
az ssh: Configurable certificate lifetime

Open evenh opened this issue 3 years ago • 11 comments

  • If the issue is to do with Azure CLI 2.0 in-particular, create an issue here at Azure/azure-cli

Extension name (the extension in question)

az ssh

Description of issue (in as much detail as possible)

As I'm migrating from the legacy AAD SSH login scheme, I can't quite understand if/how to configure when the issued SSH certificates expire. I assume this is (partially) configured in Azure AD but I'm lacking the detailed knowledge on where to configure this.

More details in the relevant documentation would be greatly appreciated in addition to possibly more flags in az ssh to configure SSH certificate lifetime.

evenh avatar Jun 29 '21 06:06 evenh

ssh

yonzhan avatar Jun 29 '21 12:06 yonzhan

@evenh These default to an hour and are currently not configurable -- you can view this yourself by inspecting the created certificate (either via the cert/config options) or by finding the temp file written by the vm e.g.

for i in $(find /tmp/aadsshcert* -name '*aadcert*'); do ssh-keygen -L -f "$i"; done
/tmp/aadsshcertoezhfk5m/id_rsa.pub-aadcert.pub:
<snip>
        Valid: from 2021-07-21T18:43:26 to 2021-07-21T19:48:26
<snip>

If you used your own public key for signing (e.g. one bound to a hardware token etc) you'll find the -aadcert.pub file in the same directory as the public key. JW - Are you looking for tokens that are shorter or longer lived?

N6UDP avatar Jul 22 '21 02:07 N6UDP

Thanks for the thorough reply. This matches what I see. I would really like to have this configurable to 12h, since that's the lifetime of our 'az' session. The best option for us would be to be able to have these in sync, but I recognize that it may be out of scope for this project.

evenh avatar Jul 22 '21 06:07 evenh

Any progress here @N6UDP?

evenh avatar Sep 20 '21 09:09 evenh

Is it possible to have longer validity duration certificates? I am also looking for 12-24 hour validity.

ML-Guy avatar Jun 22 '22 08:06 ML-Guy

Is this what you are looking to do? Change the token lifetime of an Azure AD application

maertendMSFT avatar Jul 06 '22 21:07 maertendMSFT

I'm also looking for a way to set the time for the SSH certificate that is generated. Ideally, the option to set different durations for the AZ Roles of Virtual Machine Administrator Login and Virtual Machine User Login would be great.

@maertendMSFT That's kind of close, but in the script, it appears that the token life is for an application. What we're looking for is a way to change the default 1 hour validity period for an SSH certificate generated by the command az ssh config --file ~/.ssh/config -n myVM -g AzureADLinuxVM in the documentation on connecting Linux VMs to Azure AD for login.

lejorge avatar Jul 07 '22 22:07 lejorge

I'm having the same problem, I'd love a solution!

michetonu avatar Jan 23 '23 12:01 michetonu

Is there an update here? I would also like a solution for this problem.

bateskevin avatar Nov 16 '23 09:11 bateskevin

If we could add a pre-flight command before it runs ssh.exe, that could allow us to refresh the certificates, for example: echo y | az ssh config --ip * --file .ssh/config

I'm proposing a new setting: Remote.SSH: Preflight An absolute path to an executable that runs prior to each ssh connection.

I've tried incorporating that into the Remote.SSH: Path setting but it's complicated given all the possible parameters being passed. If I get it working, I'll post that solution here.

Note the echo y | is to work around this bug.

KenBenjamin avatar Dec 04 '23 13:12 KenBenjamin
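The inspection N6UDP describes (reading the "Valid: from ... to ..." line that ssh-keygen -L prints for the -aadcert.pub file) and the pre-flight refresh KenBenjamin proposes can be combined into one script. The following is an added example, not code from the az ssh extension or from anyone in this thread; the certificate path, the ~/.ssh/config layout and the refresh command (the thread's az ssh config invocation plus --overwrite) are assumptions, and the ssh-keygen output embedded below is constructed.

```shell
#!/bin/sh
# Pre-flight check before an SSH connection: re-run `az ssh config` when the
# one-hour az ssh certificate has expired. Added example, not the extension's code.

# Constructed sample of `ssh-keygen -L -f <key>-aadcert.pub` output; the real
# preflight() below reads the same format from ssh-keygen itself.
SAMPLE_CERT_INFO='/tmp/aadsshcert/id_rsa.pub-aadcert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Valid: from 2021-07-21T18:43:26 to 2021-07-21T19:48:26'

# cert_expiry: print the "to" timestamp from `ssh-keygen -L` output read on stdin.
cert_expiry() {
    sed -n 's/.*Valid: from [^ ]* to \([0-9TZ:-]*\).*/\1/p' | head -n 1
}

# to_num: 2021-07-21T19:48:26 -> 20210721194826, so timestamps compare as integers.
to_num() {
    printf '%s' "$1" | tr -cd '0-9'
}

# cert_is_fresh EXPIRY NOW: succeed only when the certificate is still valid at NOW.
# Both arguments use the ssh-keygen format (YYYY-MM-DDTHH:MM:SS, local time);
# an empty EXPIRY (no certificate, or ssh-keygen failed) counts as stale.
cert_is_fresh() {
    [ -n "$1" ] && [ "$(to_num "$1")" -gt "$(to_num "$2")" ]
}

# preflight CERT_FILE: refresh the certificate when it is missing or expired.
# Assumed path: the -aadcert.pub file sits next to the public key az ssh signed.
preflight() {
    cert="$1"
    now="$(date +%Y-%m-%dT%H:%M:%S)"
    expiry=""
    [ -f "$cert" ] && expiry="$(ssh-keygen -L -f "$cert" | cert_expiry)"
    if cert_is_fresh "$expiry" "$now"; then
        echo "certificate valid until $expiry" >&2
        return 0
    fi
    echo "certificate missing or expired; refreshing" >&2
    az ssh config --ip '*' --file "$HOME/.ssh/config" --overwrite
}
```

Call it as `preflight ~/.ssh/id_rsa.pub-aadcert.pub` from the pre-flight hook before the editor launches ssh; exit status is that of az ssh config when a refresh was needed.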

Is there an update please? I would also like a solution for this problem.

simoelmou avatar Jan 25 '24 14:01 simoelmou