Azure / azure-cli

Azure Command-Line Interface
MIT License

az ssh vm is omitting ssh.exe output #21038

Open mvaferreira opened 2 years ago

mvaferreira commented 2 years ago

Client-side issue using 'az ssh vm' to connect to Linux using Azure AD user.

If you're trying to connect to ssh using Azure AD credentials (following https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-linux#login-using-azure-ad-user-account-to-ssh-into-the-linux-vm) through 'az ssh vm' cli command, you had it working before, then deleted the VM, created another VM with the same name (hostname), then 'az ssh vm' command will omit the output of C:\Windows\System32\OpenSSH\ssh.exe (haven't tested on Linux).

It should display "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" output, but instead, it just returns without any output.

This happens because the VM was recreated, so another SSH fingerprint is presented. The SSH client will refuse to connect to the server.

To confirm this is the issue, try connecting using:

C:\Windows\System32\OpenSSH\ssh.exe userPrincipalName@ip <-- this will display the above message.

The following will display no output:

az ssh vm -n <vmname> -g <resourcegroupname>
az ssh vm --ip <private_or_public_ip>

The workaround is to fix or delete the 'known_hosts' file at:

%userprofile%\.ssh\known_hosts


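The "fix" half of the known_hosts workaround above, as an added example (not part of the original issue and not azure-cli code): it removes only the entries for the recreated VM, including hashed ones, and leaves every other pinned host key in place. The host names, address and key blobs are constructed placeholders, and wildcard host patterns are not handled.

```python
import base64
import hashlib
import hmac


def hash_host(host, salt):
    """Build a hashed host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def entry_matches(host_field, host):
    """True if one known_hosts host field (plain list or hashed) names `host`."""
    if host_field.startswith("|1|"):
        try:
            salt = base64.b64decode(host_field.split("|")[2])
        except (IndexError, ValueError):
            return False  # malformed hashed entry: never treat it as a match
        return hash_host(host, salt) == host_field
    # Plain entry: comma-separated names/addresses. A non-default port is
    # stored as "[host]:port", so pass that exact form in `host` if needed.
    return host in host_field.split(",")


def drop_stale_entries(known_hosts_text, hosts):
    """Return (new_text, removed_line_numbers) with entries for `hosts` removed."""
    kept, removed = [], []
    for lineno, line in enumerate(known_hosts_text.splitlines(), start=1):
        fields = line.split()
        # Keep blanks, comments and @cert-authority/@revoked marker lines as-is.
        if not fields or fields[0][0] in "#@":
            kept.append(line)
        elif any(entry_matches(fields[0], h) for h in hosts):
            removed.append(lineno)  # the whole line goes, with all names on it
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = "\n".join([
    "# constructed sample",
    "myvm.example.com,203.0.113.10 ssh-ed25519 AAAA_PLACEHOLDER_OLD_KEY",
    hash_host("203.0.113.10", bytes(range(20))) + " ssh-rsa AAAA_PLACEHOLDER_OLD_KEY2",
    "other.example.com ssh-ed25519 AAAA_PLACEHOLDER_OTHER",
]) + "\n"

if __name__ == "__main__":
    text, gone = drop_stale_entries(SAMPLE, {"myvm.example.com", "203.0.113.10"})
    print("removed lines:", gone)
    print(text, end="")
```

On the command line, `ssh-keygen -R <hostname>` performs the same targeted removal against the real file. Remove an entry only when the key change is expected, as it is here because the VM was recreated.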

yonzhan commented 2 years ago

route to service team

bagajjal commented 2 years ago

@mvaferreira - Thanks for reporting the issue. We will fix it soon. Another workaround is to pass the verbosity flag to know the actual problem, az ssh vm -n <machine-name> -g <resource-group> -- -v

steinaw commented 2 years ago

In addition to outputting the error, is it also possible to output a message based on incorrect IAM permissions? If a user does not have login permissions (e.g. virtual machine user login), even using the -v option the only hint we get is a connection closed response. Can the cli check for permissions to the resource before attempting and provide an access denied message?

istairbn commented 2 years ago

Any update on this? It's an absolutely horrible end user experience. The underlying call (SSH) is giving a perfectly serviceable error message, and az simply swallows it - doesn't even respond with a warning! Even experienced sysadmins are confused, because the CLI is just closing without any response.

Options:

  1. Capture the error, bubble it up
  2. Capture the error, return a custom warning
  3. Capture the error, return a custom error

And if the recommended response is "pass -- -v" - can that please at least be added to the result of "az ssh vm --help"? Even better, you could add this known issue to the help file for now, so end users have a chance.