search

Azure / azure-cli-extensions

Public Repository for Extensions of Azure CLI.
https://docs.microsoft.com/en-us/cli/azure
MIT License
380 stars 1.19k forks source link

az ssh vm problem with Portal ssh configuration reset #5270

Open rodrigobrochado opened 2 years ago

rodrigobrochado commented 2 years ago

Related command

az ssh vm -n myVM -g dev

Extension name (the extension in question)

ssh

Description of issue (in as much detail as possible)

A coleague was having problem accessing a Linux VM with az cli plugin, although I could access the VM by both azure cli and my host ssh (using manually added ssh pub key on VM on "ubuntu" user) I followed this troubleshooting and I reset the VM SSH configuration in Azure Portal (Virtual Machines -> select the VM in question -> Reset password -> "Reset configuration only" -> Update). After that no one was capable to access the VM with az ssh vm anymore.

I then run the ssh extension with the debug option and could check that everything was working fine at the AD authentication with Azure and the temporary certificate generation. The problem was when trying to ssh the VM with the temporary ssh certificate created.

I then checked the /var/log/auth.log on remote and it was printing the following:

Aug 24 18:29:02 influx-test sshd[2756]: rexec line 18: Deprecated option UsePrivilegeSeparation
Aug 24 18:29:02 influx-test sshd[2756]: rexec line 21: Deprecated option KeyRegenerationInterval
Aug 24 18:29:02 influx-test sshd[2756]: rexec line 22: Deprecated option ServerKeyBits
Aug 24 18:29:02 influx-test sshd[2756]: rexec line 33: Deprecated option RSAAuthentication
Aug 24 18:29:02 influx-test sshd[2756]: rexec line 41: Deprecated option RhostsRSAAuthentication
Aug 24 18:29:03 influx-test sshd[2756]: reprocess config line 33: Deprecated option RSAAuthentication
Aug 24 18:29:03 influx-test sshd[2756]: reprocess config line 41: Deprecated option RhostsRSAAuthentication
Aug 24 18:29:04 influx-test sshd[2756]: Connection closed by authenticating user rodrigo.brochado@predito.com.br 192.140.41.80 port 51525 [preauth]
Aug 24 18:29:06 influx-test sshd[2760]: rexec line 18: Deprecated option UsePrivilegeSeparation
Aug 24 18:29:06 influx-test sshd[2760]: rexec line 21: Deprecated option KeyRegenerationInterval
Aug 24 18:29:06 influx-test sshd[2760]: rexec line 22: Deprecated option ServerKeyBits
Aug 24 18:29:06 influx-test sshd[2760]: rexec line 33: Deprecated option RSAAuthentication
Aug 24 18:29:06 influx-test sshd[2760]: rexec line 41: Deprecated option RhostsRSAAuthentication
Aug 24 18:29:06 influx-test sshd[2760]: error: kex_exchange_identification: Connection closed by remote host

I figured that the SSH configuration reset broke something and was probably not accepting the type of temporary key generated by az ssh. I found a backup file for /etc/ssh/sshd_config on the same /etc/ssh/ folder and restore it. Reload the sshd service and az ssh vm login was working again. I later found that my colleague was having internet problems.

My questions are: 1) Shouldn't az ssh extension report that the remote ssh server is rejecting the connection with certificates, even more if we are using the az ssh vm with "AAD issued certificates" option? 2) How could I report this bug of the "Reset SSH Configuration" in Azure Portal?

The correct_config.txt and bugged_config.txt sshd_config files.

yonzhan commented 2 years ago

route to CXP team

navba-MSFT commented 1 year ago

Adding Service team to look into this.