Linux deployment on Windows Azure requires PEM or DER encoded x509 public key at the provisioning time to enable authenticated remote login through SSH. This post is complimentary to http://www.windowsazure.com/en-us/manage/linux/how-to-guides/ssh-into-linux/ and encapsulates key generation into a simple shell script on both Linux and Windows.
In this write up, we will generate a self-signed public/private kley pair for the purpose of testing using openssl to be used during the provisioning of Linux VM. The generated private key can be used to connect to Linux using ssh command from within Linux or use Putty.exe as SSH client in either Linux or Windows.
In this write up, “Linux” and “Ubuntu” are used interchangeably; Ubuntu 11.10 was used to test this process. Here are the detailed steps for generating Windows Azure compatible SSH key pair on Ubuntu and Windows:
The above command should bring openssl to the latest version. The key generation process described here has been tested with OpenSSL 1.0.1c.
The following is the bash script for key pair generation; let us save this into a file named gensshkey.sh:
#!/bin/bash REQUIRED_ARGS=1 E_NOT_ENOUGH_ARGS=65
#first argument will be used as the key prefix #second argument is optional and if given will be used as a pass #phrase for DES3 protection of the private key case $# in 1) openssl req -x509 -days 365 -newkey rsa:2048 -keyout $1sshpvt.pem -out $1pub.pem -nodes openssl rsa -in $1sshpvt.pem -out $1pvt.pem ;; 2) openssl req -x509 -days 365 -newkey rsa:2048 -keyout $1sshpvt.pem -out $1pub.pem -passout pass:$2 openssl rsa -in $1sshpvt.pem -passin pass:$2 -out $1pvt.pem -des3 -passout pass:$2 ;; *) echo "Usage for unprotected private key: gensshkey.sh <key_prefix>" echo "Example: gensshkey.sh \"db\"" echo "Usage for password protected private key: gensshkey.sh <key_prefix> <pass phrase>" echo "Example: gensshkey.sh db pass@word1" exit $E_NOT_ENOUGH_ARGS ;; esac echo "generated $1sshpvt.pem, $1pub.pem and $1pvt.pem"
gensshkey.sh takes two command line arguments: key prefix and password as shown below:
Execution of the openssl command through the above script will prompt for geo and personal information for which defaults can be accepted. The values you supply will not impact the integrity of the keys in anyway. This will generate dbsshkey.pem, dbpvt.pem and dbpub.pem with the private key DES3 encrypted with pass phrase “pass@word1”.
gensshkey.sh can also be used to generate a clear text private key (not recommended for real production use) by leaving out the pass phrase as shown below:
dbsshkey.pem generated above can be used with ssh command from within the local Linux box. But first, we need to restrict the permissions to this key file; otherwise ssh will complain that the key is too open. Following is the command sequence:
If you prefer putty.exe as a SSH client, use dbpvt.pem to convert it into .PPK format (from the “Conversions –> Import Key –> Save Private Key menu sequence in the tool bar) using puttygen.exe and use the .ppk file with putty.exe to authenticate the client. Usage of puttygen.exe is documented here: http://www.windowsazure.com/en-us/manag e/linux/how-to-guides/ssh-into-linux/.
Linux VM provisioning process is documented at: http://www.windowsazure.com/en-us/manage/linux/tutorials/virtual-machine-from-gallery/. During the step 4 of the provisioning process shown at the above page, check “SECURE USING SSH KEY” and provide the public key file (eg. dbpub.pem generated above) so that the provisioning engine can inject public key into the .ssh/authorized_keys folder.
Windows Server 2008 R2/Windows 7
If you are planning to use generate SSH keys on a Windows client (this was tested on Windows Server 2008 R2; it should work on Windows 7 as well) and use putty.exe on Windows to SSH into an Azure hosted Linux box, here is a simple shell script to help with the keys.
Windows binaries of the openssl can be obtained from http://www.openssl.org/related/binaries.html. The following batch file simplifies the usage of openssl which we will save it as gensshkey_win.cmd.
@echo off if "%1" == "" goto error if "%2" == "" goto nodes openssl req -x509 -config C:\OpenSSL-Win64\bin\openssl.cfg -days 365 -newkey rsa:2048 -keyout %1sshkey.pem -out %1pub.pem -passout pass:%2 openssl rsa -in %1sshkey.pem -passin pass:%2 -out %1pvt.pem -des3 -passout pass:%2 echo "generated" %1sshkey.pem, %1pub.pem and %1pvt.pem goto eof :nodes openssl req -x509 -config C:\OpenSSL-Win64\bin\openssl.cfg -days 365 -newkey rsa:2048 -keyout %1sshkey.pem -out %1pub.pem -nodes openssl rsa -in %1sshkey.pem -out %1pvt.pem echo "generated" %1sshkey.pem, %1pub.pem and %1pvt.pem goto eof :error echo "usage: gensshkey_win <key prefix> <optional pass phrase>" echo "key prefix used to prefix the generated files; use a prefix that represent your key usage" echo "example: gensshkey_win db pass@word1 echo "example: gensshkey_win db :eof
Execute the following command to generate a pass phrase protected key pair:
Execution of the openssl through the above command will prompt for geo and personal information as mentioned previously; just hit ENTER if you are ok with the defaults.
This will generate dbsshkey.pem, dbpvt.pem and dbpub.pem with the private key DES3 encrypted with pass phrase “pass@word1” similar to the openssl process on Linux.
For clear text private key, invoke the above shell script with just the prefix as shown below.
dbsshkey.pem thus generated can be used from within Linux to connect to other Linux instances using ssh command. dbpvt.pem can be used to convert it to .PPK format through puttygen.exe for using putty.exe usage as the SSH client on Windows and Linux.
For more Linux on Windows Azure related information visit: http://www.windowsazure.com/en-us/manage/linux/.