azure vm create: Cannot create a passwordless Linux VM #586

Closed
jeffwilcox opened this Issue Jun 10, 2013 · 3 comments

jeffwilcox commented Jun 10, 2013

Similar to the portal, I'd like to improve the SSH security of my instance by using a private key, providing just the PEM cert with the -t <cert> parameter.

However I'm still being prompted for a password; the Azure portal makes the password optional.

If I try entering a blank password when prompted, the error I get is 'Missing the required primitive field 'UserPassword' in the role' so I'm not sure how the portal configures VMs that have none but it is possible!

Expected:
Able to provide just the PEM cert with -t mycert.pem and no prompt for password in this scenario.

See also, portal -
image

ghost assigned eduardkoller Jun 11, 2013

ghost commented Jun 11, 2013

The underlying issue here is that our serialization logic inside the role model system will ignore empty strings from appearing in XML; however, in this specialized scenario, the REST endpoints will actually happily accept an empty password as long as it is included in an empty XML element in the request. This scenario is only for SSH scenarios where the DisableSshPasswordAuthentication element is provided and set to true. In standard password scenarios, an empty password will still be rejected by the server.

I've prototyped a working fix to unblock myself and these commits are available to review. Happy to clean up and try to pull into the product at some point but of course I did this with only manual testing (unblocking my work) vs writing unit tests et al.

Node SDK fix:

Updates the role schema parser to support a new IncludeIfEmpty metadata value which is only used in conjunction with the UserPassword value in the schema. Also updates the schema json file.

This fix must be taken for the CLI change to work or the CLI's new values for the password are ignored.

https://github.com/jeffwilcoxmsft/azure-sdk-for-node/commit/70d2556a69b94e8ceefd2e2041a7897b7de931e7

X-plat CLI change:

Adds a new --no-ssh-password (and -P) parameter to azure vm create for this scenario.

https://github.com/jeffwilcoxmsft/azure-sdk-tools-xplat/commit/bcf7aadb00dc7fcc6fff66aa8fa6e148ffae31e3

PM question / design:

What should the default be? In the portal, the default for Linux IaaS VMs right now is to check the box for SSH certificate use and ask for the upload, with the password box unchecked.

This would imply that a breaking change should be made to match the portal behavior whereby when you specify the SSH certificate PEM file in the command line, to automatically disable the password sending unless you opt in to providing a password.

My implementation provided above does not do the breaking change but instead has the passwordless option be opt-in. I'm not a fan but it is lower impact.

I believe no Linux VM should have a password set in the IaaS world per the standards other cloud environments tend to have in this space.
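
An added illustration of the serialization behaviour described in the comment above (not part of the original thread and not the Node SDK's code): a schema-driven serializer that drops empty strings by default and emits an empty UserPassword element only when a per-field flag is set. The schema shape, the function names, the ConfigurationSet wrapper and the sample values are assumptions made for this example.

```javascript
// Added illustration; not the azure-sdk-for-node serializer.
// Schema shape, function names and the wrapper element are assumptions.
const schema = [
  { name: 'UserName' },
  { name: 'UserPassword', includeIfEmpty: true }, // modelled on the IncludeIfEmpty metadata
  { name: 'DisableSshPasswordAuthentication' },
];

function escapeXml(s) {
  return String(s).replace(/[<>&"']/g, (c) => ({
    '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&apos;',
  }[c]));
}

// honorIncludeIfEmpty=false reproduces the "empty strings are dropped" behaviour.
function serialize(role, fields, honorIncludeIfEmpty) {
  const parts = [];
  for (const f of fields) {
    const v = role[f.name];
    const empty = v === undefined || v === null || v === '';
    if (empty) {
      // Emit an empty element only for an explicit '' on a flagged field.
      if (honorIncludeIfEmpty && f.includeIfEmpty && v === '') {
        parts.push(`<${f.name}></${f.name}>`);
      }
      continue;
    }
    parts.push(`<${f.name}>${escapeXml(v)}</${f.name}>`);
  }
  return `<ConfigurationSet>${parts.join('')}</ConfigurationSet>`;
}

// Client-side guard mirroring the server rule stated in the comment:
// an empty password is only acceptable when SSH password auth is disabled.
function validate(role) {
  if (role.UserPassword === '' && role.DisableSshPasswordAuthentication !== true) {
    throw new Error('empty UserPassword requires DisableSshPasswordAuthentication=true');
  }
  return role;
}

// Constructed sample role for a key-only Linux VM.
const role = { UserName: 'azureuser', UserPassword: '', DisableSshPasswordAuthentication: true };
const before = serialize(validate(role), schema, false); // UserPassword element missing
const after = serialize(validate(role), schema, true);   // empty UserPassword element present
console.log(before);
console.log(after);
```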

andrerod commented Aug 11, 2013

@jeffwilcoxmsft: You've done this, right? Can we close this issue?

jeffwilcox commented Aug 11, 2013

Yes.

jeffwilcox closed this Aug 11, 2013

amitapl pushed a commit to amitapl/azure-sdk-for-node that referenced this issue May 28, 2014
