az ssh arc connection issue using Service Principal #29006

@joeldiaslinux

Describe the bug

When logged in as a Service Principal, the "az ssh arc" command only functions when .azure/msal_token_cache.json is either empty or absent.
The issue can be resolved by either deleting the .azure/msal_token_cache.json file, or specifically removing the entry "-login.microsoftonline.com-accesstoken-redacted-redacted-https://pas.windows.net/checkmyaccess/linux/.default" from within the .azure/msal_token_cache.json file.

Related command

$ az login --service-principal -u redacted -p redacted --tenant redacted

$ az ssh arc --resource-group MYRESOURCEGROUP --name my-linux-server-rocky8

Errors

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Permissions 0644 for '/tmp/aadsshcert40pdyv7c/id_rsa.pub-aadcert.pub' are too open.

Issue script & Debug output

cli.knack.cli: Command arguments: ['ssh', 'arc', '--resource-group', 'MYRESOURCEGROUP', '--name', 'my-linux-server-rocky8', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f9d777d0040>, <function OutputProducer.on_global_arguments at 0x7f9d7777e160>, <function CLIQuery.on_global_arguments at 0x7f9d777b7c40>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'ssh': ['azext_ssh']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: Total (0) 0.000 0 0
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: ssh 0.067 1 4 /home/service-principal/.azure/cliextensions/ssh
cli.azure.cli.core: Total (1) 0.067 1 4
cli.azure.cli.core: Loaded 1 groups, 4 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : ssh arc
cli.azure.cli.core: Command table: ssh arc
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f9d76a79c60>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/service-principal/.azure/commands/2024-04-25.11-34-46.ssh_arc.3588.log'.
az_command_data_logger: command args: ssh arc --resource-group {} --name {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x7f9d76891f80>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x7f9d76892020>, <function register_cache_arguments..add_cache_arguments at 0x7f9d76892160>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7f9d7777e200>, <function CLIQuery.handle_query_parameter at 0x7f9d777b7ce0>, <function register_ids_argument..parse_ids_arguments at 0x7f9d768920c0>]
az_command_data_logger: extension name: ssh
az_command_data_logger: extension version: 2.0.3
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=ResourceManagementClient
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/service-principal/.azure/service_principal_entries.json', encrypt=False
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/service-principal/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /home/service-principal/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com//oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com//discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com//v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com//oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com//oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com//oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com//kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
cli.azure.cli.core.auth.msal_authentication: ServicePrincipalCredential.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
msal.telemetry: Generate or reuse correlation_id: 86935138-1bd8-4c92-98ce-9c277b116bfa
urllib3.connectionpool: Starting new HTTPS connection (1): login.microsoftonline.com:443
urllib3.connectionpool: https://login.microsoftonline.com:443 "POST //oauth2/v2.0/token HTTP/1.1" 200 1473
msal.token_cache: event={
"client_id": "586ecbe2-8c2b-4370-83e7-",
"data": {
"claims": "{"access_token": {"xms_cc": {"values": ["CP1"]}}}",
"scope": [
"https://management.core.windows.net//.default"
]
},
"environment": "login.microsoftonline.com",
"grant_type": "client_credentials",
"params": null,
"response": {
"access_token": "",
"expires_in": 3599,
"ext_expires_in": 3599,
"token_type": "Bearer"
},
"scope": [
"https://management.core.windows.net//.default"
],
"token_endpoint": "https://login.microsoftonline.com//oauth2/v2.0/token"
}
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions//resourceGroups/MYRESOURCEGROUP/resources?$filter=name%20eq%20%27my-linux-server-rocky8%27&api-version=2022-09-01'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': ''
