Add SSH key to an existing VM?
CLI Version: 0.10.2 Mode: ARM Environment: AzureCloud
Description: How to add SSH key to a VM?
Check out vm reset-access
So only replace, no add?
@huangpf - Is there a plan to support adding more ssh keys to a vm?
it should support add
I think this is a duplicate of #3199
+1: long thread discussing the fact that you think the vmaccess command will do this, but instead it assumes adding keys to the same user means replacing that user's key, which it does not. We need the command to enable ADDING KEYS to any existing user. There are several legitimate scenarios in which users have more than one acceptable key.
@huangpf I don't think this is a duplicate of that?
@huangpf @squillace - #3199 is for adding a secret, not a SSH Key. Is this still a duplicate then?
@mayurshintre
- As I do not know the functional behavior of the specified PS call, I cannot say whether this is a dupe.
- This issue is specific: Adding multiple keys with a single user name is a common Linux scenario. Current behavior destroys the user and recreates it with a new key. This surprised many customers, and it isn't what was expected in any way.
Add-AzureRmVMSecret is just adding the key reference into the VM's OS profile, nothing more than that. So, I think it's a duplicate. azure vm reset-access for Linux VMs is not owned by the Compute team; it's owned by the Azure Linux team, who manages the reset-access extension. Please contact them if you need another fix there. Closing this one for now. Please refer to: https://github.com/Azure/azure-xplat-cli/issues/3199
oh microsoft.
@matti The issue is still being tracked. I'm just closing the duplicate one. Thanks.
@huangpf: I just saw this as the other one was closed. THAT issue adds a cert to the osprofile -- great.
HOWEVER, this issue is not a CRP issue, nor is it a reset-access issue, it is an azure-xplat-cli issue: I want reset-access FIXED to do the right thing. I do not care who does the engineering internally; where in the world would I file THAT issue if I were outside the firewall?
At the least an appropriate response would be to leave this issue open, as I've reopened it, and connect it with a new issue (https://github.com/Azure/azure-linux-extensions/issues/295). Now you're free to reclose this, but from the customers' point of view this is a CLI problem -- a Microsoft problem. We need to figure out how to achieve the solution somehow.
The title and your summary seem to be ambiguous, so that's misleading to what's the right resolution.
CRP API does allow users to install secret resources (i.e. keys) in the cloud to the VM, but users would need to first figure out how to put those resources in the cloud (i.e. using KeyVault APIs). If the problem is about the latter part, it's a general CLI problem, or KeyVault's.
Adding a key to the VM is not equivalent to resetting the access. azure vm reset-access is a hack in doing so, adding more confusion here. This should be discussed separately.
@amarzavery please help take a look from the overall CLI's point of view. I'm adding more tags to this issue, as it needs triage by multiple parties.
@huangpf happy to help clarify, and @vlivech to keep me sane. The title "Add SSH key to an existing VM" is about using the azure vm reset-access command to add a NEW public key file to a currently existing VM. Not the osprofile. Not keyvault. to the running VM, in the authorized_users directory for username.
Typically this would be over SSH, or ssh-copy-id -i ~/.ssh/id_rsa.pub ahmet@myserver. But if you have rights to the VM but not the original key, you want to use azure vm reset-access to do so. It is in fact documented as a standalone ability:
help: -M, --ssh-key-file <ssh-key-file> path to public key PEM file or SSH Public key file for SSH authentication (valid only when os-type is "Linux")
Of course, it doesn't say what ELSE should happen here in order to ADD the key I provide to the currently running VM I'm targeting. But the result needs to be that if I specify a user that already exists, and there's a key already there, this one needs to be added to the directory.
You'll note that in https://github.com/Azure/azure-linux-extensions/issues/295, @boumenot believes that using azure vm set-extensions it works properly -- he'll look, of course -- but if he's right, then reset-access is broken.
It's one or the other, OR: I'm totally wrong about the behavior. I will always concede that I've done something wrong, but three people on my team confirmed this behavior, so a bunch of us are misunderstanding how this is supposed to work. In which case, something else completely is wrong. :-)
@squillace you are indeed sane.
I own a VM and have root perms to it. I then lose my private key by accident (rm -rf ~/.ssh/azure_id_rsa), and since I am a good SysAdmin following the SysAdmin bible, I have disabled SSH password logins. I need azure vm reset-access to connect to the VM for me and add a public key file to the ~/.ssh/authorized_keys file. I would do this myself using ssh-copy-id, but I lost the private key and passwords are disabled. If I cannot use azure vm reset-access then the VM is perma-locked and must be killed.
TL;DR: azure vm reset-access is an emergency-only method to connect to a Linux VM I have rights to and add an SSH public key to ~/.ssh/authorized_keys. "Add" meaning cat >> ~/.ssh/authorized_keys, which adds the public key to the end of the file while not touching any other keys in the file.
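As an added illustration (not code from this thread, the Azure CLI, or the vmaccess extension), the POSIX shell function below implements the append semantics the two comments above ask for: the expectation that a key for an existing user is "added to the directory", and the cat >> ~/.ssh/authorized_keys description. Existing keys are preserved, an identical key is not added twice, and the directory and file modes that sshd's StrictModes check requires are enforced. The key strings, the temporary path, and the helper names (add_authorized_key, count_authorized_keys, file_mode) are constructed for the example.

```shell
#!/bin/sh
# Added example, not the CLI's or the extension's own code.

# add_authorized_key FILE KEY
#   Appends KEY to the authorized_keys FILE without touching keys already
#   present. Returns 0 if the key was appended, 1 if it was already there.
add_authorized_key() {
    file="$1"
    key="$2"
    dir=$(dirname "$file")
    # sshd (StrictModes) refuses a group/world-writable ~/.ssh or key file,
    # so create both with the conventional restrictive modes.
    mkdir -p "$dir"
    chmod 700 "$dir"
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file"
    # Idempotent: an identical key line is not appended a second time.
    if grep -qxF -- "$key" "$file"; then
        return 1
    fi
    # '>>' appends; '>' would truncate and silently drop every other key.
    printf '%s\n' "$key" >> "$file"
    return 0
}

# count_authorized_keys FILE
#   Number of key lines; blank lines and '#' comments are not counted.
count_authorized_keys() {
    grep -v '^[[:space:]]*#' "$1" | grep -c '[^[:space:]]'
}

# file_mode PATH  ->  the ls mode string, e.g. "-rw-------"
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Demo on a throwaway directory with constructed (not real) keys.
demo() {
    tmp=$(mktemp -d)
    f="$tmp/.ssh/authorized_keys"
    k1='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOne first@example'
    k2='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyTwo second@example'
    add_authorized_key "$f" "$k1"
    add_authorized_key "$f" "$k2"                       # k1 must survive
    add_authorized_key "$f" "$k1" || echo "duplicate skipped"
    echo "keys: $(count_authorized_keys "$f")  mode: $(file_mode "$f")"
    rm -rf "$tmp"
}
demo
```

The contrast with the behaviour reported in this thread is the single redirection operator: a "reset" that writes the file with `>` leaves exactly one key, while `>>` keeps every key that was already authorized.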
The problem needs to be well defined in order to find the most accurate solution. What you describe is about the Linux VM extension reset-access and its supporting commands. If that's what you need, please let the repo admin route you to the Azure Linux team for triage & fix.
The reset-access command is a specialized extension command, and set-extensions is a generic one that works for all extensions. It's likely that specialized commands may have some stale code that blocks new scenarios, while the generic ones are always usable for all. If you can find PS/CLI2 or any client-side tools that work for that use case using the extension APIs, capture the request/response payloads and compare them to here to see what's wrong. But again, the Compute team does not own this or know how to solve it. I'm making my suggestions for you to find the best owner and solution.
Like you said, it's not a CRP issue, so I'm going to remove the IaaS tag, and let you focus on the extension part.
IMO, the title needs to reflect the extension-focused asks.
Yes, this is about the behavior of azure vm reset-access. I am filing the issue against the CLI. Please route as is appropriate.
FYI, the behavior of reset-access with SSH keys actually "adds" the key to the authorized keys rather than replacing them: https://github.com/MicrosoftDocs/azure-docs/pull/6044
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/vmaccess#update-ssh-key