MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Enable SSH on a custom container with OpenSSH v8.8 (App Service) #85349

Closed malandles closed 3 months ago

malandles commented 2 years ago

Problem

I believe this section is no longer valid as the connection from Azure Portal via the web ssh tool no longer works using the configuration described in this documentation.

When accessing https://<app-service-name>.scm.azurewebsites.net/webssh/host, the following error happens:

SSH CONNECTION CLOSE - Error: Handshake failed: no matching host key format

Solution

The most recent OpenSSH v8.8 release note mentions the following:

Potentially-incompatible changes

This release disables RSA signatures using the SHA-1 hash algorithm by default. This change has been made as the SHA-1 hash algorithm is cryptographically broken, and it is possible to create chosen-prefix hash collisions for <USD$50K [1]

For most users, this change should be invisible and there is no need to replace ssh-rsa keys. OpenSSH has supported RFC8332 RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys will automatically use the stronger algorithm where possible.

Incompatibility is more likely when connecting to older SSH implementations that have not been upgraded or have not closely tracked improvements in the SSH protocol. For these cases, it may be necessary to selectively re-enable RSA/SHA1 to allow connection and/or user authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms options. For example, the following stanza in ~/.ssh/config will enable RSA/SHA1 for host and user authentication for a single destination host:

Host old-host
     HostkeyAlgorithms +ssh-rsa
     PubkeyAcceptedAlgorithms +ssh-rsa

We recommend enabling RSA/SHA1 only as a stopgap measure until legacy implementations can be upgraded or reconfigured with another key type (such as ECDSA or Ed25519).

So if we add the 2 lines from the release notes to the sshd_config, SSH works again. Here is the valid config diff:

  #
  # /etc/ssh/sshd_config
  #

  Port                     2222
  ListenAddress            0.0.0.0
  LoginGraceTime           180
  X11Forwarding            yes
  Ciphers                  aes128-cbc,3des-cbc,aes256-cbc
  MACs                     hmac-sha1,hmac-sha1-96
+ HostkeyAlgorithms        +ssh-rsa
+ PubkeyAcceptedAlgorithms +ssh-rsa
  StrictModes              yes
  SyslogFacility           DAEMON
  PasswordAuthentication   yes
  PermitEmptyPasswords     no
  PermitRootLogin          yes
  Subsystem                sftp internal-sftp
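Review bot: the `+ssh-rsa` lines re-enable RSA/SHA-1 server-wide, whereas the release note quoted above describes a per-host client stanza and calls the fallback a stopgap; a short comment above the two added lines recording that this is a compatibility workaround for the web SSH client (and the OpenSSH version it was needed for) would keep it from becoming permanent. Of the two, `HostkeyAlgorithms +ssh-rsa` is the one that addresses the "no matching host key format" error; `PubkeyAcceptedAlgorithms +ssh-rsa` only affects public-key user authentication, which this config does not rely on given `PasswordAuthentication yes`, so it could be left out or its purpose explained. Note also that the surrounding context keeps CBC-only `Ciphers`, SHA-1-only `MACs` and `PermitRootLogin yes`, so the doc should make clear that this whole block is for the platform's in-portal SSH tool rather than a general-purpose hardened sshd_config. (The mixed-case `HostkeyAlgorithms` spelling is accepted, since sshd matches keywords case-insensitively.)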

Now I get an SSH CONNECTION ESTABLISHED!
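As an added defender-side check, not code from the issue, the azure-docs page or any Azure tooling: a small Python linter that parses an sshd_config in the form shown above and reports the settings that re-enable RSA/SHA-1 signatures, keep CBC ciphers or SHA-1 MACs, or allow root login, honouring the `+`/`-`/`^` prefixes the release note describes. The sample config is constructed from the values in the issue; the keyword names are the standard sshd_config ones.

```python
import re
# Constructed sample built from the sshd_config values quoted in the issue above.
SAMPLE_CONFIG = """\
Ciphers                  aes128-cbc,3des-cbc,aes256-cbc
MACs                     hmac-sha1,hmac-sha1-96
HostkeyAlgorithms        +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
PermitRootLogin          yes
"""
SHA1_SIGNATURES = {"ssh-rsa", "ssh-rsa-cert-v01@openssh.com"}  # RSA signatures using SHA-1
SHA1_MACS = {"hmac-sha1", "hmac-sha1-96", "hmac-sha1-etm@openssh.com", "hmac-sha1-96-etm@openssh.com"}
# (keyword, predicate marking a legacy algorithm name, label used in the finding)
LEGACY_CHECKS = [
    ("hostkeyalgorithms", lambda n: n in SHA1_SIGNATURES, "RSA/SHA-1 host key signatures"),
    ("pubkeyacceptedalgorithms", lambda n: n in SHA1_SIGNATURES, "RSA/SHA-1 user key signatures"),
    ("ciphers", lambda n: n.endswith("-cbc"), "CBC-mode ciphers"),
    ("macs", lambda n: n in SHA1_MACS, "SHA-1 MACs"),
]

def parse_sshd_config(text):
    """Map lowercase keyword -> value; the first occurrence wins, as sshd applies it."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)", line)  # "Key value" or "Key=value"
        if m:
            conf.setdefault(m.group(1).lower(), m.group(2).strip())
    return conf

def split_algos(value):
    """Split a list value; a leading '+' appends to, '-' removes from, '^' prepends to the defaults."""
    mode = value[0] if value[:1] in ("+", "-", "^") else "="
    return mode, [a.strip() for a in value.lstrip("+-^").split(",") if a.strip()]

def lint(text):
    """Return findings for SHA-1 / CBC algorithms and root login in an sshd_config."""
    conf = parse_sshd_config(text)
    findings = []
    for key, is_legacy, label in LEGACY_CHECKS:
        if key in conf:
            mode, names = split_algos(conf[key])
            hits = [n for n in names if is_legacy(n)]
            if mode != "-" and hits:  # a '-' list removes names from the defaults, which is fine
                findings.append(f"{key}: {label} enabled ({','.join(hits)})")
    if conf.get("permitrootlogin", "").lower() == "yes":
        findings.append("permitrootlogin: root login over SSH is allowed")
    return findings
```

Running `lint(SAMPLE_CONFIG)` on the constructed sample yields five findings, one per legacy setting in the issue's config.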



Grace-MacJones-MSFT commented 2 years ago

Hi @malandles, thanks for bringing this to our attention. I have assigned the issue to the content author to evaluate and update this doc as appropriate.

cephalin commented 2 years ago

need-sme-input (verify customer suggested changes)

btardif commented 2 years ago

@denvermb can you take a look and help @cephalin

btardif commented 2 years ago

taken-by:denvermb

cephalin commented 4 months ago

reassign:msangapu-msft

msangapu-msft commented 3 months ago

Thank you for your feedback. We've added this to our backlog to prioritize. #please-close