[SSH] SSHArc Public Preview

linter_exclusions.yml

@@ -2265,6 +2265,11 @@ ssh vm:
     ssh_args:
       rule_exclusions:
         - no_positional_parameters
+ssh arc:
+  parameters:
+    ssh_args:
+      rule_exclusions:
+        - no_positional_parameters
 storage account create:
   parameters:
     hierarchical_namespace:

src/ssh/HISTORY.md

@@ -1,5 +1,15 @@
 Release History
 ===============
+1.1.0
+-----
+* SSHArc Public Preview
+* Add support for connecting to Arc Servers using AAD Certificates or Local User credentials.
+* New command az ssh arc.
+* New parameters: --resource-type and --ssh-proxy-folder.
+* Validate that target machine exists before attempting to connect.
+* Stop looking for OpenSSH client executables under C:\Windows\System32\OpenSSH on Windows. Path variable must be set properly for pre-installed OpenSSH.
+* Append username to host name on config files when using local user credentials.
+
 1.0.1
 -----
 * Added --ssh-client-folder parameter.
@@ -68,4 +78,4 @@ Release History
 
 0.1.0
 -----
-* Initial release.
+* Initial release.

src/ssh/azext_ssh/_client_factory.py

@@ -0,0 +1,31 @@
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+#
+# Code generated by Microsoft (R) AutoRest Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is
+# regenerated.
+# --------------------------------------------------------------------------
+
+from azure.cli.core.commands.client_factory import get_mgmt_service_client
+
+
+def cf_hybridconnectivity_cl(cli_ctx, *_):
+    from azext_ssh.vendored_sdks.hybridconnectivity import HybridConnectivityManagementAPI
+    return get_mgmt_service_client(cli_ctx,
+                                   HybridConnectivityManagementAPI)
+
+
+def cf_endpoint(cli_ctx, *_):
+    return cf_hybridconnectivity_cl(cli_ctx).endpoints
+
+
+def cf_connectedmachine_cl(cli_ctx, *_):
+    from azext_ssh.vendored_sdks.connectedmachine import ConnectedMachine
+    return get_mgmt_service_client(cli_ctx,
+                                   ConnectedMachine)
+
+
+def cf_machine(cli_ctx, *_):
+    return cf_connectedmachine_cl(cli_ctx).machines

src/ssh/azext_ssh/_help.py

@@ -7,19 +7,19 @@
 
 helps['ssh'] = """
     type: group
-    short-summary: SSH into resources (Azure VMs, etc) using AAD issued openssh certificates
+    short-summary: SSH into resources (Azure VMs, Arc servers, etc) using AAD issued openssh certificates.
 """
 
 helps['ssh vm'] = """
     type: command
-    short-summary: SSH into Azure VMs using an ssh certificate
-    long-summary: Users can login using AAD issued certificates or using local user credentials. We recommend login using AAD issued certificates. To SSH as a local user in the target machine, you must provide the local user name using the --local-user argument.
+    short-summary: SSH into Azure VMs or Arc Servers.
+    long-summary: Users can login using AAD issued certificates or using local user credentials. We recommend login using AAD issued certificates. To SSH using local user credentials, you must provide the local user name using the --local-user parameter.
     examples:
-        - name: Give a resource group and VM to SSH to
+        - name: Give a resource group name and machine name to SSH using AAD issued certificates
           text: |
-            az ssh vm --resource-group myResourceGroup --vm-name myVm
+            az ssh vm --resource-group myResourceGroup --name myVM
 
-        - name: Give the public IP (or hostname) of a VM to SSH to
+        - name: Give the public IP (or hostname) of a VM to SSH using AAD issued certificates
           text: |
             az ssh vm --ip 1.2.3.4
             az ssh vm --hostname example.com
@@ -32,33 +32,51 @@
           text: |
             az ssh vm --ip 1.2.3.4 -- -A -o ForwardX11=yes
 
