Update 2023-09-15 Using Control Master

This is my preferred approach now, as it is simple to use, and doesn’t come with the added security issues of having authentication keys lying around.

It utilises an SSH capability called ControlMaster, which multiplexes multiple SSH sessions over the same connection. Only the initial connection requires authentication; all subsequent SSH or SCP calls to the same account+host then reuse the authenticated connection.

Step 1 is to set up your SSH to use ControlMaster. In ~/.ssh/config add

host *
  ControlMaster auto
  ControlPath ~/.ssh/ssh_mux_%h_%p_%r

Then, your first connection will be az ssh vm --ip xx.yy.zz.aa.

Once you connect, note your username, either from the prompt, or use whoami.

Now, for your scp or ssh call, connect to <username>@xx.yy.zz.aa, where <username> is the name you noted above.

The ControlMaster will persist until the last connection closes.

Generating SSH Config

Azure supports Azure AD-managed SSH access to Linux VMs using a command such as az ssh vm --ip 10.1.1.1. This includes controlling sudo access using Azure AD groups. Super useful.

However, in order to get the file transfer component of ssh (scp) to work, we need to jump through a couple of poorly documented hoops.

First, we need to generate an ssh config for each VM we want to scp into. This will include the Azure certificate, which is required to connect, in addition to the SSH key.

az ssh config --ip 10.1.1.1 --file azuressh.config

This can now be used for vanilla SSH, and for scp using the -F flag.

ssh -F azuressh.config 10.1.1.1
scp -F azuressh.config 10.1.1.1:somefile .

Note, this command generates the keys and certificates into a temporary directory, so they will be cleaned up on reboot. It is possible to specify the output path for these files as part of the az ssh config command, but I’ll leave that up to you to figure out.

Just remember to secure these files, as they provide passwordless access to a remote machine.
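One way to check that, as an added example that is not part of the original post: the script below reads a config such as azuressh.config, finds the key and certificate files it references, and reports any that are missing (for instance after the temporary directory was cleaned up) or accessible to group or others. It assumes the generated config names those files with IdentityFile and CertificateFile directives; the function names list_key_files and audit_key_files are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): audit the key material that an
# ssh config file, such as azuressh.config, points at.

# Print the paths named by IdentityFile / CertificateFile in config file $1.
# Assumes the "Keyword value" form; the "Keyword=value" form is not handled.
list_key_files() {
    awk 'tolower($1) == "identityfile" || tolower($1) == "certificatefile" {
             $1 = ""; sub(/^[ \t]+/, ""); gsub(/"/, ""); print
         }' "$1"
}

# Report each referenced file that is missing or that grants any permission
# to group or others. Returns 0 only when every file exists and is owner-only.
audit_key_files() {
    files=$(list_key_files "$1")
    status=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        # Expand a leading ~/ the way ssh would.
        case $f in "~/"*) f="$HOME/${f#??}" ;; esac
        if [ ! -e "$f" ]; then
            echo "MISSING $f"; status=1; continue
        fi
        # Characters 5-10 of the ls mode string are the group and other bits.
        perms=$(ls -ld -- "$f" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "LOOSE $f"; status=1
        fi
    done <<EOF
$files
EOF
    return "$status"
}

# Run the audit when a config path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_key_files "$1"
fi
```

Run it as sh audit.sh azuressh.config; a LOOSE line means the file should be restricted with chmod 600, and a MISSING line means the config needs to be regenerated.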