Skip to content

az ssh vm --subscription flag doesn't work for subscriptions in different tenants. #30119

Description

@ie-rherrero

Describe the bug

When using the --subscription flag with az ssh vm, I can't access a VM that lives inside a subscription of a different tenant than the tenant of the active subscription.

Related command

az ssh vm

Errors

XXX@YYY: Permission denied (publickey).

Issue script & Debug output

az ssh vm --subscription <TARGET SUBSCRIPTION ID> --ip <TARGET VM IP> --debug

In the debug log we can see that some request is made to the tenant of the active subscription.

DEBUG: cli.knack.cli: Command arguments: ['ssh', 'vm', '--subscription', '<TARGET SUBSCRIPTION ID>', '--ip', '<TARGET VM IP>', '--debug']
DEBUG: cli.knack.cli: __init__ debug log:
Cannot enable color.
DEBUG: cli.knack.cli: Event: Cli.PreExecute []
DEBUG: cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x710a9c19e660>, <function OutputProducer.on_global_arguments at 0x710a9bf11b20>, <function CLIQuery.on_global_arguments at 0x710a9bf47600>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
DEBUG: cli.azure.cli.core: Modules found from index for 'ssh': ['azext_ssh']
DEBUG: cli.azure.cli.core: Loading command modules:
DEBUG: cli.azure.cli.core: Name                  Load Time    Groups  Commands
DEBUG: cli.azure.cli.core: Total (0)                 0.000         0         0
DEBUG: cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
DEBUG: cli.azure.cli.core: Loading extensions:
DEBUG: cli.azure.cli.core: Name                  Load Time    Groups  Commands  Directory
DEBUG: cli.azure.cli.core: ssh                       0.179         1         4  /home/<user>/.azure/cliextensions/ssh
DEBUG: cli.azure.cli.core: Total (1)                 0.179         1         4  
DEBUG: cli.azure.cli.core: Loaded 1 groups, 4 commands.
DEBUG: cli.azure.cli.core: Found a match in the command table.
DEBUG: cli.azure.cli.core: Raw command  : ssh vm
DEBUG: cli.azure.cli.core: Command table: ssh vm
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x710a9b1dde40>]
DEBUG: cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/<user>/.azure/commands/2024-10-17.16-05-45.ssh_vm.44094.log'.
INFO: az_command_data_logger: command args: ssh vm --subscription {} --ip {} --debug
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x710a9b2145e0>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x710a9b036520>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x710a9b036660>, <function register_upcoming_breaking_change_info.<locals>.update_breaking_change_info at 0x710a9b036700>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x710a9bf11bc0>, <function CLIQuery.handle_query_parameter at 0x710a9bf476a0>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x710a9b0365c0>]
INFO: az_command_data_logger: extension name: ssh
INFO: az_command_data_logger: extension version: 2.0.5
DEBUG: cli.azure.cli.core.commands.client_factory: Getting management service client client_type=ComputeManagementClient
DEBUG: cli.azure.cli.core.auth.persistence: build_persistence: location='/home/<user>/.azure/msal_token_cache.json', encrypt=False
DEBUG: cli.azure.cli.core.auth.binary_cache: load: /home/<user>/.azure/msal_http_cache.bin
DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
DEBUG: msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/<TARGET TENANT ID>
DEBUG: msal.authority: openid_config("https://login.microsoftonline.com/<TARGET TENANT ID>/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/<TARGET TENANT ID>/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/<TARGET TENANT ID>/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/<TARGET TENANT ID>/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/<TARGET TENANT ID>/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/<TARGET TENANT ID>/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/<TARGET TENANT ID>/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/<TARGET TENANT ID>/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
DEBUG: msal.application: Broker enabled? None
DEBUG: cli.azext_ssh.ssh_utils: Running ssh-keygen command ssh-keygen -f /tmp/aadsshcertbf_lqcdb/id_rsa -t rsa -q -N 
DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
DEBUG: msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/<ACTIVE TENANT ID>
