Open ckittel opened 1 year ago
Thank you for opening this issue, we will look into it.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @aznetsuppgithub.
| Field | Value |
|---|---|
| Author | ckittel |
| Assignees | - |
| Labels | `bug`, `Network`, `Service Attention`, `needs-team-attention`, `Network - Bastion`, `Auto-Assign`, `Azure CLI Team` |
| Milestone | Backlog |
Non customer reported. Adding Service team to look into this.
@navba-MSFT how's this coming along?
Any updates to share? We are introducing a pretty significant workaround due to this in our customer-facing content -- would be great to simplify this back to a process that "just works" based on how it was designed to operate.
What's the decision here, @navba-MSFT? Any more information I can provide. Reach out to me on teams if you require a sync call.
@ckittel As mentioned above, this needs to be looked by Service team. Please follow-up with @aznetsuppgithub.
@aznetsuppgithub Please look into this on priority and reach out to @ckittel if you need any more information on this.
@ckittel reviewing now
I faced the same issue when using command: az network bastion ssh --name MyBastionName --resource-group MyGR --target-resource-id MyResourceID --auth-type AAD --debug
I modified line 348 in the following Python script, `%UserProfile%\.azure\cliextensions\ssh\azext_ssh\custom.py`, to change the permission definition from `0o644` to `0o600`, and this solved the permissions issue.

```
--oschmod.set_mode(cert_file, 0o644)
++oschmod.set_mode(cert_file, 0o600)
```

However, now I am faced with the dreaded 'invalid format' for the certificate file: `Load key "%AppData%\Temp\aadsshxxxxx\id_rsa.pub-aadcert.pub": invalid format`

Strangely, this error does not occur with the first generated certificate file, only subsequent generated files, even though the files are identical. Adding the exception to the sshd_config file does not help:

```
PubkeyAcceptedAlgorithms +ssh-rsa-cert-v01@openssh.com
CASignatureAlgorithms +ssh-rsa
```
When will we see support for ed25519 format?
@isamorris reviewing now
Hey there Isabelle, what did your review yield?
@isamorris are there any updates?
Any updates @yonzhan or @isamorris?
@vthiebaut10 can you take a look at this? This is likely a ssh extension issue as we can az ssh to generate the cert.
Hey there @vthiebaut10, what did you find when you took a look at this?
Thank you for your patience. This problem is currently being investigated here https://github.com/Azure/azure-cli/issues/28417
I'm currently out of office, and will continue the investigation as soon as I arrive. As a temporary workaround, the users in the other issue reported that downgrading Azure CLI fixes the issue.
Same issue for me
I shared a temporary workaround for this issue in the main issue: https://github.com/Azure/azure-cli/issues/28417
Thanks @vthiebaut10 for the workaround. Here is the deep link to the workaround mentioned above in Azure/azure-cli#28417: https://github.com/Azure/azure-cli/issues/28417
Describe the bug
When using
`az network bastion ssh --auth-type AAD`
the SSL certificate is automatically added to `/tmp/aadsshcert...`, but the file permissions are set such that OpenSSH 8.2 fails, which means the connection cannot be established.
I know the bastion command delegates this work to the ssh extension, so this is probably more of an issue for the ssh extension authors to address.
Related command
az network bastion ssh --auth-type AAD
Errors
Issue script & Debug output
Expected behavior
The generated `id_rsa` file is set to permissions of `600`. As a bonus, I think it could even be set to `400`, since this directory is transient by nature. The temp directory (`aadsshcert23cd5o7q` in this specific example above) could even be set to `700` as well for added security/intent hygiene.
Environment Summary
Additional context
No response
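The permissions this report asks for (0600 on the key and certificate, 0700 on the transient directory), together with the `0o644` to `0o600` change from the earlier comment, shown as an added Python example. This is not code from the azure-cli ssh extension; the file names and placeholder key material are constructed, the `mode_too_open` check restates the rule OpenSSH applies to identity files (owned by the caller and any group/other bit set), and it is POSIX-only because `os.chmod()` cannot express these modes on Windows, which is why the extension goes through `oschmod` there.

```python
"""Stage an SSH identity and AAD certificate with the modes OpenSSH expects:
directory 0700, key and certificate files 0600.

Added example, not code from the azure-cli ssh extension. POSIX-only.
"""
import os
import shutil
import stat
import tempfile

PRIVATE_FILE_MODE = 0o600   # owner read/write only (0o400 would also pass)
PRIVATE_DIR_MODE = 0o700    # owner rwx only
GROUP_OTHER_BITS = 0o077    # any of these set on a key -> "permissions are too open"


def mode_too_open(mode: int, owned_by_caller: bool = True) -> bool:
    """The check OpenSSH applies to an identity file: it is rejected when it
    belongs to the caller and has any group or other permission bit set.
    A file owned by someone else is not checked this way."""
    return owned_by_caller and (mode & GROUP_OTHER_BITS) != 0


def make_cert_dir(prefix: str = "aadsshcert") -> str:
    """Create the transient directory. mkdtemp() already creates it 0700
    independent of umask; the chmod makes the intent explicit."""
    path = tempfile.mkdtemp(prefix=prefix)
    os.chmod(path, PRIVATE_DIR_MODE)
    return path


def write_private(path: str, data: bytes) -> None:
    """Create the file 0600 at open() time, so there is never a window in
    which a 0644 file exists before a later chmod. O_EXCL refuses to reuse a
    pre-existing file or follow a planted symlink; fchmod defeats a permissive
    umask that would otherwise mask the requested mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, PRIVATE_FILE_MODE)
    try:
        os.fchmod(fd, PRIVATE_FILE_MODE)
        os.write(fd, data)
    finally:
        os.close(fd)


def mode_of(path: str) -> int:
    """Permission bits only (no file-type bits), without following symlinks."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def perms_ok(path: str) -> bool:
    """True when OpenSSH would accept this file as an identity/certificate."""
    st = os.lstat(path)
    return not mode_too_open(stat.S_IMODE(st.st_mode), st.st_uid == os.getuid())


def stage_identity(key_pem: bytes, cert_blob: bytes) -> dict:
    """Lay out id_rsa and id_rsa.pub-aadcert.pub (the names from the report)
    and return the resulting modes and acceptance results."""
    d = make_cert_dir()
    key = os.path.join(d, "id_rsa")
    cert = os.path.join(d, "id_rsa.pub-aadcert.pub")
    write_private(key, key_pem)
    write_private(cert, cert_blob)
    return {
        "dir": d, "key": key, "cert": cert,
        "dir_mode": mode_of(d), "key_mode": mode_of(key), "cert_mode": mode_of(cert),
        "key_ok": perms_ok(key), "cert_ok": perms_ok(cert),
    }


if __name__ == "__main__":
    # Constructed placeholder material; not a real key or certificate.
    out = stage_identity(
        b"-----BEGIN OPENSSH PRIVATE KEY-----\nexample\n-----END OPENSSH PRIVATE KEY-----\n",
        b"ssh-rsa-cert-v01@openssh.com AAAA... example\n",
    )
    for name, value in out.items():
        print(f"{name}: {oct(value) if isinstance(value, int) else value}")
    print("0o644 too open:", mode_too_open(0o644))
    shutil.rmtree(out["dir"])   # the directory is transient by nature
```

The important design choice is passing the mode to `os.open()` rather than writing the file and fixing it up afterwards: a write-then-`set_mode(..., 0o644)` sequence is exactly the pattern the patched line in `custom.py` reflects, and a separate chmod always leaves a short window in which the file is readable by others.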