Subject: SSH with Access for Infrastructure - Permission denied despite Access policy allowing user
🛡️Zero Trust
On January 29, 2026, at approximately 20:45 UTC, I attempted to SSH into 10.70.81.184 (target hostname: claude-max-1-shared) using Access for Infrastructure. The SSH client returned Permission denied (publickey) despite the email prashanth.m@bdiplus.com being included in the Access policy.
Infrastructure Details
Target IP: 10.70.81.184
Target Hostname: claude-max-1-shared
Protocol: SSH
Port: 22
UNIX Username: prat
User Email: prashanth.m@bdiplus.com
Cloudflare Tunnel: claude-max-1-shared (Active, Healthy)
WARP Client: Connected, Gateway with WARP mode enabled
Reproduction Steps
User authenticates via WARP client (connected and verified)
User runs: ssh prat@10.70.81.184
Connection reaches server but fails with: Permission denied (publickey)
browser prompted appears (correct for Infrastructure SSH)
Timeline
First attempt: January 29, 2026 ~20:30 UTC
Timezone: UTC
Troubleshooting Attempts
Access Policy Verification:
Access policy includes prashanth.m@bdiplus.com
Policy allows SSH user prat
Access logs show Access granted decision
Tunnel Health:
Tunnel status: Healthy
4 connections active to Cloudflare global network
No degradation or downtime
User Existence on Server:
warp-cli status
Connecte
warp-cli target list
SSH Certificate Validation:
SSH connection reaches server
Certificate validation fails
Server rejects Cloudflare-issued certificate
Attachments
Jan 29 20:32:51: Connection closed by authenticating user prat ::1 port 59730 [preauth]
Jan 29 20:32:51 c]: debug1: do_cleanup [preauth]
Jan 29 20:32:51 ]: debug3: PAM: sshpam_thread_cleanup entering [preauth]
PermitRootLogin yes
AuthorizedPrincipalsFile /etc/ssh/principals/%u
AllowUsers prat root
PasswordAuthentication yes
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
TrustedUserCAKeys /etc/ssh/ca.pub
LogLevel DEBUG3
AuthorizedKeysFile .ssh/authorized_keys
PubkeyAuthentication yes
AuthenticationMethods publickey
Infrastructure Details
Target IP: 10.70.81.184
Target Hostname: claude-max-1-shared
Protocol: SSH
Port: 22
UNIX Username: prat
User Email: prashanth.m@bdiplus.com
Cloudflare Tunnel: claude-max-1-shared (Active, Healthy)
WARP Client: Connected, Gateway with WARP mode enabled
Reproduction Steps
User authenticates via WARP client (connected and verified)
User runs: ssh prat@10.70.81.184
Connection reaches server but fails with: Permission denied (publickey)
browser prompted appears (correct for Infrastructure SSH)
Timeline
First attempt: January 29, 2026 ~20:30 UTC
Timezone: UTC
Troubleshooting Attempts
Access Policy Verification:Access policy includes prashanth.m@bdiplus.com
Policy allows SSH user prat
Access logs show Access granted decision
Tunnel Health:Tunnel status: Healthy
4 connections active to Cloudflare global network
No degradation or downtime
User Existence on Server:warp-cli status
Connecte
warp-cli target list
Output shows target with correct IP and username
SSH Certificate Validation:SSH connection reaches server
Certificate validation fails
Server rejects Cloudflare-issued certificate
Attachments
Jan 29 20:32:51: Connection closed by authenticating user prat ::1 port 59730 [preauth]
Jan 29 20:32:51 c]: debug1: do_cleanup [preauth]
Jan 29 20:32:51 ]: debug3: PAM: sshpam_thread_cleanup entering [preauth]
/etc/ssh/sshd_config
Port 22PermitRootLogin yes
AuthorizedPrincipalsFile /etc/ssh/principals/%u
AllowUsers prat root
PasswordAuthentication yes
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
TrustedUserCAKeys /etc/ssh/ca.pub
LogLevel DEBUG3
AuthorizedKeysFile .ssh/authorized_keys
PubkeyAuthentication yes
AuthenticationMethods publickey
Welcome to the official Cloudflare Developers server. Here you can ask for help and stay updated with the latest news
85,042Members
Resources
Was this page helpful?
