
Improve SSH using Azure AD authentication

Open bpasham opened this issue 4 years ago • 8 comments

We are trying to implement a remote development model with project-specific VMs in Azure and allow users to connect from VS Code using Azure AD authentication with MFA. It works great with public keys but not with Azure AD authentication.

There were some recommendations of disabling the localserver option and enabling the console, so users can click on the device login link and enter the code. However, that model is deprecated by Microsoft. So the option currently usable is using the az ssh module (or something I couldn't find).

https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-linux

Appreciate any guidance on how to configure authentication for this model

bpasham avatar Oct 14 '21 15:10 bpasham

https://github.com/microsoft/vscode-remote-release/issues/2538

roblourens avatar Oct 18 '21 21:10 roblourens

@roblourens - this is not duplicate. It is a similar issue. #2538 is no longer relevant as Microsoft deprecated the method - documented here - whereas the problem I am referring to is the new method Microsoft introduced, which requires VSCode remote to work with Azure CLI command az ssh and the login process documented here

bpasham avatar Oct 19 '21 12:10 bpasham

Thanks for the details

roblourens avatar Oct 19 '21 22:10 roblourens

@bpasham Don't these instructions work? https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-linux#exporting-ssh-configuration-for-use-with-ssh-clients-that-support-openssh

az ssh config --file ~/.ssh/config --ip <your IP> 

Should set up the same SSH config file VS Code uses. From there you can open in Remote - SSH.

Chuxel avatar Oct 27 '21 23:10 Chuxel

@Chuxel - they work for one session, but they don't persist between sessions. A PS script with the following sequence should work, if launched from PowerShell, not from VS Code:

az login
az account set subscription
az ssh config
code .

This launched the code and remote will initiate with the generated cert in the ssh config step. The problem is that a record will be added to the config file each time, which creates an unreliable process.

A more reliable process is required, one that can clean up on exit or persist the cert longer, and detect when the cert is expired and go for reauthentication.

bpasham avatar Oct 28 '21 00:10 bpasham
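One way to get the behaviour asked for in the comment above (no duplicate config records, reauthentication only when the certificate is close to expiry), as an added example that is not part of the original thread or of any Microsoft tooling. It assumes a POSIX shell client, a hypothetical per-VM config directory `~/.ssh/az`, a `date` that accepts `-d`, and an installed `az ssh` extension that supports `--overwrite`.

```shell
#!/bin/sh
# Added example: keep one az-generated SSH config file per VM and regenerate it
# only when its short-lived certificate is missing or about to expire.
# Assumptions: GNU or BusyBox date; az ssh extension that supports --overwrite.

CONF_DIR="${CONF_DIR:-$HOME/.ssh/az}"   # hypothetical location, one file per VM
MARGIN="${MARGIN:-300}"                  # renew this many seconds before expiry

# Print the first CertificateFile path found in an ssh config file.
cert_path_from_config() {
    sed -n 's/^[[:space:]]*CertificateFile[[:space:]]\{1,\}//p' "$1" | tr -d '"' | head -n 1
}

# Read `ssh-keygen -L` output on stdin and print the expiry as epoch seconds.
# Fails when there is no "Valid: from ... to ..." line (e.g. "Valid: forever").
cert_expiry_epoch() {
    to=$(sed -n 's/^[[:space:]]*Valid: from [^ ]* to \([^ ]*\).*/\1/p' | head -n 1)
    [ -n "$to" ] || return 1
    date -d "$(printf '%s' "$to" | tr 'T' ' ')" +%s
}

# Succeed when a cert expiring at epoch $1 must be renewed at epoch $2.
# An empty $1 (no readable cert) always means "renew".
needs_refresh() {
    [ -z "$1" ] || [ $(( $1 - $MARGIN )) -le "$2" ]
}

# Regenerate the config for one VM only when its certificate is missing or stale.
ensure_fresh_cert() {
    ip="$1"; conf="$CONF_DIR/$ip.config"; expiry=""
    if [ -f "$conf" ]; then
        cert=$(cert_path_from_config "$conf")
        [ -f "$cert" ] && expiry=$(ssh-keygen -L -f "$cert" | cert_expiry_epoch) || true
    fi
    if needs_refresh "$expiry" "$(date +%s)"; then
        mkdir -p "$CONF_DIR" && chmod 700 "$CONF_DIR"
        # --overwrite replaces the file instead of appending another Host record
        az ssh config --file "$conf" --ip "$ip" --overwrite
    fi
}

# Runs only when a target is supplied, e.g. AZ_VM_IP=<your IP> sh refresh.sh
[ -z "${AZ_VM_IP:-}" ] || ensure_fresh_cert "$AZ_VM_IP"
```

An `Include ~/.ssh/az/*.config` line at the top of `~/.ssh/config` makes the per-VM files visible to OpenSSH clients without touching the main file again.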

@bpasham, but what happens when the key is expired? Do I need to regenerate the key every 60 minutes?

snnn avatar Dec 07 '21 03:12 snnn

> @bpasham, but what happens when the key is expired? Do I need to regenerate the key every 60 minutes?

I think so. I wonder how other authentication schemes are working ...

bpasham avatar Dec 07 '21 03:12 bpasham

I am sure I am missing technical details here, but would it be feasible to leverage this extension alongside the Microsoft-Account extension? https://github.com/microsoft/vscode/tree/main/extensions/microsoft-authentication

The Microsoft Account extension should be able to utilize refresh tokens to keep the JWT active (similar to azure-cli and other tools) and avoid the re-sign-in each hour.

Additionally, if this extension added an Entra ID-specific ssh option, it would greatly streamline usage. Basically it would need to run this command and verify that azure-cli is installed on the workstation.

az ssh vm --ip <remote IP>

rybal06 avatar Aug 20 '24 17:08 rybal06