cli.azure.cli.core.sdk.policies: 'CommandName': 'ssh arc'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--resource-group --name --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.59.0 (DEB) azsdk-python-core/1.28.0 Python/3.11.8 (Linux-5.15.146.1-microsoft-standard-WSL2-x86_64-with-glibc2.31)'
cli.azure.cli.core.sdk.policies: 'Authorization': '
'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions//resourceGroups/MYRESOURCEGROUP/resources?$filter=name%20eq%20%27my-linux-server-rocky8%27&api-version=2022-09-01 HTTP/1.1" 200 433
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-reads': '11998'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': 'caa30191-66f6-4fc5-bf3e-b917189b8cf7'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': 'caa30191-66f6-4fc5-bf3e-b917189b8cf7'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'FRANCESOUTH:20240425T093446Z:caa30191-66f6-4fc5-bf3e-b917189b8cf7'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'Date': 'Thu, 25 Apr 2024 09:34:45 GMT'
cli.azure.cli.core.sdk.policies: 'Content-Length': '433'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"value":[{"id":"/subscriptions//resourceGroups/MYRESOURCEGROUP/providers/Microsoft.HybridCompute/machines/my-linux-server-rocky8","name":"my-linux-server-rocky8","type":"Microsoft.HybridCompute/machines","location":"francecentral","identity":{"principalId":"","tenantId":"","type":"SystemAssigned"},"tags":{}}]}
cli.azext_ssh.resource_type_utils: Target Resource Type: Microsoft.HybridCompute/machines
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com//oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com//discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com//v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com//oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com//oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com//oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com//kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
cli.azure.cli.core.auth.msal_authentication: ServicePrincipalCredential.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 3accb4bc-c521-496e-be3c-f9a28b13d01b
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions//resourceGroups/MYRESOURCEGROUP/providers/Microsoft.HybridCompute/machines/my-linux-server-rocky8?api-version=2022-11-10'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': ''
cli.azure.cli.core.sdk.policies: 'CommandName': 'ssh arc'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--resource-group --name --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.59.0 (DEB) azsdk-python-core/1.28.0 Python/3.11.8 (Linux-5.15.146.1-microsoft-standard-WSL2-x86_64-with-glibc2.31)'
cli.azure.cli.core.sdk.policies: 'Authorization': '
'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions//resourceGroups/MYRESOURCEGROUP/providers/Microsoft.HybridCompute/machines/my-linux-server-rocky8?api-version=2022-11-10 HTTP/1.1" 200 2994
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '2994'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-reads': '11999'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': 'd4fbcb37-772b-4d29-942d-99657f7dd9a6'
cli.azure.cli.core.sdk.policies: 'Server': 'Kestrel'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': 'd79770b5-8f9d-4dcb-84ba-5738e4d7e888'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'FRANCESOUTH:20240425T093447Z:d79770b5-8f9d-4dcb-84ba-5738e4d7e888'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'Date': 'Thu, 25 Apr 2024 09:34:46 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"id":"/subscriptions//resourceGroups/MYRESOURCEGROUP/providers/Microsoft.HybridCompute/machines/my-linux-server-rocky8","name":"my-linux-server-rocky8","location":"francecentral","tags":{},"identity":{"type":"SystemAssigned","principalId":"","tenantId":""},"type":"Microsoft.HybridCompute/machines","properties":{"provisioningState":"Succeeded","agentVersion":"1.39.02628.1431","status":"Connected","lastStatusChange":"2024-04-25T09:28:19.0852132Z","errorDetails":[],"displayName":"my-linux-server-rocky8","machineFqdn":"my-linux-server-rocky8","osName":"linux","osVersion":"4.18.0-477.27.1.el8_8.x86_64","osType":"linux","osProfile":{"computerName":"my-linux-server-rocky8"},"vmId":"9f12c7e7-5e53-46c3-87b8-42701e713e29","vmUuid":"624fbf78-b321-4357-b178-6920e6c91d21","clientPublicKey":"MIIBCgKCAQEAtleHU/g5TSMxg5GQ4ydtXHVpDPMkwjVXH45PS4apWcT8eDPHtY1tnGwaiGM1IbuIVK4Bv44IKKAeRRhHcbWVGhifjYXq4OEyCPuL3p8aFX8yNJYuR2Uq384kUKQJQV5OuvhKGPzCWgjdmDujeO9boe1XzAETs1zhEQYSTdmLZLvMTanVM9wsSadLzSPTzRv3qIG34/SaaxGX+jAV8GeWtv0mw640MJibRV8iKkfrQsO7+nyo/KFlHJtn+Ah7XMgfzeasnv5AN8CofgQrYc0tAuRXC6Hb/kxiAY68iKAYmKuZNtLV0i93WAY39T6UEV+L5w1pedPk+eoW2Z1HqHNDxQIDAQAB","osSku":"Rocky