
Azure network bastion ssh and AAD - bad permissions #29161

@dazinator

Description


Describe the bug

  1. I am using az network bastion ssh with auth-type AAD, connecting into an Ubuntu VM with the Microsoft.Azure.ActiveDirectory.AADSSHLoginForLinux extension.

  2. I created a service principal, and gave it enough permissions to log in as a regular user

az ad sp create-for-rbac --name <your-service-principal-name> --skip-assignment
az role assignment create --assignee <appId> --role "Reader" --scope /subscriptions/{SubId}/resourceGroups/{ResourceGroupName}/providers/Microsoft.Network/bastionHosts/{BastionName}
az role assignment create --assignee <appId> --role "Virtual Machine User Login" --scope /subscriptions/{SubId}/resourceGroups/{ResourceGroupName}

  3. Tested access
az login --service-principal -u <appId> -p <client-secret> --tenant <tenant-id>
az network bastion ssh --name <BastionName> --resource-group <ResourceGroup> --target-resource-id <VMResourceId> --auth-type AAD

Worked fine.

Then tried a sudo command within this ssh session, which, due to AAD integration, wants to put you through device code flow auth. I want my ssh script to work unattended. I realised I can't use sudo, and instead need to grant the service principal the Virtual Machine Administrator Login role.

  4. End the SSH session, log out, log back in as me, and grant that service principal Virtual Machine Administrator Login
az logout
az login
az role assignment create --assignee <appId> --role "Virtual Machine Administrator Login" --scope /subscriptions/{SubId}/resourceGroups/{ResourceGroupName}

  5. Re-login as the service principal
az logout
az login --service-principal -u <appId> -p <client-secret> --tenant <tenant-id>
  6. Try the ssh again
az network bastion ssh --name <BastionName> --resource-group <ResourceGroup> --target-resource-id <VMResourceId> --auth-type AAD

At this point it fails

Command group 'az network' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
C:\Users\FOO~1\AppData\Local\Temp\aadsshcertpoyz1jx9 contains sensitive information (id_rsa, id_rsa.pub). Please delete once this certificate is no longer being used.
Generated SSH certificate C:\Users\FOO~1\AppData\Local\Temp\aadsshcertpoyz1jx9\id_rsa.pub-aadcert.pub is valid until 2024-06-13 16:19:48 in local time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'C:\Users\FOO~1\AppData\Local\Temp\aadsshcertpoyz1jx9\id_rsa.pub-aadcert.pub' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "C:\Users\FOO~1\AppData\Local\Temp\aadsshcertpoyz1jx9\id_rsa.pub-aadcert.pub": bad permissions
11111111-1c9a-4c8f-90f6-17bb2da0a477@localhost: Permission denied (publickey).

If I delete the temp folder and run it again, it creates a new temp folder but outputs the same "is valid until 2024-06-13 16:19:48 in local time" message.

My assumption is that:

  1. If you change the roles permitted to a service principal
  2. and you already have a cert issued for a set duration (managed by AAD)
  3. the cert is somehow invalidated for use (bad permissions) but a new cert is not being generated during this time period.

Related command

az network bastion ssh --name --resource-group --target-resource-id --auth-type AAD

Errors

Command group 'az network' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
C:\Users\FOO~1\AppData\Local\Temp\aadsshcertpoyz1jx9 contains sensitive information (id_rsa, id_rsa.pub). Please delete once this certificate is no longer being used.
Generated SSH certificate C:\Users\FOO~1\AppData\Local\Temp\aadsshcertpoyz1jx9\id_rsa.pub-aadcert.pub is valid until 2024-06-13 16:19:48 in local time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'C:\Users\FOO~1\AppData\Local\Temp\aadsshcertpoyz1jx9\id_rsa.pub-aadcert.pub' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "C:\Users\FOO~1\AppData\Local\Temp\aadsshcertpoyz1jx9\id_rsa.pub-aadcert.pub": bad permissions
11111111-1c9a-4c8f-90f6-17bb2da0a477@localhost: Permission denied (publickey).

Issue script & Debug output

cli.knack.cli: Command arguments: ['network', 'bastion', 'ssh', '--name', 'bas-foo-dev-we-01', '--resource-group', 'rg-env-dev-we-01', '--target-resource-id', '/subscriptions/11111111-2222-3333-4444-72d7f292c6b4/resourceGroups/rg-env-dev-we-01/providers/Microsoft.Compute/virtualMachines/vm-foo-dev-we-01', '--auth-type', 'AAD', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x000002B2611EB880>, <function OutputProducer.on_global_arguments at 0x000002B261376020>, <function CLIQuery.on_global_arguments at 0x000002B2613A3BA0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'network': ['azure.cli.command_modules.network', 'azure.cli.command_modules.privatedns', 'azext_bastion']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: network 0.383 115 454
cli.azure.cli.core: privatedns 0.022 14 60
cli.azure.cli.core: Total (2) 0.405 129 514
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: bastion 0.011 2 9 C:\Users\Foo Work.azure\cliextensions\bastion
cli.azure.cli.core: Total (1) 0.011 2 9
cli.azure.cli.core: Loaded 129 groups, 523 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : network bastion ssh
cli.azure.cli.core: Command table: network bastion ssh
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x000002B2642CA020>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\Foo Work.azure\commands\2024-06-13.16-07-47.network_bastion_ssh.38188.log'.
az_command_data_logger: command args: network bastion ssh --name {} --resource-group {} --target-resource-id {} --auth-type {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x000002B264334540>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x000002B2643345E0>, <function register_cache_arguments..add_cache_arguments at 0x000002B264334720>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x000002B2613760C0>, <function CLIQuery.handle_query_parameter at 0x000002B2613A3C40>, <function register_ids_argument..parse_ids_arguments at 0x000002B264334680>]
az_command_data_logger: extension name: bastion
az_command_data_logger: extension version: 0.2.5
Command group 'az network' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\Foo Work\.azure\service_principal_entries.bin', encrypt=True
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\Foo Work\.azure\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\Foo Work.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/11111111-2222-3333-4444-dcb301a9f39f
msal.authority: openid_config("https://login.microsoftonline.com/11111111-2222-3333-4444-dcb301a9f39f/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/11111111-2222-3333-4444-dcb301a9f39f/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/11111111-2222-3333-4444-dcb301a9f39f/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/11111111-2222-3333-4444-dcb301a9f39f/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/11111111-2222-3333-4444-dcb301a9f39f/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/11111111-2222-3333-4444-dcb301a9f39f/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/11111111-2222-3333-4444-dcb301a9f39f/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/11111111-2222-3333-4444-dcb301a9f39f/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
cli.azure.cli.core.auth.msal_authentication: ServicePrincipalCredential.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 9f7e2a5e-2230-4f7b-acca-c58ce4ae54d8
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/11111111-2222-3333-4444-72d7f292c6b4/resourceGroups/rg-env-dev-we-01/providers/Microsoft.Network/bastionHosts/bas-foo-dev-we-01?api-version=2022-01-01'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': 'b163db71-2996-11ef-95c4-106fd9766c7c'
cli.azure.cli.core.sdk.policies: 'CommandName': 'network bastion ssh'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--name --resource-group --target-resource-id --auth-type --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.60.0 (MSI) azsdk-python-core/1.28.0 Python/3.11.8 (Windows-10-10.0.22631-SP0)'
cli.azure.cli.core.sdk.policies: 'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/11111111-2222-3333-4444-72d7f292c6b4/resourceGroups/rg-env-dev-we-01/providers/Microsoft.Network/bastionHosts/bas-foo-dev-we-01?api-version=2022-01-01 HTTP/1.1" 200 1627
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '1627'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'ETag': 'W/"14f84a5d-3851-4077-820a-1dbb08dfd4a8"'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '43be98d1-7ec6-47fd-93e9-f39e562148a8'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '3f64e557-b46a-4c31-b8f0-f5a6d60542a2'
cli.azure.cli.core.sdk.policies: 'x-ms-arm-service-request-id': '428e96a1-9891-4a67-9496-53592d3238aa'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-reads': '249'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-global-reads': '3749'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'UKWEST:20240613T150750Z:3f64e557-b46a-4c31-b8f0-f5a6d60542a2'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: EEA32DA0C57E4233AF8EBF7AE468DE08 Ref B: AMS231032609035 Ref C: 2024-06-13T15:07:50Z'
cli.azure.cli.core.sdk.policies: 'Date': 'Thu, 13 Jun 2024 15:07:50 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {
"name": "bas-foo-dev-we-01",
"id": "/subscriptions/11111111-2222-3333-4444-72d7f292c6b4/resourceGroups/rg-env-dev-we-01/providers/Microsoft.Network/bastionHosts/bas-foo-dev-we-01",
"etag": "W/"14f84a5d-3851-4077-820a-1dbb08dfd4a8"",
"type": "Microsoft.Network/bastionHosts",
"location": "westeurope",
"properties": {
"provisioningState": "Succeeded",
"dnsName": "bst-5af14ead-0fcb-47c2-8f4c-4b0ac5d6ae60.bastion.azure.com",
"scaleUnits": 2,
"enableTunneling": true,
"enableFileCopy": true,
"disableCopyPaste": false,
"ipConfigurations": [
{
"name": "IpConf",
"id": "/subscriptions/11111111-2222-3333-4444-72d7f292c6b4/resourceGroups/rg-env-dev-we-01/providers/Microsoft.Network/bastionHosts/bas-foo-dev-we-01/bastionHostIpConfigurations/IpConf",
"etag": "W/"14f84a5d-3851-4077-820a-1dbb08dfd4a8"",
"type": "Microsoft.Network/bastionHosts/bastionHostIpConfigurations",
"properties": {
"provisioningState": "Succeeded",
"privateIPAllocationMethod": "Dynamic",
"publicIPAddress": {
"id": "/subscriptions/11111111-2222-3333-4444-72d7f292c6b4/resourceGroups/rg-env-dev-we-01/providers/Microsoft.Network/publicIPAddresses/pip-foo-bas-dev-we-01"
},
"subnet": {
"id": "/subscriptions/11111111-2222-3333-4444-72d7f292c6b4/resourceGroups/rg-env-dev-we-01/providers/Microsoft.Network/virtualNetworks/vnet-foo-dev-we-01/subnets/AzureBastionSubnet"
}
}
}
]
},
"sku": {
"name": "Standard"
}
}
cli.azext_bastion.tunnel: Creating a socket on port: 0
cli.azext_bastion.tunnel: Setting socket options
cli.azext_bastion.tunnel: Binding to socket on local address and port
cli.azext_bastion.tunnel: Auto-selecting port: 52343
cli.azext_bastion.tunnel: Finished initialization
cli.azext_ssh.ssh_utils: Platform architecture: 64bit
cli.azext_ssh.ssh_utils: OS architecture: 64bit
cli.azext_ssh.ssh_utils: System Root: C:\WINDOWS
cli.azext_ssh.ssh_utils: Attempting to run ssh-keygen from path C:\WINDOWS\System32\openSSH\ssh-keygen.exe
cli.azext_ssh.ssh_utils: Running ssh-keygen command C:\WINDOWS\System32\openSSH\ssh-keygen.exe -f C:\Users\FOOOOO1\AppData\Local\Temp\aadsshcertw4bs5vnx\id_rsa -t rsa -q -N
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/11111111-2222-3333-4444-dcb301a9f39f
msal.application: Broker enabled? None
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://pas.windows.net/CheckMyAccess/Linux/.default',), kwargs={'data': {'token_type': 'ssh-cert', 'req_cnf': '{"kty": "RSA", "n": "ANWLz9J-JyFd77mipOK1Xn42RsXHWa6JNnFq7RIzfAo2mCoFnC5WQmUOZ1Pj11x49QF1cZQ0-M6VmBHbWhm0snnFHhTygpf-MXEYbS9G3BnTuEm_eiTZK692lXXjjX_u4MwG1y5d2AfvUlqt3Sa3XFzG_wkIFvI8XJf5MMEPraWaZUYDspXjk6gZpsMpCQ9piZ9xG_7i4u4kq7Yfy_o1YA2N2-fs-h-2bSC3GkzbaSC48qQJ2Um31GPaTsSPFmYVjsU0zByC5FkmSPudw5SsFL3bUUxYvNronPyC8uiqxgk5ae0JwPzqtjUYuZJW1HktIt2g-HC16BlCCCNP3hJTWGuc62clQs7pVk6OE0hpAuJYDHlkwoBTUBI4S5Ci9mQ_5jlNicfGOMMZIPUWv32EG9dXLqjFLiKR4cAc9O3qBsTeB5v0k6TgJ9Hp1OuqN9XYwBN6vGiuwO77YQLKllRqvlVpleSkjpwrnnSvH302hIGvRABlrGPuSoxuuXEh_CYnhQ==", "e": "AQAB", "kid": "cc76e7746e5363ef647d41aaa1e789df107a4d98590cef20a5ac9b06b45809a8"}', 'key_id': 'cc76e7746e5363ef647d41aaa1e789df107a4d98590cef20a5ac9b06b45809a8'}}
cli.azure.cli.core.auth.msal_authentication: ServicePrincipalCredential.get_token: scopes=('https://pas.windows.net/CheckMyAccess/Linux/.default',), kwargs={'data': {'token_type': 'ssh-cert', 'req_cnf': '{"kty": "RSA", "n": "ANWLz9J-JyFd77mipOK1Xn42RsXHWa6JNnFq7RIzfAo2mCoFnC5WQmUOZ1Pj11x49QF1cZQ0-M6VmBHbWhm0snnFHhTygpf-MXEYbS9G3BnTuEm_eiTZK692lXXjjX_u4MwG1y5d2AfvUlqt3Sa3XFzG_wkIFvI8XJf5MMEPraWaZUYDspXjk6gZpsMpCQ9piZ9xG_7i4u4kq7Yfy_o1YA2N2-fs-h-2bSC3GkzbaSC48qQJ2Um31GPaTsSPFmYVjsU0zByC5FkmSPudw5SsFL3bUUxYvNronPyC8uiqxgk5ae0JwPzqtjUYuZJW1HktIt2g-HC16BlCCCNP3hJTWGuc62clQs7pVk6OE0hpAuJYDHlkwoBTUBI4S5Ci9mQ_5jlNicfGOMMZIPUWv32EG9dXLqjFLiKR4cAc9O3qBsTeB5v0k6TgJ9Hp1OuqN9XYwBN6vGiuwO77YQLKllRqvlVpleSkjpwrnnSvH302hIGvRABlrGPuSoxuuXEh_CYnhQ==", "e": "AQAB", "kid": "cc76e7746e5363ef647d41aaa1e789df107a4d98590cef20a5ac9b06b45809a8"}', 'key_id': 'cc76e7746e5363ef647d41aaa1e789df107a4d98590cef20a5ac9b06b45809a8'}}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: c3c9d1ef-8fe4-44bd-9372-78d321d5d5a2
cli.azext_ssh.custom: Generating certificate C:\Users\FOOOOO~1\AppData\Local\Temp\aadsshcertw4bs5vnx\id_rsa.pub-aadcert.pub
cli.azext_ssh.ssh_utils: Platform architecture: 64bit
cli.azext_ssh.ssh_utils: OS architecture: 64bit
cli.azext_ssh.ssh_utils: System Root: C:\WINDOWS
cli.azext_ssh.ssh_utils: Attempting to run ssh-keygen from path C:\WINDOWS\System32\openSSH\ssh-keygen.exe
cli.azext_ssh.ssh_utils: Running ssh-keygen command C:\WINDOWS\System32\openSSH\ssh-keygen.exe -L -f C:\Users\FOOOOO1\AppData\Local\Temp\aadsshcertw4bs5vnx\id_rsa.pub-aadcert.pub
cli.azext_ssh.custom: C:\Users\FOOOOO~1\AppData\Local\Temp\aadsshcertw4bs5vnx contains sensitive information (id_rsa, id_rsa.pub). Please delete once this certificate is no longer being used.
cli.azext_ssh.ssh_utils: Platform architecture: 64bit
cli.azext_ssh.ssh_utils: OS architecture: 64bit
cli.azext_ssh.ssh_utils: System Root: C:\WINDOWS
cli.azext_ssh.ssh_utils: Attempting to run ssh-keygen from path C:\WINDOWS\System32\openSSH\ssh-keygen.exe
cli.azext_ssh.ssh_utils: Running ssh-keygen command C:\WINDOWS\System32\openSSH\ssh-keygen.exe -L -f C:\Users\FOOOOO1\AppData\Local\Temp\aadsshcertw4bs5vnx\id_rsa.pub-aadcert.pub
Generated SSH certificate C:\Users\FOOOOO~1\AppData\Local\Temp\aadsshcertw4bs5vnx\id_rsa.pub-aadcert.pub is valid until 2024-06-13 16:19:48 in local time.
cli.azext_ssh.ssh_utils: Platform architecture: 64bit
cli.azext_ssh.ssh_utils: OS architecture: 64bit
cli.azext_ssh.ssh_utils: System Root: C:\WINDOWS
cli.azext_ssh.ssh_utils: Attempting to run ssh-keygen from path C:\WINDOWS\System32\openSSH\ssh-keygen.exe
cli.azext_ssh.ssh_utils: Running ssh-keygen command C:\WINDOWS\System32\openSSH\ssh-keygen.exe -L -f C:\Users\FOOOOO1\AppData\Local\Temp\aadsshcertw4bs5vnx\id_rsa.pub-aadcert.pub
cli.azext_bastion.custom: Platform architecture: ('64bit', 'WindowsPE')
cli.azext_bastion.custom: System Root: C:\WINDOWS
cli.azext_bastion.custom: Attempting to run ssh from path C:\WINDOWS\System32\openSSH\ssh.exe
cli.azext_bastion.custom: Running ssh command C:\WINDOWS\System32\openSSH\ssh.exe 48867581-1c9a-4c8f-90f6-17bb2da0a477@localhost -i C:\Users\FOOOOO~1\AppData\Local\Temp\aadsshcertw4bs5vnx\id_rsa -o CertificateFile=C:\Users\FOOOOO~1\AppData\Local\Temp\aadsshcertw4bs5vnx\id_rsa.pub-aadcert.pub -p 52343 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=Error
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/11111111-2222-3333-4444-dcb301a9f39f
msal.application: Broker enabled? None
cli.azure.cli.core.auth.msal_authentication: ServicePrincipalCredential.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: d48ca4b6-59b4-4563-aa2d-88590eb30373
cli.azext_bastion.tunnel: Content: {'resourceId': '/subscriptions/11111111-2222-3333-4444-72d7f292c6b4/resourceGroups/rg-env-dev-we-01/providers/Microsoft.Compute/virtualMachines/vm-foo-dev-we-01', 'protocol': 'tcptunnel', 'workloadHostPort': 22, 'aztoken': 'redacted', 'token': None}
urllib3.connectionpool: Starting new HTTPS connection (1): bst-5af14ead-0fcb-47c2-8f4c-4b0ac5d6ae60.bastion.azure.com:443
urllib3.connectionpool: https://bst-5af14ead-0fcb-47c2-8f4c-4b0ac5d6ae60.bastion.azure.com:443 "POST /api/tokens HTTP/1.1" 200 None
cli.azext_bastion.tunnel: Websocket, connected status: True
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'C:\Users\FOOOOO~1\AppData\Local\Temp\aadsshcertw4bs5vnx\id_rsa.pub-aadcert.pub' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "C:\Users\FOOOOO~1\AppData\Local\Temp\aadsshcertw4bs5vnx\id_rsa.pub-aadcert.pub": bad permissions
48867581-1c9a-4c8f-90f6-17bb2da0a477@localhost: Permission denied (publickey).
cli.azext_bastion.tunnel: [WinError 10054] An existing connection was forcibly closed by the remote host
cli.azext_bastion.tunnel: Client disconnected 1
cli.azext_bastion.tunnel: Cleaning up session
urllib3.connectionpool: Starting new HTTPS connection (1): bst-5af14ead-0fcb-47c2-8f4c-4b0ac5d6ae60.bastion.azure.com:443
cli.azext_bastion.tunnel: Received websocket index: 1
cli.azext_bastion.tunnel: Websocket close, index: 1
cli.azext_bastion.tunnel: Client disconnected!, index: 1
cli.azext_bastion.tunnel: Cleaning up session
urllib3.connectionpool: Starting new HTTPS connection (1): bst-5af14ead-0fcb-47c2-8f4c-4b0ac5d6ae60.bastion.azure.com:443
urllib3.connectionpool: https://bst-5af14ead-0fcb-47c2-8f4c-4b0ac5d6ae60.bastion.azure.com:443 "DELETE /api/tokens/D617994C39FB17B02D4D866BEA5891CB60523C32F0F5A8AD6BB77DC61231FB2A HTTP/1.1" 204 0
cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x000002B2643096C0>, <function x509_from_base64_to_hex_transform at 0x000002B264309760>]
cli.knack.cli: Event: CommandInvoker.OnFilterResult []
cli.knack.cli: Event: Cli.SuccessfulExecute []
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x000002B2642CA2A0>]
az_command_data_logger: exit code: 0
cli.main: Command ran in 6.027 seconds (init: 0.281, invoke: 5.746)
urllib3.connectionpool: https://bst-5af14ead-0fcb-47c2-8f4c-4b0ac5d6ae60.bastion.azure.com:443 "DELETE /api/tokens/D617994C39FB17B02D4D866BEA5891CB60523C32F0F5A8AD6BB77DC61231FB2A HTTP/1.1" 404 None
cli.azext_bastion.tunnel: Session already deleted
cli.azext_bastion.tunnel: Both debugger and websocket threads stopped...
cli.azext_bastion.tunnel: Stopped local server..
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3954 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\Users\Foo Work\.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

Expected behavior

SSH should succeed.

Environment Summary

azure-cli 2.60.0 *

core 2.60.0 *
telemetry 1.1.0

Extensions:
azure-devops 0.26.0
bastion 0.2.5
ssh 2.0.2

Dependencies:
msal 1.28.0
azure-mgmt-resource 23.1.0b2

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\Daz Work.azure\cliextensions'

Python (Windows) 3.11.8 (tags/v3.11.8:db85d51, Feb 6 2024, 22:03:32) [MSC v.1937 64 bit (AMD64)]

Legal docs and information: aka.ms/AzureCliLegal

You have 2 update(s) available. Consider updating your CLI installation with 'az upgrade'

Additional context

No response
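A Windows pre-flight check for the failure reported above, added here as an example and not taken from the issue or the Azure CLI project: given the aadsshcert temp folder that az names in its "contains sensitive information" line, it lists the ACLs on the key and certificate that Win32-OpenSSH objects to, decodes the issued certificate with ssh-keygen -L so its validity window and principals can be compared between runs, and with -Tighten restricts both files to the current user. The folder name is an assumption; pass the one az prints.

```powershell
<#
  Added example; not from the issue or the Azure CLI / Bastion extension code.
  Usage: .\Check-AadSshCert.ps1 -CertDir "$env:LOCALAPPDATA\Temp\aadsshcertXXXXXXXX" [-Tighten]
  The folder name above is a placeholder; use the aadsshcert<random> folder that
  "az network bastion ssh --auth-type AAD" reports in its
  "contains sensitive information (id_rsa, id_rsa.pub)" line.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$CertDir,
    [switch]$Tighten
)
$ErrorActionPreference = 'Stop'

$sshKeygen = Join-Path $env:SystemRoot 'System32\OpenSSH\ssh-keygen.exe'
$keyFile   = Join-Path $CertDir 'id_rsa'                   # private key az generated
$certFile  = Join-Path $CertDir 'id_rsa.pub-aadcert.pub'   # Entra-issued certificate
$me        = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # DOMAIN\user

foreach ($f in @($keyFile, $certFile)) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Not found: $f" }

    # Win32-OpenSSH rejects a private key (and, as the output in this issue shows,
    # the file named by CertificateFile) when any ACE grants access to an identity
    # other than the owner, SYSTEM or Administrators. ACEs inherited from %TEMP%
    # are the usual reason a freshly created file is "too open".
    $acl = Get-Acl -LiteralPath $f
    Write-Host "`n== $f  (owner: $($acl.Owner))"
    $acl.Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize | Out-String | Write-Host

    if ($Tighten) {
        # Drop inherited ACEs and leave a single read ACE for the current user.
        & icacls $f /inheritance:r /grant:r "${me}:(R)" | Out-Null
        Write-Host "ACL on $f restricted to $me"
    }
}

# Decode what Entra issued. 'Valid:' is the window az reports as "is valid until";
# 'Principals:' is the identity the certificate was minted for. Re-run after a
# role change and compare 'Valid: from' to see whether a new certificate was issued.
$certInfo = & $sshKeygen -L -f $certFile
$certInfo | Write-Host

# Local expiry check so an unattended script can stop before attempting SSH.
$validLine = $certInfo | Where-Object { $_ -like '*Valid:*' } | Select-Object -First 1
if ($validLine -match 'to\s+(\S+)\s*$') {
    $until = [datetime]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
    if ($until -lt (Get-Date)) {
        Write-Warning "Certificate expired at $until (local time)."
    } else {
        Write-Host "Certificate valid until $until (local time)."
    }
}
```

Run it without -Tighten first to see which ACEs are inherited; ssh-keygen -L prints local time, matching the "valid until" line az writes.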


Labels: AAD, Auto-Assign, Auto-Resolve, Graph, Network - Bastion, RBAC, Service Attention, Upgrade, act-identity-squad, act-platform-engineering-squad, act-quality-productivity-squad, customer-reported, question