DEBUG: msal.authority: openid_config("https://login.microsoftonline.com/<ACTIVE TENANT ID>/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/<ACTIVE TENANT ID>/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/<ACTIVE TENANT ID>/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/<ACTIVE TENANT ID>/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/<ACTIVE TENANT ID>/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/<ACTIVE TENANT ID>/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/<ACTIVE TENANT ID>/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/<ACTIVE TENANT ID>/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
DEBUG: msal.application: Broker enabled? None
DEBUG: cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://pas.windows.net/CheckMyAccess/Linux/.default',), kwargs={'data': {'token_type': 'ssh-cert', 'req_cnf': '{"kty": "RSA", "n": "*****", "e": "AQAB", "kid": "*****"}', 'key_id': '*****'}}
DEBUG: cli.azure.cli.core.auth.msal_credentials: UserCredential.get_token: scopes=('https://pas.windows.net/CheckMyAccess/Linux/.default',), claims=None, kwargs={'data': {'token_type': 'ssh-cert', 'req_cnf': '{"kty": "RSA", "n": "*****", "e": "AQAB", "kid": "*****"}', 'key_id': '*****'}}
DEBUG: msal.application: Found 1 RTs matching {'environment': 'login.microsoftonline.com', 'home_account_id': '********.e0cb408c-c0f8-4164-819b-6bbca860207b', 'family_id': '1'}
DEBUG: msal.telemetry: Generate or reuse correlation_id: 60e11f6f-4514-46c4-900c-59218814cc05
DEBUG: msal.application: Cache attempts an RT
DEBUG: urllib3.connectionpool: Starting new HTTPS connection (1): login.microsoftonline.com:443
DEBUG: urllib3.connectionpool: https://login.microsoftonline.com:443 "POST /<ACTIVE TENANT ID>/oauth2/v2.0/token HTTP/1.1" 200 5257
DEBUG: msal.token_cache: event={
    "client_id": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
    "data": {
        "claims": "{\"access_token\": {\"xms_cc\": {\"values\": [\"CP1\"]}}}",
        "key_id": "*****",
        "refresh_token": "********",
        "req_cnf": "{\"kty\": \"RSA\", \"n\": \"*****\", \"e\": \"AQAB\", \"kid\": \"*****\"}",
        "scope": [
            "profile",
            "https://pas.windows.net/CheckMyAccess/Linux/.default",
            "openid",
            "offline_access"
        ],
        "token_type": "ssh-cert"
    },
    "environment": "login.microsoftonline.com",
    "grant_type": "refresh_token",
    "params": null,
    "response": {
        "access_token": "********",
        "client_info": "*****",
        "expires_in": 3599,
        "ext_expires_in": 3599,
        "foci": "1",
        "id_token": "********",
        "scope": "https://pas.windows.net/CheckMyAccess/Linux/user_impersonation https://pas.windows.net/CheckMyAccess/Linux/.default",
        "token_type": "ssh-cert"
    },
    "scope": [
        "https://pas.windows.net/CheckMyAccess/Linux/user_impersonation",
        "https://pas.windows.net/CheckMyAccess/Linux/.default"
    ],
    "skip_account_creation": true,
    "token_endpoint": "https://login.microsoftonline.com/<ACTIVE TENANT ID>/oauth2/v2.0/token"
}
DEBUG: cli.azext_ssh.custom: Generating certificate /tmp/aadsshcertbf_lqcdb/id_rsa.pub-aadcert.pub
DEBUG: cli.azext_ssh.ssh_utils: Running ssh-keygen command ssh-keygen -L -f /tmp/aadsshcertbf_lqcdb/id_rsa.pub-aadcert.pub
DEBUG: cli.azext_ssh.ssh_utils: Running ssh command ssh <TARGET VM IP> -l <username> -i /tmp/aadsshcertbf_lqcdb/id_rsa -o CertificateFile="/tmp/aadsshcertbf_lqcdb/id_rsa.pub-aadcert.pub" -vvv
OpenSSH_8.9p1 Ubuntu-3ubuntu0.10, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /home/<user>/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/<user>/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/<user>/.ssh/known_hosts2'
debug2: resolving "<TARGET VM IP>" port 22
debug3: resolve_host: lookup <TARGET VM IP>:22
debug3: ssh_connect_direct: entering
debug1: Connecting to <TARGET VM IP> [20.73.103.32] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: Connection established.
debug1: identity file /tmp/aadsshcertbf_lqcdb/id_rsa type 0
debug1: certificate file /tmp/aadsshcertbf_lqcdb/id_rsa.pub-aadcert.pub type 4
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.10
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.10 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to <TARGET VM IP>:22 as '<username>'
debug3: record_hostkey: found key type ED25519 in file /home/<user>/.ssh/known_hosts:4
debug3: record_hostkey: found key type RSA in file /home/<user>/.ssh/known_hosts:5
debug3: record_hostkey: found key type ECDSA in file /home/<user>/.ssh/known_hosts:6
debug3: load_hostkeys_file: loaded 3 keys from <TARGET VM IP>
debug1: load_hostkeys: fopen /home/<user>/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,kex-strict-s-v00@openssh.com
