Cloud Zone is brought to you in partnership with:

Technical Architect, experienced in leading tech professionals, Technical Evangelist, Technology Strategist and Technology Consultant at Microsoft Hanu is a DZone MVB and is not an employee of DZone and has posted 7 posts at DZone. You can read more from them at their website. View Full User Profile

Generating SSH key pair for Linux VM deployment on Windows Azure

02.05.2013
| 10952 views |
  • submit to reddit

Linux deployment on Windows Azure requires PEM or DER encoded x509 public key at the provisioning time to enable authenticated remote login through SSH. This  post is complimentary to http://www.windowsazure.com/en-us/manage/linux/how-to-guides/ssh-into-linux/ and encapsulates key generation into a simple shell script on both Linux and Windows.

In this write up, we will generate a self-signed public/private kley pair for the purpose of testing using openssl to be used during the provisioning of Linux VM. The generated private key can be used to connect to Linux using ssh command from within Linux or use Putty.exe as SSH client in either Linux or Windows.

In this write up, “Linux” and “Ubuntu” are used interchangeably; Ubuntu 11.10 was used to test this process. Here are the detailed steps for generating Windows Azure compatible SSH key pair on Ubuntu and Windows:

Linux (Ubuntu)

On a local Linux machine, install openssl if not already present using the following command:
apt-get install openssl 

The above command should bring openssl to the latest version. The key generation process described here has been tested with OpenSSL 1.0.1c.

Verify the installed version by executing the shell command:
openssl version –v
The following is the bash script for key pair generation; let us save this into a file named gensshkey.sh:
gensshkey.sh:

#!/bin/bash
REQUIRED_ARGS=1
E_NOT_ENOUGH_ARGS=65

#first argument will be used as the key prefix
#second argument is optional and if given will be used as a pass #phrase for DES3 protection of the private key
case $# in
  1)
  openssl req -x509  -days 365 -newkey rsa:2048 -keyout $1sshpvt.pem -out $1pub.pem -nodes
  openssl rsa -in $1sshpvt.pem -out $1pvt.pem
  ;;
  2)
  openssl req -x509  -days 365 -newkey rsa:2048 -keyout $1sshpvt.pem -out $1pub.pem -passout pass:$2
  openssl rsa -in $1sshpvt.pem -passin pass:$2 -out $1pvt.pem -des3 -passout pass:$2
  ;;
 
  *)
  echo "Usage for unprotected private key: gensshkey.sh <key_prefix>"
  echo "Example: gensshkey.sh \"db\""
  echo "Usage for password protected private key: gensshkey.sh <key_prefix> <pass phrase>"
  echo "Example: gensshkey.sh db pass@word1"
  exit $E_NOT_ENOUGH_ARGS
  ;;
esac
echo "generated $1sshpvt.pem, $1pub.pem and $1pvt.pem"
gensshkey.sh takes two command line arguments: key prefix and password as shown below:
gensshkey.sh db pass@word1 

Execution of the openssl command through the above script will prompt for geo and personal information for which defaults can be accepted. The values you supply will not impact the integrity of the keys in anyway. This will generate dbsshkey.pem, dbpvt.pem and dbpub.pem with the private key DES3 encrypted with pass phrase “pass@word1”.

gensshkey.sh can also be used to generate a clear text private key (not recommended for real production use) by leaving out the pass phrase as shown below:

gensshkey.sh db 

dbsshkey.pem generated above can be used with ssh command from within the local Linux box. But first, we need to restrict the permissions to this key file; otherwise ssh will complain that the key is too open. Following is the command sequence:

chmod 600 dhsshkey.pem
ssh -i dbsshkey.pem -p <ssh_port> <machine_name.cloudapp.net

If you prefer putty.exe as a SSH client, use dbpvt.pem to convert it into .PPK format (from the “Conversions –> Import Key –> Save Private Key menu sequence in the tool bar) using puttygen.exe and use the .ppk file with putty.exe to authenticate the client. Usage of puttygen.exe is documented here: http://www.windowsazure.com/en-us/manag e/linux/how-to-guides/ssh-into-linux/.

Linux VM provisioning process is documented at: http://www.windowsazure.com/en-us/manage/linux/tutorials/virtual-machine-from-gallery/. During the step 4 of the provisioning process shown at the above page, check “SECURE USING SSH KEY” and provide the public key file (eg. dbpub.pem generated above) so that the provisioning engine can inject public key into the .ssh/authorized_keys folder.

Windows Server 2008 R2/Windows 7

If you are planning to use generate SSH keys on a Windows client (this was tested on Windows Server 2008 R2; it should work on Windows 7 as well) and use putty.exe on Windows to SSH into an Azure hosted Linux box, here is a simple shell script to help with the keys.

Windows binaries of the openssl can be obtained from http://www.openssl.org/related/binaries.html. The following batch file simplifies the usage of openssl which we will save it as gensshkey_win.cmd.


gensshkey_win.cmd:

@echo off
if "%1" == "" goto error
if "%2" == "" goto nodes
openssl req -x509 -config C:\OpenSSL-Win64\bin\openssl.cfg -days 365 -newkey rsa:2048 -keyout %1sshkey.pem -out %1pub.pem -passout pass:%2
openssl rsa -in %1sshkey.pem -passin pass:%2 -out %1pvt.pem -des3 -passout pass:%2
echo "generated" %1sshkey.pem, %1pub.pem and %1pvt.pem
goto eof

:nodes
openssl req -x509 -config C:\OpenSSL-Win64\bin\openssl.cfg -days 365 -newkey rsa:2048 -keyout %1sshkey.pem -out %1pub.pem -nodes
openssl rsa -in %1sshkey.pem -out %1pvt.pem
echo "generated" %1sshkey.pem, %1pub.pem and %1pvt.pem
goto eof

:error
echo "usage: gensshkey_win <key prefix> <optional pass phrase>"
echo "key prefix used to prefix the generated files; use a prefix that represent your key usage"
echo "example: gensshkey_win db pass@word1
echo "example: gensshkey_win db

:eof

 Execute the following command to generate a pass phrase protected key pair:

gensshkey_win.cmd db pass@word1 

Execution of the openssl through the above command will prompt for geo and personal information as mentioned previously; just hit ENTER if you are ok with the defaults.

This will generate dbsshkey.pem, dbpvt.pem and dbpub.pem with the private key DES3 encrypted with pass phrase “pass@word1” similar to the openssl process on Linux.

For clear text private key, invoke the above shell script with just the prefix as shown below.

gensshkey_win.cmd db

dbsshkey.pem thus generated can be used from within Linux to connect to other Linux instances using ssh command. dbpvt.pem can be used to convert it to .PPK format through puttygen.exe for using  putty.exe usage as the SSH client on Windows and Linux.

For more Linux on Windows Azure related information visit: http://www.windowsazure.com/en-us/manage/linux/.




Published at DZone with permission of Hanu Kommalapati, author and DZone MVB. (source)

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)