az network bastion ssh + AAD fails with "WARNING: UNPROTECTED PRIVATE KEY FILE!" #6408
Comments
Thank you for opening this issue, we will look into it.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @aznetsuppgithub.
Non customer reported. Adding Service team to look into this.
@navba-MSFT how's this coming along?
Any updates to share? We are introducing a pretty significant workaround due to this in our customer-facing content -- would be great to simplify this back to a process that "just works" based on how it was designed to operate.
What's the decision here, @navba-MSFT? Any more information I can provide? Reach out to me on Teams if you require a sync call.
@ckittel As mentioned above, this needs to be looked at by the Service team. Please follow up with @aznetsuppgithub. @aznetsuppgithub Please look into this on priority and reach out to @ckittel if you need any more information on this.
@ckittel reviewing now
I faced the same issue when using command: I modified line 348 in the following python script '%UserProfile%.azure\cliextensions\ssh\azext_ssh\custom.py' to change the permission definition from '0o644' to '0o600', and this solved the permissions issue. However, now I am faced with the dreaded 'invalid format' for the certificate file. Strangely, this error does not occur with the first generated certificate file, only subsequent generated files, even though the files are identical. When will we see support for ed25519 format?
Hey there Isabelle, what did your review yield?
Are there any updates?
Any updates @yonzhan or @isamorris?
@vthiebaut10 can you take a look at this? This is likely an ssh extension issue, as we can az ssh to generate the cert.
Hey there @vthiebaut10, what did you find when you took a look at this?
Thank you for your patience. This problem is currently being investigated here: Azure/azure-cli#28417. I'm currently out of office, and will continue the investigation as soon as I arrive. As a temporary workaround, the users in the other issue reported that downgrading Azure CLI fixes the issue.
Same issue for me.
I shared a temporary workaround for this issue in the main issue: Azure/azure-cli#28417
Thanks @vthiebaut10 for the workaround. This deeplink to the workaround mentioned above in Azure/azure-cli#28417 : Azure/azure-cli#28417
Describe the bug
When using az network bastion ssh --auth-type AAD, the SSL certificate is automatically added to /tmp/aadsshcert..., but the file permissions are set such that OpenSSH 8.2 fails with "WARNING: UNPROTECTED PRIVATE KEY FILE!", which means the connection cannot be established.
I know the bastion command delegates this work to the ssh extension, so this is probably more of an issue for the ssh extension authors to address.
Related command
az network bastion ssh --auth-type AAD
Errors
Issue script & Debug output
Expected behavior
The generated id_rsa file is set to permissions of 600. As a bonus, I think it could even be set to 400 since this directory is transient by nature. The temp directory (aadsshcert23cd5o7q in this specific example above) could even be set to 700 as well for added security/intent hygiene.
Environment Summary
Additional context
No response
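Added example, not code from azure-cli or its ssh extension: it shows in Python the behaviour the report asks for, creating the transient directory at 700 and the key file at 600 from the first instant (rather than at 0o644 followed by a chmod), together with a check that mirrors OpenSSH's group/other permission test that produces the "UNPROTECTED PRIVATE KEY FILE!" warning. The function names and the placeholder key bytes are my own.

```python
import os
import stat
import tempfile

# Added example, not the azure-cli ssh extension's code. It shows what the
# issue asks for: a 0o700 transient directory, a 0o600 key file, and a check
# equivalent to OpenSSH's "UNPROTECTED PRIVATE KEY FILE!" test (any group or
# other permission bit on a private key makes ssh ignore the key).
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO  # 0o077


def write_private_key(directory, name, key_pem, mode=0o600):
    """Create directory/name with `mode` from the first instant, instead of
    open() at the default 0o644 followed by a chmod (a race window)."""
    if mode & GROUP_OTHER_BITS:
        raise ValueError("private key mode must not grant group/other access")
    path = os.path.join(directory, name)
    # O_EXCL: never reuse or follow a pre-existing file or symlink at this path.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key_pem)
    os.chmod(path, mode)  # os.open applies the umask; pin the exact mode
    return path


def key_file_is_protected(path):
    """True if the file would pass OpenSSH's check: regular file, no group/other bits."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & GROUP_OTHER_BITS) == 0


def make_transient_key_dir(prefix="aadsshcert"):
    """Transient directory created at 0o700, as the issue suggests (mkdtemp does this)."""
    return tempfile.mkdtemp(prefix=prefix)


def demo():
    """Write one correctly protected key and one at the reported 0o644; report both."""
    fake_pem = b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed placeholder\n-----END OPENSSH PRIVATE KEY-----\n"
    d = make_transient_key_dir()
    good = write_private_key(d, "id_rsa", fake_pem, 0o600)
    loose = os.path.join(d, "id_rsa_loose")
    with open(loose, "wb") as fh:
        fh.write(fake_pem)
    os.chmod(loose, 0o644)  # the mode the issue reports
    return {"dir_mode": stat.S_IMODE(os.stat(d).st_mode),
            "protected": key_file_is_protected(good),
            "loose": key_file_is_protected(loose)}
```

Running demo() on a POSIX system reports the directory at 0o700, the key written through write_private_key as protected, and the 0o644 copy as the kind of file OpenSSH rejects.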