Azure / azure-cli-extensions

Public Repository for Extensions of Azure CLI.
https://docs.microsoft.com/en-us/cli/azure
MIT License
381 stars 1.2k forks

az ssh: Configurable certificate lifetime #3565

Open evenh opened 3 years ago

evenh commented 3 years ago

Extension name (the extension in question)

az ssh

Description of issue (in as much detail as possible)

As I'm migrating from the legacy AAD SSH login scheme, I can't quite understand if/how to configure when the issued SSH certificates expire. I assume this is (partially) configured in Azure AD but I'm lacking the detailed knowledge on where to configure this.

More details in the relevant documentation would be greatly appreciated in addition to possibly more flags in az ssh to configure SSH certificate lifetime.

yonzhan commented 3 years ago

ssh

N6UDP commented 3 years ago

@evenh These default to an hour and are currently not configurable -- you can view this yourself by inspecting the created certificate (either via the cert/config options) or by finding the temp file written by the vm e.g.

for i in $(find /tmp/aadsshcert* | grep aadcert); do ssh-keygen -L -f "$i"; done
/tmp/aadsshcertoezhfk5m/id_rsa.pub-aadcert.pub:
<snip>
        Valid: from 2021-07-21T18:43:26 to 2021-07-21T19:48:26
<snip>

If you used your own public key for signing (e.g. one bound to a hardware token etc) you'll find the -aadcert.pub file in the same directory as the public key. JW - Are you looking for tokens that are shorter or longer lived?
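The comment above reads the validity window with `ssh-keygen -L`. The same two fields can be read straight out of the certificate file, which is useful for a wrapper that wants to decide, before calling ssh, whether the `-aadcert.pub` file is still good or `az ssh config` should be rerun. The following is an added example, not code from the azure-cli-extensions project: it walks the `ssh-rsa-cert-v01@openssh.com` field layout from OpenSSH's PROTOCOL.certkeys, returns the `valid_after`/`valid_before` timestamps, and applies a refresh margin. The margin value, the helper names and the unsigned test certificate it builds are assumptions made for the example; the test certificate carries dummy key material and an empty signature and would not authenticate anywhere.

```python
"""Added example (not part of the azure-cli-extensions project): read the
validity window out of an OpenSSH certificate such as the *-aadcert.pub
file that `az ssh` writes, and decide whether it should be refreshed before
connecting.  Helper names, REFRESH_MARGIN and the constructed certificate
below are assumptions made for this example."""
import base64
import struct
import time

CERT_TYPE = "ssh-rsa-cert-v01@openssh.com"
REFRESH_MARGIN = 300  # seconds of validity left below which we refresh (assumed)


def _read_string(buf, off):
    """Read an SSH 'string' (big-endian uint32 length prefix + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _read_u64(buf, off):
    return struct.unpack(">Q", buf[off:off + 8])[0], off + 8


def _read_u32(buf, off):
    return struct.unpack(">I", buf[off:off + 4])[0], off + 4


def parse_cert_validity(pub_line):
    """Return (key_id, principals, valid_after, valid_before) from one
    'ssh-rsa-cert-v01@openssh.com AAAA... comment' line.  Field order is the
    RSA certificate layout from OpenSSH's PROTOCOL.certkeys; timestamps are
    seconds since the Unix epoch, UTC."""
    blob = base64.b64decode(pub_line.split()[1])
    off = 0
    ctype, off = _read_string(blob, off)
    if ctype.decode() != CERT_TYPE:
        raise ValueError("unsupported certificate type %r" % ctype)
    _nonce, off = _read_string(blob, off)
    _e, off = _read_string(blob, off)       # mpint, public exponent
    _n, off = _read_string(blob, off)       # mpint, modulus
    _serial, off = _read_u64(blob, off)
    _cert_kind, off = _read_u32(blob, off)  # 1 = user certificate
    key_id, off = _read_string(blob, off)
    principals_blob, off = _read_string(blob, off)
    valid_after, off = _read_u64(blob, off)
    valid_before, off = _read_u64(blob, off)
    principals, p = [], 0
    while p < len(principals_blob):  # nested list of SSH strings
        name, p = _read_string(principals_blob, p)
        principals.append(name.decode())
    return key_id.decode(), principals, valid_after, valid_before


def seconds_remaining(pub_line, now=None):
    """Seconds until valid_before; negative once the certificate has expired."""
    now = int(time.time()) if now is None else now
    _kid, _princ, _after, before = parse_cert_validity(pub_line)
    return before - now


def needs_refresh(pub_line, now=None, margin=REFRESH_MARGIN):
    """True if the cert is not yet valid, expired, or expires within margin."""
    now = int(time.time()) if now is None else now
    _kid, _princ, after, before = parse_cert_validity(pub_line)
    return now < after or before - now < margin


def load_cert_line(path):
    """Read the single public-key line of an *-aadcert.pub file."""
    with open(path) as f:
        return f.readline().strip()


def _string(b):
    return struct.pack(">I", len(b)) + b


def build_constructed_cert(key_id, principals, valid_after, valid_before):
    """Build an UNSIGNED certificate with the real field layout so the parser
    can be exercised offline.  Constructed test data: dummy key, empty
    signature; it will not authenticate anywhere."""
    body = _string(CERT_TYPE.encode())
    body += _string(b"\x00" * 32)                   # nonce
    body += _string(b"\x01\x00\x01")                # e = 65537 as mpint
    body += _string(b"\x00\xc0" + b"\x11" * 31)     # dummy modulus mpint
    body += struct.pack(">Q", 1)                    # serial
    body += struct.pack(">I", 1)                    # 1 = user certificate
    body += _string(key_id.encode())
    body += _string(b"".join(_string(p.encode()) for p in principals))
    body += struct.pack(">QQ", valid_after, valid_before)
    body += _string(b"")                            # critical options
    body += _string(b"")                            # extensions
    body += _string(b"")                            # reserved
    body += _string(b"")                            # signature key
    body += _string(b"")                            # signature
    return CERT_TYPE + " " + base64.b64encode(body).decode() + " constructed-test-cert"


if __name__ == "__main__":
    # Constructed cert with a 65-minute window, the span shown in the thread.
    start = int(time.time()) - 5 * 60
    line = build_constructed_cert("test-key-id", ["user@example"], start, start + 65 * 60)
    print(parse_cert_validity(line))
    print("remaining:", seconds_remaining(line), "refresh:", needs_refresh(line))
```

In real use, replace the constructed line with `load_cert_line(path)` pointing at the `-aadcert.pub` file next to your public key (or under `/tmp/aadsshcert*` when `az ssh` generated the key), and rerun `az ssh config` when `needs_refresh` returns True. The parser deliberately stops after the validity fields and does not verify the signature; it answers "is this still in its window", not "is this trustworthy".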

evenh commented 3 years ago

Thanks for the thorough reply. This matches what I see. I would really like to have this configurable to 12h, since that's the lifetime of our 'az' session. The best option for us would be to be able to have these in sync, but I recognize that it may be out of scope for this project.

evenh commented 3 years ago

Any progress here @N6UDP?

ML-Guy commented 2 years ago

Is it possible to have longer validity duration certificates? I am also looking for 12-24 hour validity.

maertendMSFT commented 2 years ago

Is this what you are looking to do? Change the token lifetime of an Azure AD application

lejorge commented 2 years ago

I'm also looking for a way to set the time for the SSH certificate that is generated. Ideally, the option to set different durations for the AZ Roles of Virtual Machine Administrator Login and Virtual Machine User Login would be great.

@maertendMSFT That's kind of close, but in the script, it appears that the token life is for an application. What we're looking for is a way to change the default 1 hour validity period for an SSH certificate generated by the command az ssh config --file ~/.ssh/config -n myVM -g AzureADLinuxVM in the documentation on connecting Linux VMs to Azure AD for login.

michetonu commented 1 year ago

I'm having the same problem, I'd love a solution!

bateskevin commented 10 months ago

Is there an update here? I would also like a solution for this problem.

KenBenjamin commented 9 months ago

If we could add a pre-flight command before it runs ssh.exe, that could allow us to refresh the certificates, for example: echo y | az ssh config --ip * --file .ssh/config

I'm proposing a new setting, Remote.SSH: Preflight: an absolute path to an executable that runs prior to each ssh connection.

I've tried incorporating that into the Remote.SSH: Path setting but it's complicated given all the possible parameters being passed. If I get it working, I'll post that solution here.

Note the echo y | is to work around this bug.

simoelmou commented 8 months ago

Is there an update please? I would also like a solution for this problem.