-        - name: Give a local user name to SSH using local user credentials on the target machine using certificate based authentication.
+        - name: Give the Resource Type of the target. Useful when there is an Azure VM and an Arc Server with the same name in the same resource group. Resource type can be either "Microsoft.HybridCompute" for Arc Servers or "Microsoft.Compute" for Azure Virtual Machines.
           text: |
-            az ssh vm --local-user username --ip 1.2.3.4 --certificate-file cert.pub --private-key key
+            az ssh vm --resource-type [Microsoft.Compute|Microsoft.HybridCompute] --resource-group myResourceGroup --name myVM
 
-        - name: Give a local user name to SSH using local user credentials on the target machine using key based authentication.
+        - name: Give a local user name to SSH with local user credentials using certificate based authentication.
           text: |
-            az ssh vm --local-user username --resource-group myResourceGroup --vm-name myVM --private-key-file key
+            az ssh vm --local-user username --ip 1.2.3.4 --certificate-file cert.pub --private-key-file key
 
-        - name: Give a local user name to SSH using local user credentials on the target machine using password based authentication.
+        - name: Give a local user name to SSH with local user credentials using key based authentication.
           text: |
-            az ssh vm --local-user username --ip 1.2.3.4
+            az ssh vm --local-user username --resource-group myResourceGroup --name myVM --private-key-file key
+
+        - name: Give a local user name to SSH with local user credentials using password based authentication.
+          text: |
+            az ssh vm --local-user username --resource-group myResourceGroup --name myArcServer
+
+        - name: Give a SSH Client Folder to use the ssh executables in that folder, like ssh-keygen.exe and ssh.exe. If not provided, the extension attempt to use pre-installed OpenSSH client (in that case, ensure OpenSSH client is installed and the Path environment variable is set correctly).
+          text: |
+            az ssh vm --resource-group myResourceGroup --name myVM --ssh-client-folder "C:\\Program Files\\OpenSSH"
 """
 
 helps['ssh config'] = """
     type: command
-    short-summary: Create an SSH config for resources (Azure VMs, etc) which can then be used by clients that support OpenSSH configs and certificates
-    long-summary: Other software (git/rsync/etc) that support setting an SSH command can be set to use the config file by setting the command to 'ssh -F /path/to/config' e.g. rsync -e 'ssh -F /path/to/config'
+    short-summary: Create an SSH config for resources (Azure VMs, Arc Servers, etc) which can then be used by clients that support OpenSSH configs and certificates
+    long-summary: Other software (git/rsync/etc) that support setting an SSH command can be set to use the config file by setting the command to 'ssh -F /path/to/config' e.g. rsync -e 'ssh -F /path/to/config'.  Users can create ssh config files that use AAD issued certificates or local user credentials.
     examples:
-        - name: Give a resource group and VM for which to create a config, and save in a local file
+        - name: Give the resource group and machine name for which to create a config using AAD issued certificates, save in a local file, and then ssh into that resource
           text: |
-            az ssh config --resource-group myResourceGroup --vm-name myVm --file ./sshconfig
+            az ssh config --resource-group myResourceGroup --name myVm --file ./sshconfig
+            ssh -F ./sshconfig myResourceGroup-myVM
 
-        - name: Give the public IP (or hostname) of a VM for which to create a config and then ssh
+        - name: Give the public IP (or hostname) of an Azure VM for which to create a config and then ssh into that VM
           text: |
             az ssh config --ip 1.2.3.4 --file ./sshconfig
             ssh -F ./sshconfig 1.2.3.4
 