Linux 8.8 (Green Obsidian)","domainName":"unknown","adFqdn":"unknown","dnsFqdn":"my-linux-server-rocky8.emea-west-pdc-z01.uc.internal","mssqlDiscovered":"false","cloudMetadata":{"provider":"N/A"},"detectedProperties":{"cloudprovider":"N/A","coreCount":"1","logicalCoreCount":"1","manufacturer":"OpenStack Foundation","model":"OpenStack Nova","mssqldiscovered":"false","processorCount":"1","processorNames":"Intel(R) Xeon(R) Gold 6252N CPU @ 
2.30GHz","productType":"unknown","serialNumber":"unknown","totalPhysicalMemoryInBytes":"3848085504","totalPhysicalMemoryInGigabytes":"3"},"agentConfiguration":{"proxyUrl":"","incomingConnectionsPorts":[],"extensionsAllowList":[],"extensionsBlockList":[],"proxyBypass":[],"extensionsEnabled":"true","guestConfigurationEnabled":"true","configMode":"full"},"serviceStatuses":{"extensionService":{"status":"active","startupType":"enabled"},"guestConfigurationService":{"status":"active","startupType":"enabled"}}},"resources":[{"id":"/subscriptions//resourceGroups/MYRESOURCEGROUP/providers/Microsoft.HybridCompute/machines/my-linux-server-rocky8/extensions/AADSSHLogin","name":"AADSSHLogin","type":"Microsoft.HybridCompute/machines/extensions","location":"francecentral","properties":{"publisher":"Microsoft.Azure.ActiveDirectory","type":"AADSSHLoginForLinux","typeHandlerVersion":"1.0.2644.1","autoUpgradeMinorVersion":false,"enableAutomaticUpgrade":true,"settings":{},"provisioningState":"Succeeded","instanceView":{"name":"AADSSHLogin","type":"AADSSHLoginForLinux","typeHandlerVersion":"1.0.2644.1","status":{"code":"0","level":"Information","message":"Extension Message: Done"}}}}]}
cli.azext_ssh.target_os_utils: Target OS Type: linux
cli.azext_ssh.ssh_utils: Running ssh-keygen command ssh-keygen -f /tmp/aadsshcert40pdyv7c/id_rsa -t rsa -q -N
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com//oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com//discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com//v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com//oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com//oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com//oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com//kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://pas.windows.net/CheckMyAccess/Linux/.default',), kwargs={'data': {'token_type': 'ssh-cert', 'req_cnf': '{"kty": "RSA", "n": "", "e": "AQAB", "kid": "1a4135d15efc56baef04a7105a280394404131354d3a9e0b5a3be9c746784cc8"}', 'key_id': '1a4135d15efc56baef04a7105a280394404131354d3a9e0b5a3be9c746784cc8'}}
cli.azure.cli.core.auth.msal_authentication: ServicePrincipalCredential.get_token: scopes=('https://pas.windows.net/CheckMyAccess/Linux/.default',), kwargs={'data': {'token_type': 'ssh-cert', 'req_cnf': '{"kty": "RSA", "n": "", "e": "AQAB", "kid": "1a4135d15efc56baef04a7105a280394404131354d3a9e0b5a3be9c746784cc8"}', 'key_id': '1a4135d15efc56baef04a7105a280394404131354d3a9e0b5a3be9c746784cc8'}}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 93b43d2b-9af3-4991-97b1-3299774a4663
cli.azext_ssh.custom: Generating certificate /tmp/aadsshcert40pdyv7c/id_rsa.pub-aadcert.pub
cli.azext_ssh.ssh_utils: Running ssh-keygen command ssh-keygen -L -f /tmp/aadsshcert40pdyv7c/id_rsa.pub-aadcert.pub
cli.azext_ssh.ssh_utils: Running ssh-keygen command ssh-keygen -L -f /tmp/aadsshcert40pdyv7c/id_rsa.pub-aadcert.pub
cli.azext_ssh.connectivity_utils: Platform OS: Linux
cli.azext_ssh.connectivity_utils: Platform architecture: x86_64
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com//oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com//discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com//v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com//oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com//oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com//oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com//kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
