
az network bastion ssh + AAD fails with "WARNING: UNPROTECTED PRIVATE KEY FILE!"

Open ckittel opened this issue 1 year ago • 18 comments

Describe the bug

When using az network bastion ssh --auth-type AAD the SSL certificate is automatically added to /tmp/aadsshcert... but the file permissions are set such that OpenSSH 8.2 fails with

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/tmp/aadsshcert23cd5o7q/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.

which means the connection cannot be established.

I know the bastion command delegates this work to the ssh extension, so this is probably more of an issue for the ssh extension authors to address.

Related command

az network bastion ssh --auth-type AAD

Errors

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/tmp/aadsshcert23cd5o7q/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.

Issue script & Debug output

cli.azext_ssh.ssh_utils: Running ssh-keygen command ssh-keygen -f /tmp/aadsshcert23cd5o7q/id_rsa -t rsa -q -N 
...
cli.azext_bastion.custom: Running ssh command /usr/bin/ssh [email protected]@localhost -i /tmp/aadsshcert23cd5o7q/id_rsa -o CertificateFile=/tmp/aadsshcert23cd5o7q/id_rsa.pub-aadcert.pub -p 34457 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=Error

Expected behavior

The generated id_rsa file is set to permissions of 600.

As a bonus, I think it could even be set to 400 since this directory is transient by nature. The temp directory (aadsshcert23cd5o7q in this specific example above) could even be set to 700 as well for added security/intent hygiene.

Environment Summary

azure-cli                         2.49.0

core                              2.49.0
telemetry                          1.0.8

Extensions:
bastion                            0.2.4
resource-graph                     2.1.0
ssh                                1.1.6

Dependencies:
msal                              1.20.0
azure-mgmt-resource               22.0.0

Additional context

No response

ckittel, Jun 14 '23 14:06
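The "Expected behavior" section above asks for the transient directory to be 0700 and the generated key to be 0600. As an added example that is not part of this issue or of the azure-cli ssh extension's own code, the Python below shows how a tool in that position can create both with the right modes from the start, reproduces the 0644 state the report describes, and applies the fix; the function names, the placeholder key contents and the use of a fake key instead of ssh-keygen are assumptions made for the example.

```python
import os
import shutil
import stat
import tempfile

def private_key_too_open(path):
    """Mirror OpenSSH's check: a private key is 'too open' if any group or other bit is set."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))

def make_cert_dir(prefix="aadsshcert"):
    # mkdtemp creates the directory with mode 0700 regardless of the umask
    return tempfile.mkdtemp(prefix=prefix)

def write_private_key(path, key_material):
    # O_EXCL refuses to reuse a pre-existing file; the 0o600 mode is applied at
    # creation, so there is no window in which the key is world-readable
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(key_material)
    # explicit chmod guards against a copy or a permissive umask widening it later
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return path

def harden_existing(path):
    """Fix a key file that ended up 0644, as in the report."""
    os.chmod(path, 0o600)

def demo():
    """Create dir + key correctly, reproduce the bug, fix it; returns what was observed."""
    cert_dir = make_cert_dir()
    try:
        key = os.path.join(cert_dir, "id_rsa")
        # constructed placeholder key material (assumption); the real extension runs ssh-keygen
        write_private_key(key, "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed placeholder\n")
        created_ok = not private_key_too_open(key)
        os.chmod(key, 0o644)                       # simulate the reported state
        reproduced = private_key_too_open(key)     # OpenSSH would refuse this key
        harden_existing(key)
        fixed = not private_key_too_open(key)
        dir_mode = oct(stat.S_IMODE(os.stat(cert_dir).st_mode))
        return {"created_ok": created_ok, "reproduced": reproduced,
                "fixed": fixed, "dir_mode": dir_mode}
    finally:
        shutil.rmtree(cert_dir, ignore_errors=True)  # transient dir, clean up

if __name__ == "__main__":
    print(demo())
```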