Open
Description
opened on Aug 29, 2023
Describe the bug
azure-cli 2.51.0
I'm attempting to use az ssh vm from my Windows PC to a Linux VM in Azure.
Here's what I'm getting.
OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3
Bad permissions. Try removing permissions for user: BUILTIN\\Users (S-1-5-32-545) on file C:/Users/REDACTED/AppData/Local/Temp/aadsshcert9tfesyxc/id_rsa.pub-aadcert.pub.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'C:\\Users\\REDACTED\\AppData\\Local\\Temp\\aadsshcert9tfesyxc\\id_rsa.pub-aadcert.pub' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "C:\\Users\\REDACTED\\AppData\\Local\\Temp\\aadsshcert9tfesyxc\\id_rsa.pub-aadcert.pub": bad permissions
With the file Explorer open, I can see the folder aadsshcert9tfesyxc created on the fly, then deleted.
So it appears to me that the az cli is creating a folder in which to place some keys, then rejecting its use because it doesn't like the permissions of the folder it just made.
Related command
az ssh vm --ip a.b.c.d
Errors
The command failed as stated above.
Issue script & Debug output
cli.knack.cli: Command arguments: ['ssh', 'vm', '--ip', 'IP_REDACTED', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x02D8B610>, <function OutputProducer.on_global_arguments at 0x02E8D850>, <function CLIQuery.on_global_arguments at 0x02EA14A8>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'ssh': ['azext_ssh']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: Total (0) 0.000 0 0
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: ssh 0.085 1 4 C:\Users\REDACTED\.azure\cliextensions\ssh
cli.azure.cli.core: Total (1) 0.085 1 4
cli.azure.cli.core: Loaded 1 groups, 4 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : ssh vm
cli.azure.cli.core: Command table: ssh vm
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x0504C778>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\REDACTED\.azure\commands\2023-08-29.10-40-11.ssh_vm.29752.log'.
az_command_data_logger: command args: ssh vm --ip {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x050748E0>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x05082850>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x05082A48>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x02E8D898>, <function CLIQuery.handle_query_parameter at 0x02EA14F0>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x05082A00>]
az_command_data_logger: extension name: ssh
az_command_data_logger: extension version: 2.0.1
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=ComputeManagementClient
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\\Users\\REDACTED\\.azure\\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\REDACTED\.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/IP_REDACTED/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/IP_REDACTED/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/IP_REDACTED/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/IP_REDACTED/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/IP_REDACTED/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/IP_REDACTED/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/IP_REDACTED/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? True
cli.azext_ssh.ssh_utils: Platform architecture: 32bit
cli.azext_ssh.ssh_utils: OS architecture: 64bit
cli.azext_ssh.ssh_utils: System Root: C:\WINDOWS
cli.azext_ssh.ssh_utils: Attempting to run ssh-keygen from path C:\WINDOWS\SysNative\openSSH\ssh-keygen.exe
cli.azext_ssh.ssh_utils: Running ssh-keygen command C:\WINDOWS\SysNative\openSSH\ssh-keygen.exe -f C:\Users\REDACTED\AppData\Local\Temp\aadsshcertmetiidwb\id_rsa -t rsa -q -N
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/IP_REDACTED/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/IP_REDACTED/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/IP_REDACTED/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/IP_REDACTED/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/IP_REDACTED/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/IP_REDACTED/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/IP_REDACTED/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? True
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: REDACTED
msal.token_cache: event={
"_account_id": "70eb022a-50f6-411d-8920-abcdc79bac01",
"client_id": "REDACTED",
"data": {
"key_id": "7ccbfc478e65e3d8958b363ab7ed0ecfe345b238fbaef48ae1a5a09685a87b9a",
"req_cnf": REDACTED
"token_type": "ssh-cert"
},
"response": {
"_account_id": "70eb022a-50f6-411d-8920-abcdc79bac01",
"_msalruntime_telemetry": {
"access_token_expiry_time": "2023-08-29T15:54:44.000Z",
"additional_query_parameters_count": "3",
"api_name": "AcquireTokenSilently",
"auth_flow": "AT",
"authority_type": "AAD",
"authorization_type": "WindowsIntegratedAuth",
"broker_app_used": "false",
"client_id": "REDACTED",
"correlation_id": "ba296722-b559-485d-ac1d-e8e0ecd006b7",
"is_successful": "true",
"msal_version": "1.1.0+local",
"msalruntime_version": "0.13.9",
"original_authority": "https://login.microsoftonline.com/IP_REDACTED",
"read_token": "ID|AT|FRT",
"request_duration": "3",
"request_eligible_for_broker": "true",
"start_time": "2023-08-29T15:40:11.000Z",
"stop_time": "2023-08-29T15:40:11.000Z",
"was_request_throttled": "false"
},
"access_token": "********",
"client_info": "REDACTED",
"expires_in": 873,
"id_token": "********",
"id_token_claims": "********",
"scope": "https://pas.windows.net/CheckMyAccess/Linux/user_impersonation https://pas.windows.net/CheckMyAccess/Linux/.default",
"token_type": "ssh-cert"
},
"scope": [
"https://pas.windows.net/CheckMyAccess/Linux/user_impersonation",
"https://pas.windows.net/CheckMyAccess/Linux/.default"
],
"token_endpoint": "https://login.microsoftonline.com/IP_REDACTED/oauth2/v2.0/token"
}
cli.azext_ssh.custom: Generating certificate C:\Users\REDACTED\AppData\Local\Temp\aadsshcertmetiidwb\id_rsa.pub-aadcert.pub
cli.azext_ssh.ssh_utils: Platform architecture: 32bit
cli.azext_ssh.ssh_utils: OS architecture: 64bit
cli.azext_ssh.ssh_utils: System Root: C:\WINDOWS
cli.azext_ssh.ssh_utils: Attempting to run ssh-keygen from path C:\WINDOWS\SysNative\openSSH\ssh-keygen.exe
cli.azext_ssh.ssh_utils: Running ssh-keygen command C:\WINDOWS\SysNative\openSSH\ssh-keygen.exe -L -f C:\Users\REDACTED\AppData\Local\Temp\aadsshcertmetiidwb\id_rsa.pub-aadcert.pub
cli.azext_ssh.ssh_utils: Platform architecture: 32bit
cli.azext_ssh.ssh_utils: OS architecture: 64bit
cli.azext_ssh.ssh_utils: System Root: C:\WINDOWS
cli.azext_ssh.ssh_utils: Attempting to run ssh from path C:\WINDOWS\SysNative\openSSH\ssh.exe
cli.azext_ssh.ssh_utils: Running ssh command C:\WINDOWS\SysNative\openSSH\ssh.exe IP_REDACTED -l REDACTED@REDACTED.com -i C:\Users\REDACTED\AppData\Local\Temp\aadsshcertmetiidwb\id_rsa -o CertificateFile="C:\Users\REDACTED\AppData\Local\Temp\aadsshcertmetiidwb\id_rsa.pub-aadcert.pub" -vvv
OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3
debug3: Failed to open file:C:/Users/REDACTED/.ssh/config error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_config error:2
debug2: resolve_canonicalize: hostname IP_REDACTED is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> 'C:\\Users\\REDACTED/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> 'C:\\Users\\REDACTED/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug3: ssh_connect_direct: entering
debug1: Connecting to IP_REDACTED [IP_REDACTED] port 22.
debug1: Connection established.
debug1: identity file C:\\Users\\REDACTED\\AppData\\Local\\Temp\\aadsshcertmetiidwb\\id_rsa type 0
debug1: certificate file C:\\Users\\REDACTED\\AppData\\Local\\Temp\\aadsshcertmetiidwb\\id_rsa.pub-aadcert.pub type 4
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.3
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.3 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to IP_REDACTED:22 as 'REDACTED@REDACTED.com'
debug3: record_hostkey: found key type ED25519 in file C:\\Users\\REDACTED/.ssh/known_hosts:10
debug3: load_hostkeys_file: loaded 1 keys from IP_REDACTED
debug3: Failed to open file:C:/Users/REDACTED/.ssh/known_hosts2 error:2
debug1: load_hostkeys: fopen C:\\Users\\REDACTED/.ssh/known_hosts2: No such file or directory
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts: No such file or directory
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:yKjAyCzYG4en7DTLFoM6WTLB5uD2SQIH5xKyxgZVovI
debug3: record_hostkey: found key type ED25519 in file C:\\Users\\REDACTED/.ssh/known_hosts:10
debug3: load_hostkeys_file: loaded 1 keys from IP_REDACTED
debug3: Failed to open file:C:/Users/REDACTED/.ssh/known_hosts2 error:2
debug1: load_hostkeys: fopen C:\\Users\\REDACTED/.ssh/known_hosts2: No such file or directory
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts: No such file or directory
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'IP_REDACTED' is known and matches the ED25519 host key.
debug1: Found key in C:\\Users\\REDACTED/.ssh/known_hosts:10
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug3: unable to connect to pipe \\\\.\\pipe\\openssh-ssh-agent, error: 2
debug1: pubkey_prepare: ssh_get_authentication_socket: The socket is not connected
debug1: Will attempt key: C:\\Users\\REDACTED\\AppData\\Local\\Temp\\aadsshcertmetiidwb\\id_rsa.pub-aadcert.pub RSA-CERT SHA256:UmRf0jUjqZ54mzymzE6ycD5pcZ9RxqWJC7NmKUhpVJw explicit
debug1: Will attempt key: C:\\Users\\REDACTED\\AppData\\Local\\Temp\\aadsshcertmetiidwb\\id_rsa RSA SHA256:AylRujWq33jgUT4gERrhUT7FNVN2S2DJKXbT+oqTj8A explicit
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com (unrecognised)
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: C:\\Users\\REDACTED\\AppData\\Local\\Temp\\aadsshcertmetiidwb\\id_rsa.pub-aadcert.pub RSA-CERT SHA256:UmRf0jUjqZ54mzymzE6ycD5pcZ9RxqWJC7NmKUhpVJw explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: C:\\Users\\REDACTED\\AppData\\Local\\Temp\\aadsshcertmetiidwb\\id_rsa.pub-aadcert.pub RSA-CERT SHA256:UmRf0jUjqZ54mzymzE6ycD5pcZ9RxqWJC7NmKUhpVJw explicit
debug3: sign_and_send_pubkey: RSA-CERT SHA256:UmRf0jUjqZ54mzymzE6ycD5pcZ9RxqWJC7NmKUhpVJw
debug1: sign_and_send_pubkey: no separate private key for certificate "C:\\Users\\REDACTED\\AppData\\Local\\Temp\\aadsshcertmetiidwb\\id_rsa.pub-aadcert.pub"
debug3: sign_and_send_pubkey: signing using rsa-sha2-512-cert-v01@openssh.com SHA256:UmRf0jUjqZ54mzymzE6ycD5pcZ9RxqWJC7NmKUhpVJw
Bad permissions. Try removing permissions for user: BUILTIN\\Users (S-1-5-32-545) on file C:/Users/REDACTED/AppData/Local/Temp/aadsshcertmetiidwb/id_rsa.pub-aadcert.pub.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'C:\\Users\\REDACTED\\AppData\\Local\\Temp\\aadsshcertmetiidwb\\id_rsa.pub-aadcert.pub' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "C:\\Users\\REDACTED\\AppData\\Local\\Temp\\aadsshcertmetiidwb\\id_rsa.pub-aadcert.pub": bad permissions
debug1: Offering public key: C:\\Users\\REDACTED\\AppData\\Local\\Temp\\aadsshcertmetiidwb\\id_rsa RSA SHA256:AylRujWq33jgUT4gERrhUT7FNVN2S2DJKXbT+oqTj8A explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
REDACTED@REDACTED.com@IP_REDACTED: Permission denied (publickey).
cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x05071FA0>, <function _x509_from_base64_to_hex_transform at 0x05074028>]
cli.knack.cli: Event: CommandInvoker.OnFilterResult []
cli.knack.cli: Event: Cli.SuccessfulExecute []
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x0504C898>]
az_command_data_logger: exit code: 0
cli.__main__: Command ran in 4.077 seconds (init: 0.227, invoke: 3.850)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4750 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\Users\REDACTED\.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.
Expected behavior
I should be able to login with SSH and my AAD SSO.
Environment Summary
azure-cli 2.51.0
core 2.51.0
telemetry 1.1.0
Extensions:
ssh 2.0.1
Dependencies:
msal 1.24.0b1
azure-mgmt-resource 23.1.0b2
Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\lsilverman\.azure\cliextensions'
Python (Windows) 3.10.10 (tags/v3.10.10:aad5f6a, Feb 7 2023, 17:05:00) [MSC v.1929 32 bit (Intel)]
Legal docs and information: aka.ms/AzureCliLegal
Your CLI is up-to-date.
Additional context
Nothing else
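The error output in this report names BUILTIN\Users (S-1-5-32-545) as the principal whose access makes the key file "too open". As an added example (not part of the original issue, and not code from azure-cli or OpenSSH), the Python below audits a file's SDDL string under a simplified model of the rule the message states: only the user, SYSTEM and Administrators may own the file or hold allow ACEs on it. The user SID and the SDDL strings are constructed samples, and `audit_key_acl` is a hypothetical helper name.

```python
import re

# Well-known SDDL aliases relevant here (alias -> SID string).
SDDL_ALIASES = {
    "SY": "S-1-5-18",      # NT AUTHORITY\SYSTEM
    "BA": "S-1-5-32-544",  # BUILTIN\Administrators
    "BU": "S-1-5-32-545",  # BUILTIN\Users (the principal named in the error)
    "AU": "S-1-5-11",      # NT AUTHORITY\Authenticated Users
    "WD": "S-1-1-0",       # Everyone
}
# Assumption: besides the user, only these principals may hold access.
TRUSTED_SIDS = {"S-1-5-18", "S-1-5-32-544"}


def parse_sddl(sddl):
    """Return (owner_sid, [(ace_type, flags, rights, sid), ...]) for the DACL.

    Handles plain ACEs only; conditional ACEs with nested parentheses
    are outside the scope of this example.
    """
    owner = re.search(r"O:(S-[0-9-]+|[A-Z]{2})", sddl)
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not owner or not dacl:
        raise ValueError("SDDL string lacks an owner or a DACL with ACEs")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # malformed ACE, skip it
        ace_type, flags, rights, sid = fields[0], fields[1], fields[2], fields[5]
        aces.append((ace_type, flags, rights, SDDL_ALIASES.get(sid, sid)))
    owner_sid = SDDL_ALIASES.get(owner.group(1), owner.group(1))
    return owner_sid, aces


def audit_key_acl(sddl, user_sid):
    """Report whether the owner is acceptable and which allow ACEs are not.

    Each offending entry is (sid, rights, inherited); inherited is True
    when the ACE carries the ID flag, i.e. it came from the parent folder.
    """
    owner, aces = parse_sddl(sddl)
    allowed = TRUSTED_SIDS | {user_sid}
    offending = [
        (sid, rights, "ID" in flags)
        for ace_type, flags, rights, sid in aces
        if ace_type == "A" and sid not in allowed
    ]
    return {"owner_ok": owner in allowed, "offending": offending}


# Constructed sample values (not taken from the report).
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-513"

# File that inherited a read/execute ACE for BUILTIN\Users from its folder.
LOOSE_SDDL = (
    f"O:{USER_SID}G:{GROUP_SID}D:AI"
    f"(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;{USER_SID})(A;ID;0x1200a9;;;BU)"
)
# Same file with inheritance removed and only the three expected principals.
TIGHT_SDDL = (
    f"O:{USER_SID}G:{GROUP_SID}D:PAI"
    f"(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;{USER_SID})"
)

if __name__ == "__main__":
    for label, sddl in (("loose", LOOSE_SDDL), ("tight", TIGHT_SDDL)):
        print(label, audit_key_acl(sddl, USER_SID))
```

Feed it the string from `(Get-Acl <path>).Sddl` in PowerShell; an offending entry marked inherited points at the parent directory's ACL rather than at the file itself.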