Browser SSH via Cloudflare Tunnel

Open a full SSH terminal to the NAS from any browser, anywhere — no client, no keys, no VPN. Email OTP via Cloudflare Access drops you straight into a shell.

growing
#homelab

How it works

Visit https://ssh.tinkerer.tools. Cloudflare Access prompts for email and sends a one-time code. After OTP, Cloudflare issues a short-lived SSH certificate (no long-lived keys) and the browser renders a terminal logged in as info — a UID alias for ignacio.

Cloudflare side

  • Tunnel public hostname: ssh.tinkerer.toolsssh://192.168.84.54:22
  • Access application: self-hosted, domain ssh.tinkerer.tools, one-time PIN auth, session duration 24h
  • Browser rendering: SSH enabled, automatic cloudflared authentication on
  • Short-lived certificate: Access → Service Auth → SSH, scoped to the SSH app

NAS side

All SSH config goes in TrueNAS UI → System Settings → Services → SSH → Auxiliary Parameters. Never edit /etc/ssh/sshd_config directly — TrueNAS regenerates it.

TrustedUserCAKeys /mnt/tank/config/ssh/ca.pub
AuthorizedPrincipalsCommand /usr/bin/echo "info"
AuthorizedPrincipalsCommandUser nobody
CASignatureAlgorithms ecdsa-sha2-nistp256
PubkeyAcceptedAlgorithms +ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com
MACs hmac-sha2-512
ClientAliveInterval 300
ClientAliveCountMax 3

The CA key (Cloudflare’s ecdsa-sha2-nistp256) lives at /mnt/tank/config/ssh/ca.pub — on the data pool, because TrueNAS wipes unknown files in /etc/ssh/ on restarts.

The Unix user info is a UID alias for ignacio, required because Cloudflare’s browser terminal uses the email prefix (info from info@tinkerer.tools) as the SSH username:

sudo useradd -o -u 3000 -g 3000 -d /mnt/tank/home/ignacio -s /bin/bash info

ClientAliveInterval 300 overrides TrueNAS’s 15-second default that kills idle browser sessions after ~45 seconds.

Gotchas

ProblemCauseFix
Unable to connect to originTunnel service type was http://Changed to ssh:// in tunnel config
Browser login loop after OTPNo Unix user matching email prefixCreated info as UID alias for ignacio
Certificate does not contain an authorized principalAuthorizedPrincipalsFile wiped by TrueNASSwitched to AuthorizedPrincipalsCommand — no file to lose
ca.pub disappearing after restartsTrueNAS regenerates /etc/ssh/Moved CA key to /mnt/tank/config/ssh/ca.pub
info user disappearingTrueNAS regenerates /etc/passwd on user config changesRecreate with useradd -o -u 3000 ...; avoid editing users in UI after setup
If it breaks, check these three things
id info                              # user exists?
cat /mnt/tank/config/ssh/ca.pub      # CA key intact?
sudo grep TrustedUserCAKeys /etc/ssh/sshd_config  # config has our lines?

Anything UI-driven in TrueNAS (user edits, service restarts) can wipe one of these.