This repository has been archived by the owner on Oct 12, 2023. It is now read-only.

Add SSH key to an existing VM ? #3075

Open
matti opened this issue Aug 5, 2016 · 20 comments

@matti

matti commented Aug 5, 2016

CLI Version: 0.10.2
Mode: ARM
Environment: AzureCloud

Description:
How to add SSH key to a VM?

@yugangw-msft
Contributor

Check out vm reset-access

@matti
Author

matti commented Aug 5, 2016

So only replace, no add?

@amarzavery
Contributor

@huangpf - Is there a plan to support adding more ssh keys to a vm?

@yugangw-msft
Contributor

it should support add

@huangpf
Contributor

huangpf commented Sep 26, 2016

I think this is a duplicate of #3199

@huangpf huangpf self-assigned this Sep 26, 2016
@huangpf huangpf added this to the November 2016 - 0.10.6 milestone Sep 26, 2016
@huangpf huangpf added the P1 label Sep 26, 2016
@squillace
Contributor

+1: long thread discussing the fact that you think vmaccess command will do this, but instead assumes adding keys to the same user means replace that user's key, which it does not. We need the command to enable ADDING KEYS to any existing user. There are several legitimate scenarios in which users have more than one acceptable key.

@matti
Author

matti commented Oct 6, 2016

@huangpf I don't think this is a duplicate of that?

@mayurshintre

@huangpf @squillace - #3199 is for adding a secret, not an SSH key. Is this still a duplicate then?

@squillace
Contributor

@mayurshintre

  1. As I do not know the functional behavior of the specified PS call, I cannot say whether this is a dupe.
  2. This issue is specific: Adding multiple keys with a single user name is a common Linux scenario. Current behavior destroys the user and recreates it with a new key. This surprised many customers, and it isn't what was expected in any way.

@huangpf
Contributor

huangpf commented Nov 23, 2016

Add-AzureRmVMSecret is just adding the key reference into the VM's OS profile, nothing more than that. So, I think it's a duplicate. azure vm reset-access for Linux VM is not owned by Compute team, and it's by the Azure Linux team who manages the reset-access extension. Please contact them if you need another fix there. Close this one for now. Please refer to: #3199

@huangpf huangpf closed this as completed Nov 23, 2016
@matti
Author

matti commented Nov 23, 2016

oh microsoft.

@huangpf
Contributor

huangpf commented Nov 23, 2016

@matti The issue is still being tracked. I'm just closing the duplicate one. Thanks.

@squillace
Contributor

@huangpf: I just saw this as the other one was closed. THAT issue adds a cert to the osprofile -- great.

HOWEVER, this issue is not a CRP issue, nor is it a reset-access issue, it is an azure-xplat-cli issue: I want reset-access FIXED to do the right thing. I do not care who does the engineering internally; where in the world would I file THAT issue if I were outside the firewall?

At the least, an appropriate response would be to leave this issue open, as I've reopened it, and connect it with a new issue (Azure/azure-linux-extensions#295). Now you're free to reclose this, but from the customers' point of view this is a CLI problem -- a Microsoft problem. We need to figure out how to achieve the solution somehow.

@squillace squillace reopened this Dec 16, 2016
@huangpf
Contributor

huangpf commented Dec 16, 2016

The title and your summary seem to be ambiguous, so that's misleading to what's the right resolution.

CRP API does allow users to install secret resources (i.e. keys) in the cloud to the VM, but users would need to first figure out how to put those resources in the cloud (i.e. using KeyVault APIs). If the problem is about the latter part, it's a general CLI problem, or KeyVault's.

Adding a key to the VM is not equivalent to resetting the access. azure vm reset-access is a hack in doing so, adding more confusion here. This should be discussed separately.

@huangpf
Contributor

huangpf commented Dec 16, 2016

@amarzavery please help take a look from overall CLI's point of view. I'm adding more tags to this issue, as it needs multiple-party's triage.

@squillace
Contributor

@huangpf happy to help clarify, and @vlivech to keep me sane. The title "Add SSH key to an existing VM" is about using the azure vm reset-access command to add a NEW public key file to a currently existing VM. Not the osprofile. Not keyvault. to the running VM, in the authorized_users directory for username.

Typically this would be over SSH, or ssh-copy-id -i ~/.ssh/id_rsa.pub ahmet@myserver. But if you have rights to the VM but not the original key, you want to use azure vm reset-access to do so. It is in fact documented as a standalone ability:

help:      -M, --ssh-key-file <ssh-key-file>      path to public key PEM file or SSH Public key file for SSH authentication (valid only when os-type is "Linux")

Of course, it doesn't say what ELSE should happen here in order to ADD the key I provide to the currently running VM I'm targeting. But the result needs to be that if I specify a user that already exists, and there's a key already there, this one needs to be added to the directory.

You'll note that in Azure/azure-linux-extensions#295, @boumenot believes that using azure vm set-extensions it works properly -- he'll look, of course -- but if he's right, then reset-access is broken.

It's one or the other, OR: I'm totally wrong about the behavior. I will always concede that I've done something wrong, but three people on my team confirmed this behavior, so a bunch of us are misunderstanding how this is supposed to work. In which case, something else completely is wrong. :-)

@e30chris

@squillace you are indeed sane.

I own a VM and have root perms to it. I then lose, rm -rf ~/.ssh/azure_id_rsa my private key by accident and since I am a good SysAdmin following the SysAdmin bible, I have disabled SSH Password logins. I need azure vm reset-access to connect to the VM for me and add a public key file to the ~/.ssh/authorized_keys file. I would do this myself using ssh-copy-id but I lost the private key and passwords are disabled. If I cannot use azure vm reset-access then the VM is perma locked and must be killed.

TLDR; azure vm reset-access is an emergency-only method to connect to a Linux VM I have rights to, and add in an SSH public key to ~/.ssh/authorized_keys. Add meaning cat >> ~/.ssh/authorized_keys, which adds the public key to the end of the file while not touching any other keys in the file.
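
Added example, not part of the original thread and not Azure CLI or VMAccess extension code: the "add, don't replace" behaviour requested above, written as a shell function that appends one public key to authorized_keys, skips it if already present, and leaves every existing entry untouched. The function name `add_authorized_key` is hypothetical, and it assumes an OpenSSH-format public key (not PEM).

```shell
#!/bin/sh
# Added example; add_authorized_key is a hypothetical helper, not an Azure CLI command.
# Appends one OpenSSH public key to authorized_keys, leaving existing entries alone.
add_authorized_key() {
    pubkey_file=$1
    auth_file=${2:-"$HOME/.ssh/authorized_keys"}

    # The first non-blank, non-comment line of the .pub file is the key entry.
    key_line=$(grep -v -e '^[[:space:]]*$' -e '^#' "$pubkey_file" | head -n 1)
    case $key_line in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    # Identify the key by "<type> <base64 blob>" so the same key with a
    # different comment does not create a duplicate entry.
    key_id=$(printf '%s\n' "$key_line" | awk '{print $1 " " $2}')

    # sshd with StrictModes refuses keys when the file or its directory
    # is writable by other users, so set tight permissions.
    auth_dir=$(dirname "$auth_file")
    mkdir -p "$auth_dir" && chmod 700 "$auth_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Fixed-string match also finds the key behind an options prefix.
    if grep -qF -e "$key_id" "$auth_file"; then
        echo present
        return 0
    fi

    # If the last existing entry lacks a trailing newline, add one first so
    # the new key is not glued onto the previous line.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        printf '\n' >> "$auth_file"
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo added
}
```

Call it as `add_authorized_key new_key.pub` for the current user, or pass a second argument to target another authorized_keys path.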

@huangpf
Contributor

huangpf commented Dec 17, 2016

The problem needs to be well defined in order to find the most accurate solution. What you describe is about the Linux VM extension reset-access and its supportive commands. If that's what you need, please let the repo admin route you to the Azure Linux team for triage & fix.

reset-access command is a specialized extension command, and set-extensions is a generic one that works for all extensions. It's likely that specialized commands may have some stale code that blocks the new scenarios, while the generic ones are always usable for all. If you can find PS/CLI2 or any client side tools that work for that use case using the extension APIs, capture the request/response payloads and compare to here to see what's wrong. But again, this is not owned or known by Compute team about how to solve. I'm making my suggestions for you to find the best owner and solution.

Like you said, it's not a CRP issue, so I'm going to remove the IaaS tag, and let you focus on the extension part.

IMO, title needs to reflect the extension focused asks.

@huangpf huangpf removed the KeyVault label Dec 17, 2016
@squillace
Contributor

Yes, this is about the behavior of azure vm reset-access. I am filing the issue against the CLI. Please route as is appropriate.

@amarzavery amarzavery removed the Team label Jan 4, 2017
@cicorias
Member

cicorias commented Aug 23, 2018

FYI the behavior of reset access with SSH keys actually "adds" the key to the authorized keys, not replace
MicrosoftDocs/azure-docs#6044

https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/vmaccess#update-ssh-key
