azure-cli-extensions: az network bastion ssh + AAD fails with "WARNING: UNPROTECTED PRIVATE KEY FILE!"

Describe the bug

When using az network bastion ssh --auth-type AAD the SSL certificate is automatically added to /tmp/aadsshcert... but the file permissions are set such that OpenSSH 8.2 fails with

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/tmp/aadsshcert23cd5o7q/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.

which means the connection cannot be established.

I know the bastion command delegates this work to the ssh extension, so this is probably more of an issue for the ssh extension authors to address.

Related command

az network bastion ssh --auth-type AAD

Errors

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/tmp/aadsshcert23cd5o7q/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.

Issue script & Debug output

cli.azext_ssh.ssh_utils: Running ssh-keygen command ssh-keygen -f /tmp/aadsshcert23cd5o7q/id_rsa -t rsa -q -N 
...
cli.azext_bastion.custom: Running ssh command /usr/bin/ssh chkittel@microsoft.com@localhost -i /tmp/aadsshcert23cd5o7q/id_rsa -o CertificateFile=/tmp/aadsshcert23cd5o7q/id_rsa.pub-aadcert.pub -p 34457 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=Error

Expected behavior

The generated id_rsa file is set to permissions of 600.

As a bonus, I think it could even be set to 400 since this directory is transient by nature. The temp directory (aadsshcert23cd5o7q in this specific example above) could even be set to 700 as well for added security/intent hygiene.

Environment Summary

azure-cli                         2.49.0

core                              2.49.0
telemetry                          1.0.8

Extensions:
bastion                            0.2.4
resource-graph                     2.1.0
ssh                                1.1.6

Dependencies:
msal                              1.20.0
azure-mgmt-resource               22.0.0

Additional context

No response
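The expected behaviour described above (private key at 600 or 400, transient directory at 700) and a check that mirrors the OpenSSH rule that produced the warning, as an added Python example. This is not the ssh extension's or the bastion extension's own code; the function names (create_key_dir, write_private_key, audit, fix_permissions) and the key bytes are assumptions constructed for the example.

```python
import os
import stat
import tempfile

# Constructed placeholder; not real key material.
SAMPLE_PRIVATE_KEY = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
    b"constructed-example-not-a-real-key\n"
    b"-----END OPENSSH PRIVATE KEY-----\n"
)


def mode_of(path: str) -> int:
    """Permission bits only (e.g. 0o644), without file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_too_open(path: str) -> bool:
    """Mirror OpenSSH's check: any group/other bit (0o077) on a private key
    makes it 'too open' and the key is ignored."""
    return bool(mode_of(path) & 0o077)


def create_key_dir() -> str:
    """Transient directory for generated key material, mode 0700 so other
    local users cannot list or traverse it. mkdtemp already uses 0700; the
    explicit chmod states the intent and survives a different implementation."""
    path = tempfile.mkdtemp(prefix="aadsshcert")
    os.chmod(path, stat.S_IRWXU)
    return path


def write_private_key(key_dir: str, name: str, pem: bytes, read_only: bool = False) -> str:
    """Create the key file with O_EXCL and mode 0600 so it never exists with
    open permissions, even briefly; optionally tighten to 0400 afterwards."""
    path = os.path.join(key_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(pem)
    if read_only:
        os.chmod(path, 0o400)
    return path


def audit(key_dir: str) -> list:
    """Names of private keys (anything not ending in .pub) that OpenSSH would
    refuse, plus the directory itself if it is readable by others."""
    problems = []
    if mode_of(key_dir) & 0o077:
        problems.append(".")
    for name in sorted(os.listdir(key_dir)):
        if name.endswith(".pub"):
            continue  # public keys and certificates may be world-readable
        if is_too_open(os.path.join(key_dir, name)):
            problems.append(name)
    return problems


def fix_permissions(key_dir: str) -> list:
    """Tighten the directory to 0700 and each private key to 0600."""
    fixed = []
    if mode_of(key_dir) & 0o077:
        os.chmod(key_dir, 0o700)
        fixed.append(".")
    for name in sorted(os.listdir(key_dir)):
        path = os.path.join(key_dir, name)
        if not name.endswith(".pub") and is_too_open(path):
            os.chmod(path, 0o600)
            fixed.append(name)
    return fixed


def demo() -> dict:
    """Reproduce the reported 0644 state, audit it, repair it, audit again."""
    key_dir = create_key_dir()
    priv = write_private_key(key_dir, "id_rsa", SAMPLE_PRIVATE_KEY)
    with open(os.path.join(key_dir, "id_rsa.pub"), "wb") as f:
        f.write(b"ssh-rsa constructed-public-key\n")
    os.chmod(priv, 0o644)  # the state reported in the issue
    before = audit(key_dir)
    fixed = fix_permissions(key_dir)
    after = audit(key_dir)
    return {
        "dir_mode": mode_of(key_dir),
        "before": before,
        "fixed": fixed,
        "after": after,
        "key_mode": mode_of(priv),
    }


if __name__ == "__main__":
    print(demo())
```

The audit deliberately ignores `.pub` files: OpenSSH only applies the 0o077 check to the private key it is asked to load, so `id_rsa.pub` and the `-aadcert.pub` certificate at 0644 are fine and should not be reported.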

About this issue

  • State: open
  • Created a year ago
  • Reactions: 3
  • Comments: 18 (11 by maintainers)

Most upvoted comments

Thank you for opening this issue, we will look into it.

Thank you for your patience. This problem is currently being investigated here https://github.com/Azure/azure-cli/issues/28417

I’m currently out of office, and will continue the investigation as soon as I arrive. As a temporary workaround, the users in the other issue reported that downgrading Azure CLI fixes the issue.

@vthiebaut10 can you take a look at this? This is likely a ssh extension issue as we can az ssh to generate the cert.

Any updates @yonzhan or @isamorris?

@isamorris are there any updates?

@ckittel reviewing now

Non customer reported. Adding Service team to look into this.