Day 69 - Managing Access to Linux VMs using Azure Key Vault - Part 2

This is the second in a series of posts about the options available to you to manage your Linux VMs in Azure using Azure Key Vault and how you can adapt this process in a YAML Pipeline. The other posts in this series can be found below.

Day 68 - Managing Access to Linux VMs using Azure Key Vault - Part 1
Day 69 - Managing Access to Linux VMs using Azure Key Vault - Part 2
Day 70 - Managing Access to Linux VMs using Azure Key Vault - Part 3


NOTE: This article was tested and written for a Linux Host running Ubuntu 18.04 with Azure CLI installed.


In today's article we will cover the following topics.

Install sshpass
Retrieve the SSH Private Key from Key Vault
Retrieve the SSH Private Key Password from Key Vault
Login to the Linux VM using your SSH Key and Password
Things to Consider
Conclusion




Install sshpass

sshpass is a command-line tool that supplies a password to ssh non-interactively, so a password or passphrase prompt can be answered from a bash script instead of being typed at the keyboard.

Run the following command to install sshpass.

sudo apt-get install -y sshpass

You should get back the following response.

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  sshpass
0 upgraded, 1 newly installed, 0 to remove and 58 not upgraded.
Need to get 10.5 kB of archives.
After this operation, 30.7 kB of additional disk space will be used.
Get:1 http://at.archive.ubuntu.com/ubuntu bionic/universe amd64 sshpass amd64 1.06-1 [10.5 kB]
Fetched 10.5 kB in 0s (78.7 kB/s)
Selecting previously unselected package sshpass.
(Reading database ... 182191 files and directories currently installed.)
Preparing to unpack .../sshpass_1.06-1_amd64.deb ...
Unpacking sshpass (1.06-1) ...
Setting up sshpass (1.06-1) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...

Retrieve the SSH Private Key from Key Vault

Run the following command to retrieve the SSH Private Key from the Key Vault and store it in /tmp.

SSH_PRIVATE_KEY=$(/usr/bin/az keyvault secret download \
--name "100-days-linux-vm" \
--vault-name "iac100dayslinuxkv" \
--file "/tmp/100-days-linux-vm" \
--output tsv 2>&1)

Next, run the following command to change the permissions on the SSH Private Key to 0600.

chmod 0600 "/tmp/100-days-linux-vm"

Retrieve the SSH Private Key Password from Key Vault

Run the following command to retrieve the SSH Private Key Password from the Key Vault and store it in the environment variable SSHPASS.

# stderr is deliberately not captured: an error or warning from az must not end up in SSHPASS.
export SSHPASS=$(/usr/bin/az keyvault secret show \
--name "100-days-linux-vm-password" \
--vault-name "iac100dayslinuxkv" \
--query value \
--output tsv)

Login to the Linux VM using your SSH Key and Password

Next, run the following command to log in to the Linux VM via SSH.

sshpass \
-P "pass" \
-e \
ssh \
-o "StrictHostKeyChecking=no" \
-o "UserKnownHostsFile=/dev/null" \
-i "/tmp/100-days-linux-vm" \
lxvmadmin@iac-100-linux-vm.westeurope.cloudapp.azure.com

You should get back the following response where you are then logged into the Linux VM in Azure.

Warning: Permanently added 'iac-100-linux-vm.westeurope.cloudapp.azure.com,40.115.61.255' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 5.0.0-1027-azure x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Dec  8 13:27:30 UTC 2019

  System load:  0.02              Processes:           107
  Usage of /:   4.1% of 28.90GB   Users logged in:     0
  Memory usage: 9%                IP address for eth0: 10.0.0.4
  Swap usage:   0%

 * Overheard at KubeCon: "microk8s.status just blew my mind".

     https://microk8s.io/docs/commands#microk8s.status

0 packages can be updated.
0 updates are security updates.


Last login: Sun Dec  8 13:25:39 2019 from 213.47.155.102
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

lxvmadmin@100dayslinuxvm:~$

When you are finished, log out of the Linux VM and then run the command below to delete the Private Key from your Host.

rm -f "/tmp/100-days-linux-vm"

Next, set the SSHPASS Environment Variable to a value of null.

export SSHPASS=""

Things to Consider

When using sshpass, you can use the -p option to pass the password directly on the command line; however, the password will then appear in cleartext in ps output. This is why we used the -e option instead, which reads the SSH Private Key Password from the environment variable SSHPASS. Be aware that this has its own security risks as well if the Linux Host you are working from is ever compromised.

While you are busy automating your processes for using the Private SSH Key to deploy and manage a Linux Host, make sure you are removing the Private Key from your automation Host and setting the SSHPASS environment variable to null before you finish your automation process.
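The cleanup advice above, as an added example that is not code from the original article: a helper that keeps the key file and SSHPASS inside one subshell, creates the key owner-only from the start, and removes it on any exit. The name with_vault_ssh is hypothetical; the vault and secret names are passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the article. with_vault_ssh is a hypothetical helper.
# Usage: with_vault_ssh VAULT KEY_SECRET PASS_SECRET SSH_ARGS...
# The body is a subshell ( ... ), so umask, traps and SSHPASS never
# reach the calling shell.
with_vault_ssh() (
    [ $# -ge 4 ] || { echo "usage: with_vault_ssh VAULT KEY PASS SSH_ARGS..." >&2; exit 2; }
    vault=$1; key_secret=$2; pass_secret=$3
    shift 3

    # Files are owner-only from creation, so there is no window between
    # the download and a later chmod 0600.
    umask 077
    workdir=$(mktemp -d) || exit 1
    # Remove the key on success, failure or interruption.
    trap 'rm -rf "$workdir"' EXIT
    trap 'exit 130' INT TERM
    key_file="$workdir/id"

    # The target file must not exist yet, hence a fresh private directory.
    az keyvault secret download \
        --name "$key_secret" \
        --vault-name "$vault" \
        --file "$key_file" >/dev/null || exit 1

    # stderr is not captured, so an az error can never become the passphrase.
    SSHPASS=$(az keyvault secret show \
        --name "$pass_secret" \
        --vault-name "$vault" \
        --query value \
        --output tsv) || exit 1
    export SSHPASS

    # -e reads the passphrase from SSHPASS; -P "pass" matches the prompt,
    # as in the article's command.
    sshpass -P "pass" -e ssh -i "$key_file" "$@"
    rc=$?
    exit "$rc"
)
```

Arguments after the three names are handed to ssh unchanged, so the target and any host-key options remain the caller's choice.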


Conclusion

In today's article we deployed a Linux VM using the SSH Keys and Password from Azure Key Vault. If there's a specific scenario that you wish to be covered in future articles, please create a New Issue in the starkfell/100DaysOfIaC GitHub repository.