+        - name: Give a local user to create a config using local user credentials, save in local file, and then ssh into that resource
+          text: |
+            az ssh config --resource-group myResourceGroup --name myMachine --local-user username --certificate-file cert --private-key-file key --file ./sshconfig
+            ssh -F ./sshconfig MyResourceGroup-myMachine-username
+
+        - name: Give Keys Destination Folder to store the generated keys and certificates. If not provided, SSH keys are stored in new folder "az_ssh_config" next to the config file.
+          text: |
+            az ssh config --ip 1.2.3.4 --file ./sshconfig --keys-destination-folder /home/user/mykeys
+
         - name: Create a generic config for use with any host
           text: |
             #Bash
@@ -72,6 +90,14 @@
             az ssh config --ip \\* --file ./sshconfig
             rsync -e 'ssh -F ./sshconfig' -avP directory/ myvm:~/directory
             GIT_SSH_COMMAND="ssh -F ./sshconfig" git clone myvm:~/gitrepo
+
+        - name: Give SSH Client Folder to use the ssh executables in that folder. If not provided, the extension attempt to use pre-installed OpenSSH client (in that case, ensure OpenSSH client is installed and the Path environment variable is set correctly).
+          text: |
+            az ssh config --file ./sshconfig --resource-group myResourceGroup --name myMachine --ssh-client-folder "C:\\Program Files\\OpenSSH"
+
+        - name: Give the Resource Type of the target. Useful when there is an Azure VM and an Arc Server with the same name in the same resource group. Resource type can be either "Microsoft.HybridCompute" for Arc Servers or "Microsoft.Compute" for Azure Virtual Machines.
+          text: |
+            az ssh config --resource-type [Microsoft.Compute|Microsoft.HybridCompute] --resource-group myResourceGroup --name myVM --file ./myconfig
 """
 
 helps['ssh cert'] = """
@@ -82,3 +108,37 @@
           text: |
             az ssh cert --public-key-file ./id_rsa.pub --file ./id_rsa-aadcert.pub
 """
+
+helps['ssh arc'] = """
+    type: command
+    short-summary: SSH into Azure Arc Servers
+    long-summary: Users can login using AAD issued certificates or using local user credentials. We recommend login using AAD issued certificates as azure automatically rotate SSH CA keys. To SSH as a local user in the target machine, you must provide the local user name using the --local-user argument.
+    examples:
+        - name: Give a resource group name and machine name to SSH using AAD issued certificates
+          text: |
+            az ssh arc --resource-group myResourceGroup --name myMachine
+
+        - name: Using a custom private key file
+          text: |
+            az ssh arc --resource-group myResourceGroup --name myMachine --private-key-file key --public-key-file key.pub
+
+        - name: Using additional ssh arguments
+          text: |
+            az ssh arc --resource-group myResourceGroup --name myMachine -- -A -o ForwardX11=yes
+
+        - name: Give a local user name to SSH with local user credentials using certificate based authentication.
+          text: |
+            az ssh arc --local-user username --resource-group myResourceGroup --name myMachine --certificate-file cert.pub --private-key-file key
+
+        - name: Give a local user name to SSH with local user credentials using key based authentication.
+          text: |
+            az ssh arc --local-user username --resource-group myResourceGroup --name myMachine --private-key-file key
+
+        - name: Give a local user name to SSH with local user credentials using password based authentication.
+          text: |
+            az ssh arc --local-user username --resource-group myResourceGroup --name myMachine
+
+        - name: Give a SSH Client Folder to use the ssh executables in that folder, like ssh-keygen.exe and ssh.exe. If not provided, the extension attempt to use pre-installed OpenSSH client (ensure OpenSSH client is installed and the Path environment variable is set correctly).
+          text: |
+            az ssh arc --resource-group myResourceGroup --name myMachine --ssh-client-folder "C:\\Program Files\\OpenSSH"
+"""

src/ssh/azext_ssh/_params.py

@@ -19,9 +19,19 @@ def load_arguments(self, _):
         c.argument('cert_file', options_list=['--certificate-file', '-c'],
                    help='Path to a certificate file used for authentication when using local user credentials.')
         c.argument('port', options_list=['--port'], help='SSH port')
+        c.argument('resource_type', options_list=['--resource-type'],
+                   help='Resource type should be either Microsoft.Compute or Microsoft.HybridCompute',
+                   completer=["Microsoft.HybridCompute", "Microsoft.Compute"])
         c.argument('ssh_client_folder', options_list=['--ssh-client-folder'],
                    help='Folder path that contains ssh executables (ssh.exe, ssh-keygen.exe, etc). '
                    'Default to ssh pre-installed if not provided.')
+        c.argument('delete_credentials', options_list=['--force-delete-credentials', '--delete-private-key'],
+                   help=('This is an internal argument. This argument is used by Azure Portal to provide a one click '
+                         'SSH login experience in Cloud shell.'),
+                   deprecate_info=c.deprecate(hide=True), action='store_true')
+        c.argument('ssh_proxy_folder', options_list=['--ssh-proxy-folder'],
+                   help=('Path to the folder where the ssh proxy should be saved. '
+                         'Default to .clientsshproxy folder in user\'s home directory if not provided.'))
         c.positional('ssh_args', nargs='*', help='Additional arguments passed to OpenSSH')
 
