, paste the public key without any modifications.ca.pub ecdsa-sha2-nistp256 <redacted> open-ssh-ca@cloudflareaccess.orgThe ca.pubfile can hold multiple keys, listed one per line. Empty lines and comments starting with#are also allowed.
- 
Save the ca.pubfile. In some systems, you may need to use the following command to force the file to save depending on your permissions:Terminal window :w !sudo tee %:q!
The following procedure makes two changes to the sshd_config file on the remote target machine. The first change requires that you uncomment a field already set in most default configurations; the second change adds a new field.
- 
While staying within the /etc/sshdirectory on the remote machine, open thesshd_configfile.Terminal window vim /etc/ssh/sshd_config
- 
Go to the row named PubkeyAuthentication. In most default configurations, the row will appear commented out as follows:# PubkeyAuthentication yes
- 
Remove the #symbol to uncomment the line:PubkeyAuthentication yes
- 
Add a new line below PubkeyAuthentication:TrustedUserCAKeys /etc/ssh/ca.pub
- 
Save the file and quit the editor. You might need to use the following command again to save and exit. :w !sudo tee %:q!
Once you have modified your SSHD configuration, restart the SSH service on the remote machine.
For older Debian/Ubuntu versions:
sudo service ssh restartFor newer Debian/Ubuntu versions:
sudo systemctl restart sshFor CentOS/RHEL 6 and older:
sudo service sshd restartFor CentOS/RHEL 7 and newer:
sudo systemctl restart sshdUsers can use any SSH client to connect to the target, as long as they are logged into the WARP client on their device. If the target is located within a particular virtual network, ensure that the WARP client is connected to that virtual network before initiating the connection. Users do not need to modify any SSH configs on their device. For example, to SSH from a terminal:
ssh <username>@<target IP>Access for Infrastructure also supports scp and rsync commands. Refer to Known limitations for a list of unsupported SSH commands and features.
To learn more about user connections, refer to the Access for Infrastructure documentation.
SSH command logs contain the actual SSH commands that a user ran on the target. Customers on all plans can store SSH logs on Cloudflare and download the logs from the dashboard. Downloadable logs are encrypted using a public key provided by the customer and are not visible to Cloudflare. Delivery of downloadable SSH logs is best effort; for guaranteed delivery, Enterprise customers can configure a Logpush job to send SSH logs to storage destinations. Logpush payloads are not encrypted with a customer-provided public key.
Follow these instructions to encrypt and download SSH command logs from Zero Trust.
To log SSH commands, you will need to generate an HPKE key pair and upload the public key to Cloudflare.
- 
Download ↗ the Cloudflare ssh-log-cliutility.
- 
Using the ssh-log-cliutility, generate a public and private key pair.Terminal window ./ssh-log-cli generate-key-pair -o sshkeylsREADME.md ssh-log-cli sshkey sshkey.pubThis command outputs two files, an sshkey.pubpublic key and a matchingsshkeyprivate key.
- 
In Zero Trust ↗, go to Settings > Network. 
- 
In SSH encryption public key, paste the contents of sshkey.puband select Save.
All proxied SSH commands are immediately encrypted using this public key. The matching private key is required to view logs.
To turn off SSH command logging, delete your uploaded public key:
- 
In Zero Trust ↗, go to Settings > Network > SSH encryption public key. 
- 
Select Remove. 
- 
Select Remove key to confirm. 
Cloudflare will stop logging SSH commands to your targets, as well as any commands subject to Gateway Audit SSH policies.
To delete the SSH encryption public key using the API:
Required API token permissions
 
At least one of the following token permissions 
is required:
- Zero Trust Write
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/audit_ssh_settings" \  --request PUT \  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  --json '{    "public_key": ""  }'SSH command logs are not visible from the dashboard itself and must be exported and decrypted.
To manually retrieve logs:
- In Zero Trust ↗, go to Logs > Access.
- Select a user who was allowed to access the target.
- Select Download to download the session's command log.
- 
To decrypt the log, follow the instructions in the SSH Logging CLI repository ↗. In the following example, sshkeyis the private key that matches the public key uploaded to Cloudflare.Terminal window ./ssh-log-cli decrypt -i sshlog -k sshkeyThis command outputs a sshlog-decrypted.zipfile with the decrypted logs.
Cloudflare allows you to send SSH command logs to storage destinations configured in Logpush, including third-party destinations. For a list of available data fields, refer to the SSH logs dataset.
To set up the Logpush job, refer to Logpush integration.
The following SSH features are not supported:
- sftpcommands
- scpcommands that utilize OpenSSH versions > 9.0, because OpenSSH 9.0+ leverages- sftpto execute the command
- Local and remote port forwarding
- SSH agent forwarding
- X11 forwarding
SSH sessions have a maximum expected duration of 10 hours. For more information, refer to the Troubleshooting FAQ.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark