Oliver Bock

Reputation: 5115

How can I get the SSH host key for a new Azure Linux VM created using PowerShell?

If I create an Azure Linux VM using PowerShell, how can I get its new SSH host key, so that I can install it in my local ssh/PuTTY? Preferably the solution is also PowerShell code.

Upvotes: 23

Views: 14553

Answers (7)

Vivek Raj

Reputation: 519

# Create an SSH key pair for client authentication. The options:
#   -m PEM   key format      -t rsa   key type      -b 4096   key length in bits
#   -C       comment         -f       file name for the private key
# (trailing comments after a backslash break line continuation, so they are kept here instead)
ssh-keygen -m PEM -t rsa -b 4096 -C "azureuser" -f terraform-azure.pem

Upvotes: 1

Martin Prikryl

Reputation: 202474

You can use a new "Run Command" feature of Azure Portal.

  • In your Virtual Machine page, go to "Run command" in "Operations" section of VM menu.
  • Select "RunShellScript" command.
  • Paste the following command:

    for f in /etc/ssh/ssh_host_*_key; do ssh-keygen -l -f "$f"; done
    
  • You will get an output like:

    Enable succeeded: 
    [stdout]
    256 SHA256:bKKCom8yh5gOuBNWaHHJ3rrnRXmCOAyPN/WximYEPAU /etc/ssh/ssh_host_ecdsa_key.pub (ECDSA)
    256 SHA256:IYeDl+gseYk46Acg4g2mcXGvCr7Z8FqOd+pCJz/KLHg /etc/ssh/ssh_host_ed25519_key.pub (ED25519)
    2048 SHA256:rA0lIXvHqFq7VHKQCqHwjsj28kw+tO0g/X4KnPpEjMk root@myazurevm (RSA)
    
    [stderr] 
    

    (the set of key types will vary with your VM image)


The feature can also be used via Azure CLI, which is shown in the link above and also in the answer by @mwik.


Check also my complete guide to Connecting securely to Microsoft Azure service with SFTP.

Upvotes: 10

mwik

Reputation: 303

Old question, but for newcomers there is nowadays an alternative available by using run-command in Azure CLI. There is probably an equivalent for PowerShell too, but I have not investigated that.

az vm run-command invoke --name <your-vm-name> --command-id RunShellScript --scripts "cat /etc/ssh/ssh_host_ecdsa_key.pub"

will output a json document from which you can extract the public key. Beware though that this process is incredibly slow (~30 seconds per host), but you only need to run it once. See this gist for an example of how to update the known_hosts file with Ansible.

Upvotes: 10
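Pulling the key out of that JSON and turning it into a known_hosts entry, as an added Python example that is not part of mwik's answer or of any Azure tooling. The JSON is a constructed sample in the shape `az vm run-command invoke` returns (assumed: a single entry under `value` whose `message` carries the script's `[stdout]` and `[stderr]` sections, as in the output quoted in the answer above), and the Ed25519 key bytes are made up, not any real VM's host key. Besides extracting the line, the parser decodes the blob and checks that the key type embedded in it matches the type at the start of the line, so a mangled or mislabelled key is rejected rather than written to known_hosts.

```python
import base64
import json
import re

# Constructed sample key: a valid Ed25519 wire encoding (length-prefixed type
# name, then a length-prefixed 32-byte key) wrapping constant bytes.  Not a
# real key; it only needs to decode correctly.
FAKE_ED25519_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
).decode()

# Constructed sample in the (assumed) shape `az vm run-command invoke` prints.
SAMPLE_RUN_COMMAND_JSON = json.dumps({
    "value": [{
        "code": "ProvisioningState/succeeded",
        "displayStatus": "Provisioning succeeded",
        "level": "Info",
        "message": (
            "Enable succeeded: \n[stdout]\n"
            f"ssh-ed25519 {FAKE_ED25519_BLOB} root@myazurevm\n"
            "[stderr]\n"
        ),
        "time": None,
    }]
})

# One public-key line: type, Base64 blob, optional comment.
KEY_LINE = re.compile(
    r"^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+|ssh-dss) ([A-Za-z0-9+/=]+)(?: (.*))?$"
)


def stdout_of_run_command(raw_json):
    """Return the text between the [stdout] and [stderr] markers of a run-command result."""
    doc = json.loads(raw_json)
    message = doc["value"][0]["message"]
    start = message.index("[stdout]\n") + len("[stdout]\n")
    end = message.index("[stderr]", start)
    return message[start:end]


def parse_host_keys(text):
    """Return [(key_type, base64_blob)] for every public-key line in text.

    The blob must decode as Base64, and the type name embedded in the wire
    format (uint32 length + ASCII name) must equal the type at line start."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line.strip())
        if not m:
            continue
        key_type, blob = m.group(1), m.group(2)
        raw = base64.b64decode(blob, validate=True)
        name_len = int.from_bytes(raw[:4], "big")
        if raw[4:4 + name_len].decode("ascii", "replace") != key_type:
            raise ValueError(f"key type mismatch on line: {line}")
        keys.append((key_type, blob))
    return keys


def known_hosts_lines(hostname, keys, port=22):
    """Build known_hosts entries; a non-default port uses the [host]:port form."""
    host = hostname if port == 22 else f"[{hostname}]:{port}"
    return [f"{host} {key_type} {blob}" for key_type, blob in keys]


if __name__ == "__main__":
    found = parse_host_keys(stdout_of_run_command(SAMPLE_RUN_COMMAND_JSON))
    for entry in known_hosts_lines("myvm.example.com", found):
        print(entry)
```

Appending the printed lines to `~/.ssh/known_hosts` is the OpenSSH side; PuTTY keeps its cache in the registry, so PuTTY users are better served by comparing the fingerprint on first connect (see the fingerprint example further down).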

lordcheeto

Reputation: 1091

The RSA, DSA, ECDSA, and ED25519 keys are generated on first boot, and available in the boot diagnostics log.

(images: "Key generation", "Key listing")

If you don't catch it on the first boot, I don't think it's listed anywhere else in the portal. There's only one feasible, secure option of which I can think for recovering the fingerprint for an already-deployed VM.

  1. Create a new VM.

  2. Attach the VHD of the VM for which you need the fingerprint.

  3. Verify your connection to the new VM using the fingerprint in the boot diagnostics.

  4. Check the fingerprint for the generated /etc/ssh/ssh_host_rsa_key.pub file on the other disk.

    ssh-keygen -lf /{path}/ssh_host_rsa_key.pub

You may need to add the -E md5 switch if you need the hexadecimal encoded MD5 hash.

PowerShell

To get the boot diagnostics data via PowerShell:

Get-AzureRmVMBootDiagnosticsData -ResourceGroupName ExampleGroup -Name TestLab -Linux

Connecting with PuTTY

Azure computes the host key fingerprints as a Base64 encoded string of the SHA-256 hash of the public key. When you attempt to connect using PuTTY, it presents the fingerprint as a hexadecimal encoded string of the MD5 hash of the public key.

Fortunately, Azure also lists the full public key in the boot diagnostics log, where it says BEGIN SSH HOST KEY KEYS in the second image. With that, we can manually compute the fingerprint as presented by PuTTY.

C#

using System;
using System.Security.Cryptography;

// Takes the Base64 blob (the second field of a "ssh-rsa AAAA... comment" line)
// and returns the MD5 fingerprint in PuTTY's colon-separated hex form.
static string ComputeMD5FingerprintFromBase64(string encoded)
{
  // Convert Base64 string to byte array.
  byte[] pub = Convert.FromBase64String(encoded);

  // Compute MD5 hash of the raw key blob (MD5 is not a security property here,
  // it is simply the legacy fingerprint format older PuTTY versions display).
  using (HashAlgorithm md5 = MD5.Create())
  {
    byte[] hash = md5.ComputeHash(pub);

    // BitConverter emits upper-case hex; PuTTY shows lower-case, so compare case-insensitively.
    return BitConverter.ToString(hash).Replace('-', ':');
  }
}

Windows

For instructions on securely connecting to a Windows VM with RDP, see my answer on this StackOverflow question.

Upvotes: 3
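The two fingerprint formats side by side, as an added Python example that is neither lordcheeto's C# nor anything from Azure, OpenSSH or PuTTY. It computes the `SHA256:` form that Azure's boot diagnostics and `ssh-keygen -l` print and the colon-hex MD5 form that older PuTTY and `ssh-keygen -E md5` show, from the same Base64 public key blob, and it extracts key lines from a constructed boot-diagnostics fragment. The layout of the `BEGIN SSH HOST KEY KEYS` block is assumed from cloud-init's output and the key bytes are made up; the `fingerprint_matches` helper is this example's own, not an Azure API.

```python
import base64
import hashlib
import re

# Constructed sample key: a valid Ed25519 wire encoding around constant bytes.
FAKE_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
).decode()

# Constructed fragment of a Linux boot-diagnostics log (cloud-init block layout assumed).
SAMPLE_BOOT_LOG = f"""\
ci-info: no authorized SSH keys fingerprints found for user azureuser.
-----BEGIN SSH HOST KEY KEYS-----
ssh-ed25519 {FAKE_BLOB} root@myazurevm
-----END SSH HOST KEY KEYS-----
"""

HOST_KEY_BLOCK = re.compile(
    r"-----BEGIN SSH HOST KEY KEYS-----\n(.*?)-----END SSH HOST KEY KEYS-----", re.S
)


def host_keys_from_boot_log(log_text):
    """Return {key_type: base64_blob} from the BEGIN/END SSH HOST KEY KEYS block."""
    m = HOST_KEY_BLOCK.search(log_text)
    if not m:
        raise ValueError("no host key block in log")
    keys = {}
    for line in m.group(1).splitlines():
        parts = line.split()
        if len(parts) >= 2:
            keys[parts[0]] = parts[1]
    return keys


def sha256_fingerprint(blob_b64):
    """OpenSSH/Azure style: 'SHA256:' + unpadded Base64 of SHA-256(raw key blob)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def md5_fingerprint(blob_b64):
    """Legacy PuTTY / `ssh-keygen -E md5` style: colon-separated lower-case hex of MD5(raw key blob)."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(blob_b64, shown):
    """True if the fingerprint a client displayed (either format, any hex case,
    with or without the SHA256:/MD5: prefix) belongs to this key blob."""
    shown = shown.strip()
    if shown.upper().startswith("MD5:"):
        shown = shown[4:]
    if len(shown.split(":")) == 16:            # 16 hex pairs: the MD5 form
        return shown.lower() == md5_fingerprint(blob_b64)
    if not shown.startswith("SHA256:"):
        shown = "SHA256:" + shown
    return shown.rstrip("=") == sha256_fingerprint(blob_b64)


if __name__ == "__main__":
    for key_type, blob in host_keys_from_boot_log(SAMPLE_BOOT_LOG).items():
        print(key_type, sha256_fingerprint(blob), md5_fingerprint(blob))
```

The check that matters is that three independently obtained values agree: the fingerprint in the boot diagnostics (or from `ssh-keygen -l` run on the VM), the one computed from the public key line, and the one the client shows on first connect; `fingerprint_matches` accepts either format so one comparison serves OpenSSH and PuTTY users alike.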

spearous

Reputation: 47

In their help document, there is a page talking about how to reset the password or ssh key:

https://learn.microsoft.com/en-us/azure/virtual-machines/linux/troubleshoot-ssh-connection

Upvotes: -2

Nullpointer

Reputation: 1872

Windows VM Example

    Select-AzureSubscription mysub
    $service = 'yourservicename1'
    $location = 'West US'
    New-AzureService -ServiceName $service -Location $location
    Add-AzureCertificate -CertToDeploy 'D:\User-Data\development\Azure Samples\mlwdevcert.cer' -ServiceName $service
    $cert1 = New-AzureCertificateSetting -Thumbprint D7BECD4D63EBAF86023BB4F1A5FBF5C2C924902A -StoreName 'My'
    New-AzureVMConfig -ImageName 'MSFT__Windows-Server-2012-Datacenter-201208.01-en.us-30GB.vhd' -InstanceSize 'Small' -Name 'win2012cert' |
        Add-AzureProvisioningConfig -Windows -Password 'somepass@1' -Certificates $cert1 |
        New-AzureVM -ServiceName $service

Linux VM Example

    Select-AzureSubscription mysub
    $service = 'yourservicename1'
    $location = 'West US'
    New-AzureService -ServiceName $service -Location $location
    Add-AzureCertificate -CertToDeploy 'D:\User-Data\development\Azure Samples\mlwdevcert.cer' -ServiceName $service
    $sshKey = New-AzureSSHKey -PublicKey -Fingerprint D7BECD4D63EBAF86023BB4F1A5FBF5C2C924902A -Path '/home/admin/.ssh/authorized_keys'
    New-AzureVMConfig -ImageName 'CANONICAL__Canonical-Ubuntu-12-04-amd64-server-20120528.1.3-en-us-30GB.vhd' -InstanceSize 'Small' -Name 'linuxwithcert' |
        Add-AzureProvisioningConfig -Linux -LinuxUser 'mwasham' -Password 'somepass@1' -SSHPublicKeys $sshKey |
        New-AzureVM -ServiceName $service

Note: The -Certificates and -SSHPublicKeys parameters are arrays so they can accept multiple certificates. -SSHPublicKeys $sshKey1,$sshKey2

For Linux there is also the -SSHKeyPairs parameter for passing a key pair instead of just the public key. -Certificates can handle both types on Windows.

Upvotes: -1

gh0st

Reputation: 1714

Perhaps this is exactly what you're looking for. I will try it with you on my account right now.

Basically it looks like you need to attach a .pem upon creation.

Which should yield your certificate thumbprint.

Upvotes: -1
