bastion-tunnel --subscription <subscription id> --group <resource group> --name <bastion name> --target-addr <remote vm ip> --target-port <remote vm port> --local-port <local listening port>
Traditional SSH client key authentication requires a PRIVATE key on the client side to establish a connection to the SSH server.
Sharing that private key poses a significant security risk. Even placing the key in a key vault as a secret does not mitigate this risk, since individuals may retain a local copy of the key after their access to the key vault has been revoked.
The bastion-tunnel approach instead uses a non-exportable RSA key stored in the key vault to authenticate with the SSH server behind the bastion, so the private key material never leaves the vault. This significantly raises the security level of the bastion and further safeguards sensitive access.
PowerShell:
Add-AzKeyVaultKey -VaultName <keyvaultname> -Name <keyname> -Destination Software -KeyType RSA
NOTE: the public key is printed to stdout on your first run; add it to the SSH server's ~/.ssh/authorized_keys.
bastion-tunnel --subscription <subscription id> --group <resource group> --name <bastion name> --target-addr <remote vm ip> --run-ssh --ssh-user <sshusername> --ssh-keyvault-url "https://<keyvaultname>.vault.azure.net" --ssh-keyvault-keyname <key_generated>
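Because the tool prints the public key to stdout, it is worth confirming independently that the key you add to authorized_keys is the one held in the vault. The following is an added example (not part of bastion-tunnel) that derives the OpenSSH authorized_keys line and SHA256 fingerprint from the RSA key's JWK fields `n` and `e` (base64url, as Key Vault's get-key API returns them) and parses the line back; the sample `n`/`e` values are constructed for the demonstration and are not a real key.

```python
import base64
import hashlib
import struct


def _b64url_decode(s: str) -> bytes:
    # JWK fields are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode_int(value: int) -> str:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _ssh_string(b: bytes) -> bytes:
    # SSH wire "string": 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(value: int) -> bytes:
    # SSH "mpint" is two's complement; prepend 0x00 if the top bit is set.
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def jwk_rsa_to_openssh(n_b64url: str, e_b64url: str, comment: str = "") -> str:
    # Build the ssh-rsa blob (RFC 4253 section 6.6): "ssh-rsa", e, n.
    n = int.from_bytes(_b64url_decode(n_b64url), "big")
    e = int.from_bytes(_b64url_decode(e_b64url), "big")
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def parse_openssh_rsa(line: str) -> tuple[int, int]:
    # Return (e, n) from an authorized_keys line; raises if not ssh-rsa.
    blob = base64.b64decode(line.split()[1])
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def openssh_fingerprint(line: str) -> str:
    # Same format as `ssh-keygen -lf`: SHA256 of the blob, unpadded base64.
    blob = base64.b64decode(line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


# Constructed sample JWK values (not a real key; top bit set to exercise mpint padding).
SAMPLE_N_INT = (1 << 255) | 0x1234567
SAMPLE_N = _b64url_encode_int(SAMPLE_N_INT)
SAMPLE_E = "AQAB"  # 65537
```

Compare the fingerprint with the one ssh-keygen reports for the line bastion-tunnel printed; a mismatch means you are about to authorize a different key than the one in the vault.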
Your Bastion must be the Standard SKU with Native client support and IP-based connection enabled.