     with self.argument_context('ssh config') as c:
@@ -38,8 +48,13 @@ def load_arguments(self, _):
                    help='Overwrites the config file if this flag is set')
         c.argument('credentials_folder', options_list=['--keys-destination-folder', '--keys-dest-folder'],
                    help='Folder where new generated keys will be stored.')
+        c.argument('port', options_list=['--port'], help='SSH Port')
+        c.argument('resource_type', options_list=['--resource-type'],
+                   help='Resource type should be either Microsoft.Compute or Microsoft.HybridCompute')
         c.argument('cert_file', options_list=['--certificate-file', '-c'], help='Path to certificate file')
-        c.argument('port', options_list=['--port'], help='SSH port')
+        c.argument('ssh_proxy_folder', options_list=['--ssh-proxy-folder'],
+                   help=('Path to the folder where the ssh proxy should be saved. '
+                         'Default to .clientsshproxy folder in user\'s home directory if not provided.'))
         c.argument('ssh_client_folder', options_list=['--ssh-client-folder'],
                    help='Folder path that contains ssh executables (ssh.exe, ssh-keygen.exe, etc). '
                    'Default to ssh pre-installed if not provided.')
@@ -53,3 +68,23 @@ def load_arguments(self, _):
         c.argument('ssh_client_folder', options_list=['--ssh-client-folder'],
                    help='Folder path that contains ssh executables (ssh.exe, ssh-keygen.exe, etc). '
                    'Default to ssh pre-installed if not provided.')
+
+    with self.argument_context('ssh arc') as c:
+        c.argument('vm_name', options_list=['--vm-name', '--name', '-n'], help='The name of the Arc Server')
+        c.argument('public_key_file', options_list=['--public-key-file', '-p'], help='The RSA public key file path')
+        c.argument('private_key_file', options_list=['--private-key-file', '-i'], help='The RSA private key file path')
+        c.argument('local_user', options_list=['--local-user'],
+                   help='The username for a local user')
+        c.argument('cert_file', options_list=['--certificate-file', '-c'], help='Path to certificate file')
+        c.argument('port', options_list=['--port'], help='Port to connect to on the remote host.')
+        c.argument('ssh_client_folder', options_list=['--ssh-client-folder'],
+                   help='Folder path that contains ssh executables (ssh.exe, ssh-keygen.exe, etc). '
+                   'Default to ssh pre-installed if not provided.')
+        c.argument('delete_credentials', options_list=['--force-delete-credentials', '--delete-private-key'],
+                   help=('This is an internal argument. This argument is used by Azure Portal to provide a one click '
+                         'SSH login experience in Cloud shell.'),
+                   deprecate_info=c.deprecate(hide=True), action='store_true')
+        c.argument('ssh_proxy_folder', options_list=['--ssh-proxy-folder'],
+                   help=('Path to the folder where the ssh proxy should be saved. '
+                         'Default to .clientsshproxy folder in user\'s home directory if not provided.'))
+        c.positional('ssh_args', nargs='*', help='Additional arguments passed to OpenSSH')

src/ssh/azext_ssh/commands.py

@@ -10,3 +10,4 @@ def load_command_table(self, _):
         g.custom_command('vm', 'ssh_vm')
         g.custom_command('config', 'ssh_config')
         g.custom_command('cert', 'ssh_cert')
+        g.custom_command('arc', 'ssh_arc')