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug3: kex_choose_conf: will use strict KEX ordering
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:BqmrW23nPe3FKGKuT8crKt7r1vy/gkcvXpVxmf6wXHo
debug3: record_hostkey: found key type ED25519 in file /home/<user>/.ssh/known_hosts:4
debug3: record_hostkey: found key type RSA in file /home/<user>/.ssh/known_hosts:5
debug3: record_hostkey: found key type ECDSA in file /home/<user>/.ssh/known_hosts:6
debug3: load_hostkeys_file: loaded 3 keys from <TARGET VM IP>
debug1: load_hostkeys: fopen /home/<user>/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '<TARGET VM IP>' is known and matches the ED25519 host key.
debug1: Found key in /home/<user>/.ssh/known_hosts:4
debug3: send packet: type 21
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 2 keys
debug1: Will attempt key: /tmp/aadsshcertbf_lqcdb/id_rsa.pub-aadcert.pub RSA-CERT SHA256:3AFdxeW/Z2RY8RCXOgZBp+Sn2voBePfXWxR2eO64Wpo explicit
debug1: Will attempt key: /home/<user>/.ssh/id_rsa RSA SHA256:ZSnrcCoZ7UM1vt3mA0QGtXLiZR+wsh/G2xjYmfD2hVY agent
debug1: Will attempt key: keys/jenkins RSA SHA256:epUyuPLLZQwl2RiCDLxQDgDV20LvDxO0aB522rOAJlQ agent
debug1: Will attempt key: /tmp/aadsshcertbf_lqcdb/id_rsa RSA SHA256:3AFdxeW/Z2RY8RCXOgZBp+Sn2voBePfXWxR2eO64Wpo explicit
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /tmp/aadsshcertbf_lqcdb/id_rsa.pub-aadcert.pub RSA-CERT SHA256:3AFdxeW/Z2RY8RCXOgZBp+Sn2voBePfXWxR2eO64Wpo explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/<user>/.ssh/id_rsa RSA SHA256:ZSnrcCoZ7UM1vt3mA0QGtXLiZR+wsh/G2xjYmfD2hVY agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Offering public key: keys/jenkins RSA SHA256:epUyuPLLZQwl2RiCDLxQDgDV20LvDxO0aB522rOAJlQ agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Offering public key: /tmp/aadsshcertbf_lqcdb/id_rsa RSA SHA256:3AFdxeW/Z2RY8RCXOgZBp+Sn2voBePfXWxR2eO64Wpo explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
<username>@<TARGET VM IP>: Permission denied (publickey).
DEBUG: cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x710a9b2174c0>, <function _x509_from_base64_to_hex_transform at 0x710a9b217560>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnFilterResult []
DEBUG: cli.knack.cli: Event: Cli.SuccessfulExecute []
DEBUG: cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x710a9b1de0c0>]
INFO: az_command_data_logger: exit code: 0
INFO: cli.__main__: Command ran in 2.465 seconds (init: 0.147, invoke: 2.317)
INFO: telemetry.main: Begin splitting cli events and extra events, total events: 1
INFO: telemetry.client: Accumulated 0 events. Flush the clients.
INFO: telemetry.main: Finish splitting cli events and extra events, cli events: 1
INFO: telemetry.save: Save telemetry record of length 4276 in cache file under /home/<user>/.azure/telemetry/20241017160547931
INFO: telemetry.main: Begin creating telemetry upload process.
INFO: telemetry.process: Creating upload process: "/opt/az/bin/python3 /opt/az/lib/python3.11/site-packages/azure/cli/telemetry/__init__.py /home/<user>/.azure /home/<user>/.azure/telemetry/20241017160547931"
INFO: telemetry.process: Return from creating process 44103
INFO: telemetry.main: Finish creating telemetry upload process.

Expected behavior

If this works:

az account set -s XXX
az ssh vm --ip 1.2.3.4

then

az ssh vm --subscription XXX --ip 1.2.3.4

should also work.

Environment Summary

azure-cli                         2.65.0

core                              2.65.0
telemetry                          1.1.0

Extensions:
account                            0.2.5
ssh                                2.0.5

Dependencies:
msal                              1.31.0
azure-mgmt-resource               23.1.1

Python location '/opt/az/bin/python3'
Extensions directory '/home/rherrero/.azure/cliextensions'

Python (Linux) 3.11.8 (main, Sep 25 2024, 11:33:44) [GCC 11.4.0]

Legal docs and information: aka.ms/AzureCliLegal


Your CLI is up-to-date.

Additional context

No response

Metadata

Metadata

Assignees

Labels

ARMaz resource/group/lock/tag/deployment/policy/managementapp/account management-groupAuto-AssignAuto assign by botSSHService AttentionThis issue is responsible by Azure service team.VM SSHact-identity-squadact-observability-squadcustomer-reportedIssues that are reported by GitHub users external to the Azure organization.questionThe issue doesn't require a change to the product in order to be resolved. Most issues start as that

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions