az ssh vm "Bad permissions" on a folder it created #27282

Description

@silverl

Describe the bug

azure-cli 2.51.0

I'm attempting to use az ssh vm from my Windows PC to a Linux VM in Azure.

Here's what I'm getting.

OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3
Bad permissions. Try removing permissions for user: BUILTIN\\Users (S-1-5-32-545) on file C:/Users/REDACTED/AppData/Local/Temp/aadsshcert9tfesyxc/id_rsa.pub-aadcert.pub.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'C:\\Users\\REDACTED\\AppData\\Local\\Temp\\aadsshcert9tfesyxc\\id_rsa.pub-aadcert.pub' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "C:\\Users\\REDACTED\\AppData\\Local\\Temp\\aadsshcert9tfesyxc\\id_rsa.pub-aadcert.pub": bad permissions

With the file Explorer open, I can see the folder aadsshcert9tfesyxc created on the fly, then deleted.

So it appears to me that the az cli is creating a folder in which to place some keys, then rejecting its use because it doesn't like the permissions of the folder it just made.

Related command

az ssh vm --ip a.b.c.d

Errors

The command failed as stated above.

Issue script & Debug output

cli.knack.cli: Command arguments: ['ssh', 'vm', '--ip', 'IP_REDACTED', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x02D8B610>, <function OutputProducer.on_global_arguments at 0x02E8D850>, <function CLIQuery.on_global_arguments at 0x02EA14A8>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'ssh': ['azext_ssh']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: Total (0)                 0.000         0         0
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name                  Load Time    Groups  Commands  Directory
cli.azure.cli.core: ssh                       0.085         1         4  C:\Users\REDACTED\.azure\cliextensions\ssh
cli.azure.cli.core: Total (1)                 0.085         1         4
cli.azure.cli.core: Loaded 1 groups, 4 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : ssh vm
cli.azure.cli.core: Command table: ssh vm
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x0504C778>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\REDACTED\.azure\commands\2023-08-29.10-40-11.ssh_vm.29752.log'.
az_command_data_logger: command args: ssh vm --ip {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x050748E0>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x05082850>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x05082A48>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x02E8D898>, <function CLIQuery.handle_query_parameter at 0x02EA14F0>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x05082A00>]
az_command_data_logger: extension name: ssh
az_command_data_logger: extension version: 2.0.1
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=ComputeManagementClient
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\\Users\\REDACTED\\.azure\\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\REDACTED\.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/IP_REDACTED/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/IP_REDACTED/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/IP_REDACTED/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/IP_REDACTED/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/IP_REDACTED/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/IP_REDACTED/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/IP_REDACTED/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? True
cli.azext_ssh.ssh_utils: Platform architecture: 32bit
cli.azext_ssh.ssh_utils: OS architecture: 64bit
cli.azext_ssh.ssh_utils: System Root: C:\WINDOWS
cli.azext_ssh.ssh_utils: Attempting to run ssh-keygen from path C:\WINDOWS\SysNative\openSSH\ssh-keygen.exe
cli.azext_ssh.ssh_utils: Running ssh-keygen command C:\WINDOWS\SysNative\openSSH\ssh-keygen.exe -f C:\Users\REDACTED\AppData\Local\Temp\aadsshcertmetiidwb\id_rsa -t rsa -q -N
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/IP_REDACTED/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/IP_REDACTED/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/IP_REDACTED/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/IP_REDACTED/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/IP_REDACTED/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/IP_REDACTED/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/IP_REDACTED/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? True
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: REDACTED
msal.broker: [MSAL:0001]        INFO    LogTelemetryData:332    Printing Telemetry for Correlation ID: ba296722-b559-485d-ac1d-e8e0ecd006b7
msal.broker: [MSAL:0001]        INFO    LogTelemetryData:340    Key: start_time, Value: 2023-08-29T15:40:11.000Z
msal.broker: [MSAL:0001]        INFO    LogTelemetryData:340    Key: api_name, Value: ReadAccountById
msal.broker: [MSAL:0001]        INFO    LogTelemetryData:340    Key: was_request_throttled, Value: false
msal.broker: [MSAL:0001]        INFO    LogTelemetryData:340    Key: request_duration, Value: 0
msal.broker: [MSAL:0001]        INFO    LogTelemetryData:340    Key: authority_type, Value: Unknown
msal.broker: [MSAL:0001]        INFO    LogTelemetryData:340    Key: msal_version, Value: 1.1.0+local
msal.broker: [MSAL:0001]        INFO    LogTelemetryData:340    Key: correlation_id, Value: ba296722-b559-485d-ac1d-e8e0ecd006b7
msal.broker: [MSAL:0001]        INFO    LogTelemetryData:340    Key: stop_time, Value: 2023-08-29T15:40:11.000Z
msal.broker: [MSAL:0001]        INFO    LogTelemetryData:340    Key: msalruntime_version, Value: 0.13.9
msal.broker: [MSAL:0001]        INFO    LogTelemetryData:340    Key: is_successful, Value: true
msal.broker: [MSAL:0002]        INFO    SetCorrelationId:220    Set correlation ID: ba296722-b559-485d-ac1d-e8e0ecd006b7
msal.broker: [MSAL:0002]        INFO    EnqueueBackgroundRequest:677    The original authority is 'https://login.microsoftonline.com/IP_REDACTED'
msal.broker: [MSAL:0002]        INFO    ModifyAndValidateAuthParameters:182     Additional query parameter added successfully. Key: '(pii)' Value: '(pii)'
msal.broker: [MSAL:0002]        INFO    ModifyAndValidateAuthParameters:182     Additional query parameter added successfully. Key: '(pii)' Value: '(pii)'
msal.broker: [MSAL:0002]        INFO    ModifyAndValidateAuthParameters:182     Additional query parameter added successfully. Key: '(pii)' Value: '(pii)'
msal.broker: [MSAL:0002]        INFO    ModifyAndValidateAuthParameters:199     Authority Realm: IP_REDACTED
msal.broker: [MSAL:0003]        INFO    LogTelemetryData:332    Printing Telemetry for Correlation ID: ba296722-b559-485d-ac1d-e8e0ecd006b7
msal.broker: [MSAL:0003]        INFO    LogTelemetryData:340    Key: start_time, Value: 2023-08-29T15:40:11.000Z
msal.broker: [MSAL:0003]        INFO    LogTelemetryData:340    Key: api_name, Value: AcquireTokenSilently
msal.broker: [MSAL:0003]        INFO    LogTelemetryData:340    Key: was_request_throttled, Value: false
msal.broker: [MSAL:0003]        INFO    LogTelemetryData:340    Key: request_duration, Value: 3
msal.broker: [MSAL:0003]        INFO    LogTelemetryData:340    Key: authority_type, Value: AAD
msal.broker: [MSAL:0003]        INFO    LogTelemetryData:340    Key: access_token_expiry_time, Value: 2023-08-29T15:54:44.000Z
msal.broker: [MSAL:0003]        INFO    LogTelemetryData:340    Key: read_token, Value: ID|AT|FRT
msal.broker: [MSAL:0003]        INFO    LogTelemetryData:340    Key: msal_version, Value: 1.1.0+local
msal.broker: [MSAL:0003]        INFO    LogTelemetryData:340    Key: client_id, Value: REDACTED
msal.broker: [MSAL:0003]        INFO    LogTelemetryData:340    Key: correlation_id, Value: ba296722-b559-485d-ac1d-e8e0ecd006b7
msal.broker: [MSAL:0003]        INFO    LogTelemetryData:340    Key: stop_time, Value: 2023-08-29T15:40:11.000Z
msal.broker: [MSAL:0003]        INFO    LogTelemetryData:340    Key: msalruntime_version, Value: 0.13.9
msal.broker: [MSAL:0003]        INFO    LogTelemetryData:340    Key: original_authority, Value: https://login.microsoftonline.com/IP_REDACTED
msal.broker: [MSAL:0003]        INFO    LogTelemetryData:340    Key: request_eligible_for_broker, Value: true
msal.broker: [MSAL:0003]        INFO    LogTelemetryData:340    Key: broker_app_used, Value: false
msal.broker: [MSAL:0003]        INFO    LogTelemetryData:340    Key: additional_query_parameters_count, Value: 3
msal.broker: [MSAL:0003]        INFO    LogTelemetryData:340    Key: auth_flow, Value: AT
msal.broker: [MSAL:0003]        INFO    LogTelemetryData:340    Key: is_successful, Value: true
msal.broker: [MSAL:0003]        INFO    LogTelemetryData:340    Key: authorization_type, Value: WindowsIntegratedAuth
msal.broker: [MSAL:0003]        INFO    LogTelemetryData:345    Printing Execution Flow:
msal.broker: [MSAL:0003]        INFO    LogTelemetryData:353    {"t":"8b2yn","tid":3,"ts":0,"l":2},{"t":"8dqkx","tid":3,"ts":1,"l":2},{"t":"8dqik","tid":3,"ts":1,"l":2},{"t":"8b2ht","tid":3,"ts":1,"l":2},{"t":"7e60d","tid":3,"ts":1,"l":2,"a":2,"ie":0},{"t":"7e60e","tid":3,"ts":1,"l":2,"a":2,"ie":1},{"t":"8dqin","tid":3,"ts":1,"l":2},{"t":"7e60f","tid":3,"ts":1,"l":2,"a":2,"ie":0},{"t":"7e60g","tid":3,"ts":2,"l":2,"a":2,"ie":1},{"t":"7e60h","tid":3,"ts":2,"l":2,"a":2,"ie":0},{"t":"7e60i","tid":3,"ts":3,"l":2,"a":2,"ie":1},{"t":"8dqit","tid":3,"ts":3,"l":2},{"t":"6xuag","tid":3,"ts":3,"l":2}
msal.token_cache: event={
    "_account_id": "70eb022a-50f6-411d-8920-abcdc79bac01",
    "client_id": "REDACTED",
    "data": {
        "key_id": "7ccbfc478e65e3d8958b363ab7ed0ecfe345b238fbaef48ae1a5a09685a87b9a",
        "req_cnf": REDACTED
        "token_type": "ssh-cert"
    },
    "response": {
        "_account_id": "70eb022a-50f6-411d-8920-abcdc79bac01",
        "_msalruntime_telemetry": {
            "access_token_expiry_time": "2023-08-29T15:54:44.000Z",
            "additional_query_parameters_count": "3",
            "api_name": "AcquireTokenSilently",
            "auth_flow": "AT",
            "authority_type": "AAD",
            "authorization_type": "WindowsIntegratedAuth",
            "broker_app_used": "false",
            "client_id": "REDACTED",
            "correlation_id": "ba296722-b559-485d-ac1d-e8e0ecd006b7",
            "is_successful": "true",
            "msal_version": "1.1.0+local",
            "msalruntime_version": "0.13.9",
            "original_authority": "https://login.microsoftonline.com/IP_REDACTED",
            "read_token": "ID|AT|FRT",
            "request_duration": "3",
            "request_eligible_for_broker": "true",
            "start_time": "2023-08-29T15:40:11.000Z",
            "stop_time": "2023-08-29T15:40:11.000Z",
            "was_request_throttled": "false"
        },
        "access_token": "********",
        "client_info": "REDACTED",
        "expires_in": 873,
        "id_token": "********",
        "id_token_claims": "********",
        "scope": "https://pas.windows.net/CheckMyAccess/Linux/user_impersonation https://pas.windows.net/CheckMyAccess/Linux/.default",
        "token_type": "ssh-cert"
    },
    "scope": [
        "https://pas.windows.net/CheckMyAccess/Linux/user_impersonation",
        "https://pas.windows.net/CheckMyAccess/Linux/.default"
    ],
    "token_endpoint": "https://login.microsoftonline.com/IP_REDACTED/oauth2/v2.0/token"
}
cli.azext_ssh.custom: Generating certificate C:\Users\REDACTED\AppData\Local\Temp\aadsshcertmetiidwb\id_rsa.pub-aadcert.pub
cli.azext_ssh.ssh_utils: Platform architecture: 32bit
cli.azext_ssh.ssh_utils: OS architecture: 64bit
cli.azext_ssh.ssh_utils: System Root: C:\WINDOWS
cli.azext_ssh.ssh_utils: Attempting to run ssh-keygen from path C:\WINDOWS\SysNative\openSSH\ssh-keygen.exe
cli.azext_ssh.ssh_utils: Running ssh-keygen command C:\WINDOWS\SysNative\openSSH\ssh-keygen.exe -L -f C:\Users\REDACTED\AppData\Local\Temp\aadsshcertmetiidwb\id_rsa.pub-aadcert.pub
cli.azext_ssh.ssh_utils: Platform architecture: 32bit
cli.azext_ssh.ssh_utils: OS architecture: 64bit
cli.azext_ssh.ssh_utils: System Root: C:\WINDOWS
cli.azext_ssh.ssh_utils: Attempting to run ssh from path C:\WINDOWS\SysNative\openSSH\ssh.exe
cli.azext_ssh.ssh_utils: Running ssh command C:\WINDOWS\SysNative\openSSH\ssh.exe IP_REDACTED -l REDACTED@REDACTED.com -i C:\Users\REDACTED\AppData\Local\Temp\aadsshcertmetiidwb\id_rsa -o CertificateFile="C:\Users\REDACTED\AppData\Local\Temp\aadsshcertmetiidwb\id_rsa.pub-aadcert.pub" -vvv
OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3
debug3: Failed to open file:C:/Users/REDACTED/.ssh/config error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_config error:2
debug2: resolve_canonicalize: hostname IP_REDACTED is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> 'C:\\Users\\REDACTED/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> 'C:\\Users\\REDACTED/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug3: ssh_connect_direct: entering
debug1: Connecting to IP_REDACTED [IP_REDACTED] port 22.
debug1: Connection established.
debug1: identity file C:\\Users\\REDACTED\\AppData\\Local\\Temp\\aadsshcertmetiidwb\\id_rsa type 0
debug1: certificate file C:\\Users\\REDACTED\\AppData\\Local\\Temp\\aadsshcertmetiidwb\\id_rsa.pub-aadcert.pub type 4
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.3
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.3 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to IP_REDACTED:22 as 'REDACTED@REDACTED.com'
debug3: record_hostkey: found key type ED25519 in file C:\\Users\\REDACTED/.ssh/known_hosts:10
debug3: load_hostkeys_file: loaded 1 keys from IP_REDACTED
debug3: Failed to open file:C:/Users/REDACTED/.ssh/known_hosts2 error:2
debug1: load_hostkeys: fopen C:\\Users\\REDACTED/.ssh/known_hosts2: No such file or directory
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts: No such file or directory
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:yKjAyCzYG4en7DTLFoM6WTLB5uD2SQIH5xKyxgZVovI
debug3: record_hostkey: found key type ED25519 in file C:\\Users\\REDACTED/.ssh/known_hosts:10
debug3: load_hostkeys_file: loaded 1 keys from IP_REDACTED
debug3: Failed to open file:C:/Users/REDACTED/.ssh/known_hosts2 error:2
debug1: load_hostkeys: fopen C:\\Users\\REDACTED/.ssh/known_hosts2: No such file or directory
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts: No such file or directory
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug1: load_hostkeys: fopen __PROGRAMDATA__\\ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'IP_REDACTED' is known and matches the ED25519 host key.
debug1: Found key in C:\\Users\\REDACTED/.ssh/known_hosts:10
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug3: unable to connect to pipe \\\\.\\pipe\\openssh-ssh-agent, error: 2
debug1: pubkey_prepare: ssh_get_authentication_socket: The socket is not connected
debug1: Will attempt key: C:\\Users\\REDACTED\\AppData\\Local\\Temp\\aadsshcertmetiidwb\\id_rsa.pub-aadcert.pub RSA-CERT SHA256:UmRf0jUjqZ54mzymzE6ycD5pcZ9RxqWJC7NmKUhpVJw explicit
debug1: Will attempt key: C:\\Users\\REDACTED\\AppData\\Local\\Temp\\aadsshcertmetiidwb\\id_rsa RSA SHA256:AylRujWq33jgUT4gERrhUT7FNVN2S2DJKXbT+oqTj8A explicit
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com (unrecognised)
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: C:\\Users\\REDACTED\\AppData\\Local\\Temp\\aadsshcertmetiidwb\\id_rsa.pub-aadcert.pub RSA-CERT SHA256:UmRf0jUjqZ54mzymzE6ycD5pcZ9RxqWJC7NmKUhpVJw explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: C:\\Users\\REDACTED\\AppData\\Local\\Temp\\aadsshcertmetiidwb\\id_rsa.pub-aadcert.pub RSA-CERT SHA256:UmRf0jUjqZ54mzymzE6ycD5pcZ9RxqWJC7NmKUhpVJw explicit
debug3: sign_and_send_pubkey: RSA-CERT SHA256:UmRf0jUjqZ54mzymzE6ycD5pcZ9RxqWJC7NmKUhpVJw
debug1: sign_and_send_pubkey: no separate private key for certificate "C:\\Users\\REDACTED\\AppData\\Local\\Temp\\aadsshcertmetiidwb\\id_rsa.pub-aadcert.pub"
debug3: sign_and_send_pubkey: signing using rsa-sha2-512-cert-v01@openssh.com SHA256:UmRf0jUjqZ54mzymzE6ycD5pcZ9RxqWJC7NmKUhpVJw
Bad permissions. Try removing permissions for user: BUILTIN\\Users (S-1-5-32-545) on file C:/Users/REDACTED/AppData/Local/Temp/aadsshcertmetiidwb/id_rsa.pub-aadcert.pub.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'C:\\Users\\REDACTED\\AppData\\Local\\Temp\\aadsshcertmetiidwb\\id_rsa.pub-aadcert.pub' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "C:\\Users\\REDACTED\\AppData\\Local\\Temp\\aadsshcertmetiidwb\\id_rsa.pub-aadcert.pub": bad permissions
debug1: Offering public key: C:\\Users\\REDACTED\\AppData\\Local\\Temp\\aadsshcertmetiidwb\\id_rsa RSA SHA256:AylRujWq33jgUT4gERrhUT7FNVN2S2DJKXbT+oqTj8A explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
REDACTED@REDACTED.com@IP_REDACTED: Permission denied (publickey).
cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x05071FA0>, <function _x509_from_base64_to_hex_transform at 0x05074028>]
cli.knack.cli: Event: CommandInvoker.OnFilterResult []
cli.knack.cli: Event: Cli.SuccessfulExecute []
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x0504C898>]
az_command_data_logger: exit code: 0
cli.__main__: Command ran in 4.077 seconds (init: 0.227, invoke: 3.850)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4750 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\Users\REDACTED\.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

Expected behavior

I should be able to log in with SSH and my AAD SSO.

Environment Summary

azure-cli                         2.51.0

core                              2.51.0
telemetry                          1.1.0

Extensions:
ssh                                2.0.1

Dependencies:
msal                            1.24.0b1
azure-mgmt-resource             23.1.0b2

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\lsilverman\.azure\cliextensions'

Python (Windows) 3.10.10 (tags/v3.10.10:aad5f6a, Feb  7 2023, 17:05:00) [MSC v.1929 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal


Your CLI is up-to-date.

Additional context

Nothing else
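Added here as a defender-side diagnostic, not code from the issue or from azure-cli: the first function lists the ACEs on a path that OpenSSH for Windows would refuse on a key or certificate file and shows whether each one is inherited from the parent directory (the temp folder az ssh creates is deleted at once, so the parent %TEMP% is what to inspect); the second creates a temp directory with inheritance cut so that only the current user and SYSTEM are granted access. The allow-list (file owner, current user, SYSTEM, Administrators) is an assumption that models the OpenSSH-for-Windows key-file check; BUILTIN\Users (S-1-5-32-545) is the trustee named in the report.

```powershell
# Assumption: OpenSSH for Windows accepts a key/certificate file only when every
# Allow ACE belongs to the file owner, the current user, SYSTEM or Administrators.
# Any other trustee (e.g. BUILTIN\Users, S-1-5-32-545) produces "Bad permissions".
function Get-OpenSshKeyFileProblem {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $allowed = @(
        $acl.Owner,
        $me.Translate([System.Security.Principal.NTAccount]).Value,
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators'
    )

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($allowed -contains $who) { continue }
        [pscustomobject]@{
            Path      = $Path
            Trustee   = $who
            Sid       = $ace.IdentityReference.Translate(
                            [System.Security.Principal.SecurityIdentifier]).Value
            Rights    = $ace.FileSystemRights
            # $true means the ACE was inherited from the parent folder, which is
            # how a freshly created temp directory ends up granting BUILTIN\Users.
            Inherited = $ace.IsInherited
        }
    }
}

# Creates a directory under %TEMP% (default) whose DACL does not inherit from the
# parent: only the current user and SYSTEM (S-1-5-18) get FullControl. Files created
# inside inherit these two ACEs and nothing else. Hypothetical helper, not azure-cli's.
function New-ProtectedTempDirectory {
    param([string]$Parent = $env:TEMP)

    $name = 'aadsshcert' + [guid]::NewGuid().ToString('N').Substring(0, 8)
    $dir  = New-Item -ItemType Directory -Path (Join-Path $Parent $name)

    $acl = Get-Acl -Path $dir.FullName
    # Stop inheriting and discard the inherited ACEs (second argument $false).
    $acl.SetAccessRuleProtection($true, $false)

    $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $system = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'
    foreach ($id in @($me, $system)) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $dir.FullName -AclObject $acl
    $dir
}

# Report offending ACEs on the directory the az ssh temp folder inherits from.
Get-OpenSshKeyFileProblem -Path $env:TEMP | Format-Table -AutoSize

# Show that a protected directory yields no findings.
$protected = New-ProtectedTempDirectory
Get-OpenSshKeyFileProblem -Path $protected.FullName
Remove-Item -Recurse -Force $protected.FullName
```

Run it as the same user that invokes az ssh vm; an Inherited = True row for BUILTIN\Users on %TEMP% is the source of the ACE that OpenSSH rejects on the generated certificate file.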
