Fail or verbosely warn about SSH key permissions when running Update-AksHci, Get-AksHciLogs, Get-MocLogs, etc

Azure / aksArc

# Welcome to the Azure Kubernetes Service enabled by Azure Arc (AKS Arc) repo This is where the AKS Arc team will track features and issues with AKS Arc. We will monitor this repo in order to engage with our community and discuss questions, customer scenarios, or feature requests. Checkout our projects tab to see the roadmap for AKS Arc!

MIT License

111 stars 45 forks source link

Fail or verbosely warn about SSH key permissions when running Update-AksHci, Get-AksHciLogs, Get-MocLogs, etc #193

Open eponerine opened 2 years ago

eponerine commented 2 years ago

Any Powershell cmdlet that requires SSH access will attempt to use the keys located in (Get-AksHciConfig).Moc.sshPrivateKey

However, as discussed in this Docs page, if a different user is attempting to run commands such as Get-AksHciLogs or Update-AksHci, it will "fail" in some shape or form due to permissions not being set for that user on the key:

Until a better solution is figured out for multiple Windows Users managing an AKS-HCI cluster, can we please perform a precheck on the SSH keys using information returned from Get-Acl ?

Side note... I am curious about the number of Customer Support tickets opened that are a result of silly things like this. I know I was recently burned by this and the only indication this was the problem was me digging thru Docs pages that mention it in passing. The cmdlets can def be improved to catch or warn the user first.

eponerine commented 1 year ago

Is there an update to this? This is still a problem even if you use the May 2023 release of AKS Hybrid!!!

eponerine commented 10 months ago

Bump bump bump?

Elektronenvolt commented 9 months ago

@eponerine I've seen exactly that issue in the screenshot a week ago at collecting logs with Get-AksHciLogs. The ssh key in my userprofile .ssh folder had been used and all other admins have permissions to it as well.

But, with newer setups, this is not an issue at all. I remember a short script or PS command to add multiple admins before adding them to the local administrator's group of the underlying Hyper-V hosts was enough. This smells like a leftover from that.

I 'fixed' it now by removing permissions of other users from my user's .ssh folder. On newer setups only my user has permissions at the .ssh folder in the userprofile - and we have multiple admins in place.

eponerine commented 9 months ago

Yeah that sounds correct. I think because we've recreated AKS deployment 100x, but never recreated the actual CSV or subfolders, its still an issue for us?

Elektronenvolt commented 9 months ago

On setups where multi admin works fine we never executed the previous "workaround script" - only added user accounts to a local administrators AD group. I think that's the reason why it works fine. And - with every clean re-install I also delete any remaining folders at the CSV or C drives. I had to 'fix' one older setup by removing other people's accounts permissions from my user's profile .ssh folder.