Azure / CloudShell

Container Image for Azure Cloud Shell (https://azure.microsoft.com/en-us/features/cloud-shell/)
https://shell.azure.com
MIT License

[BUG] token_type ssh-cert is not supported by this version of Azure Portal #203

Open renatopagan opened 2 years ago

renatopagan commented 2 years ago

## To Reproduce

Commands you ran:

az ssh arc --resource-group RG-Test --name ubuntu2

## Observed Behavior
Error:
A Cloud Shell credential problem occurred. When you report the issue with the error below, please mention the hostname 'cc-98b7850f-c555cf4b5-dsfpn'
token_type ssh-cert is not supported by this version of Azure Portal
Please explicitly log in with:
az login --scope https://pas.windows.net/CheckMyAccess/Linux/.default

## Expected behavior
We expect the command to run directly.


## Is this specific to Cloud Shell?
This is specific to Cloud Shell

## Interface information
https://portal.azure.com

## Additional context
I'm creating this issue based on the info from this blog:
https://edyoung.github.io/blog/cloud_shell_auth/

maertendMSFT commented 2 years ago

@renatopagan, looks like you are trying to use AAD auth when using the az ssh arc command. This is currently not available by default, but we are actively working on adding it. In the meantime, this should work by running an az login before az ssh.

Let me know if this resolves the issue.

robins1212 commented 2 years ago

@renatopagan Azure Portal has further rolled out the change necessary to use az ssh arc, could you try again and see if the issue still exists?

R-LIBIN commented 2 years ago

same error,

token_type ssh-cert is not supported by this version of Azure Portal
Please explicitly log in with:
az login --scope https://pas.windows.net/CheckMyAccess/Linux/.default

cooky667 commented 2 years ago

I've also received this error. Using the command:

az ssh vm --ip 10.0.0.4

Receiving the error:

A Cloud Shell credential problem occurred. When you report the issue with the error below, please mention the hostname 'SandboxHost-637999821715982110'
token_type ssh-cert is not supported by this version of Azure Portal
Please explicitly log in with:
az login --scope https://pas.windows.net/CheckMyAccess/Linux/.default

I'm using cloud shell within a virtual network as described here:

https://learn.microsoft.com/en-us/azure/cloud-shell/private-vnet

Happy to assist with any further testing if it's useful :)

maertendMSFT commented 2 years ago

Are you still seeing this issue? I cannot repro; this should be resolved.

rc87448 commented 1 year ago

@maertendMSFT - I've only just come back to trying this again after a break

I have experienced this working previously, however, I now seem to be running into the same issue.

Either I get the same error as above, or the command completely stalls and does not seem to time out. This afternoon I've also raised a support ticket with MS for the behaviour, so if this turns out to be user error and/or a configuration error I will post back here.

R-LIBIN commented 1 year ago

Had great trouble doing this and had to move to a system assigned identity.

maertendMSFT commented 1 year ago

System assigned managed identity is a requirement for AAD auth: https://learn.microsoft.com/azure/active-directory/devices/howto-vm-sign-in-azure-ad-linux#virtual-machine

Can you confirm that you have the pre-requisites from the link above?

R-LIBIN commented 1 year ago

This is still there..

rc87448 commented 1 year ago

> System assigned managed identity is a requirement for AAD auth: https://learn.microsoft.com/azure/active-directory/devices/howto-vm-sign-in-azure-ad-linux#virtual-machine
>
> Can you confirm that you have the pre-requisites from the link above?

Yes, confirmed. Have been through the guide a few times to make sure :)

Happy to share more detail if it's helpful? I've tried with a CentOS 7 VM and an Ubuntu 18 VM (I've also tried some others but just calling those out as examples).

rc87448 commented 1 year ago

Interestingly (this could be a coincidence as I haven't exactly tested extensively), I have just tried this again using the preview portal and it worked:

https://preview.portal.azure.com

I was able to successfully authenticate to my VMs using cloudshell and AAD SSH. I will try again over the next few days and see if this is just a coincidence or not.

R-LIBIN commented 1 year ago

Hi Richard,

Things were actually going well.

Recently, for some time, it's not going so well.

Thank you.

Please feel free to reach out for any queries.

Regards, Libin

rc87448 commented 1 year ago

This is what I have found so far:

- I'm using Azure cloud shell within an isolated vnet.
- I'm accessing the Azure portal 'https://portal.azure.com' using Chrome from a MacBook.
- When I access cloud shell from portal.azure.com and attempt to ssh to a VM using the command 'az ssh vm --ip 172.16.10.4' (remember cloudshell is in a vnet, hence the private IP), I get the below error:

PS /home/richard> az ssh vm --ip 172.16.10.4
A Cloud Shell credential problem occurred. When you report the issue with the error below, please mention the hostname 'SandboxHost-638101644182627714'
token_type ssh-cert is not supported by this version of Azure Portal
Please explicitly log in with:
az login --scope https://pas.windows.net/CheckMyAccess/Linux/.default

######################################################################################

- When I close my browser completely and reopen - don't open a new tab, completely close and reopen.
- I connect to the Azure portal preview 'https://preview.portal.azure.com/'.
- When I access cloud shell from preview.portal.azure.com and attempt to ssh to a VM using the command 'az ssh vm --ip 172.16.10.4' (remember cloudshell is in a vnet, hence the private IP), I am able to connect to the VM successfully as expected.

Closing and reopening the browser seems important. If I just open the preview portal in a new tab it doesn't work. I'd be interested if others get a similar result.

R-LIBIN commented 1 year ago

Despite doing relative research, there is no quantitative result from my end.