cli.azure.cli.core.auth.msal_authentication: ServicePrincipalCredential.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 2a7d29f1-e27d-4d9d-8dcd-dda157e80cda
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions//resourceGroups/MYRESOURCEGROUP/providers/Microsoft.HybridCompute/machines/my-linux-server-rocky8/providers/Microsoft.HybridConnectivity/endpoints/default/listCredentials?expiresin=3600&api-version=2023-03-15'
cli.azure.cli.core.sdk.policies: Request method: 'POST'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'Content-Length': '22'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': ''
cli.azure.cli.core.sdk.policies: 'CommandName': 'ssh arc'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--resource-group --name --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.59.0 (DEB) azsdk-python-core/1.28.0 Python/3.11.8 (Linux-5.15.146.1-microsoft-standard-WSL2-x86_64-with-glibc2.31)'
cli.azure.cli.core.sdk.policies: 'Authorization': '
'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"serviceName": "SSH"}
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "POST /subscriptions//resourceGroups/MYRESOURCEGROUP/providers/Microsoft.HybridCompute/machines/my-linux-server-rocky8/providers/Microsoft.HybridConnectivity/endpoints/default/listCredentials?expiresin=3600&api-version=2023-03-15 HTTP/1.1" 200 3583
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '3583'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-writes': '1199'
cli.azure.cli.core.sdk.policies: 'x-ms-providerhub-traffic': 'True'
cli.azure.cli.core.sdk.policies: 'mise-correlation-id': '160dacee-08ea-4c6e-8bc4-85403e3e7a51'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '7d1c05b0-a96d-4297-b55c-a236a9b5aa3a'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': 'a8a34e91-e77d-4e0e-b8c2-d0fcfd447845'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'FRANCESOUTH:20240425T093502Z:a8a34e91-e77d-4e0e-b8c2-d0fcfd447845'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'Date': 'Thu, 25 Apr 2024 09:35:02 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"relay":{"namespaceName":"azgn-francecentral-public-1p-fcpar20-003","namespaceNameSuffix":"servicebus.windows.net","hybridConnectionName":"microsoft.hybridcompute/machines/6af86a579a88611e322649ed2d161c335772ee093e9af9fdaeee907ceb509d6c/1714037702628715008/v2","accessKey":"SharedAccessSignature sr=http%3A%2F%2Fazgn-francecentral-public-1p-fcpar20-003.servicebus.windows.net%2Fmicrosoft.hybridcompute%2Fmachines%2F6af86a579a88611e322649ed2d161c335772ee093e9af9fdaeee907ceb509d6c%2F1714037702628715008%2Fv2%2F&sig=iVTYf6s2f2KB%2FF5uZAHPU%2BOx%2BynUIr1ToQBJbFcvFKI%3D&se=1714041902&skn=sender20240423","expiresOn":1714041302,"serviceConfigurationToken":""}}
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com//oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com//discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com//v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com//oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com//oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com//oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com//kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
cli.azure.cli.core.auth.msal_authentication: ServicePrincipalCredential.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 27037091-cea0-42a2-961f-aef31a71f5fa
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions//resourceGroups/MYRESOURCEGROUP/providers/Microsoft.HybridCompute/machines/my-linux-server-rocky8/providers/Microsoft.HybridConnectivity/endpoints/default/serviceConfigurations/SSH?api-version=2023-03-15'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': ''
cli.azure.cli.core.sdk.policies: 'CommandName': 'ssh arc'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--resource-group --name --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.59.0 (DEB) azsdk-python-core/1.28.0 Python/3.11.8 (Linux-5.15.146.1-microsoft-standard-WSL2-x86_64-with-glibc2.31)'
cli.azure.cli.core.sdk.policies: 'Authorization': '
**'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions//resourceGroups/MYRESOURCEGROUP/providers/Microsoft.HybridCompute/machines/my-linux-server-rocky8/providers/Microsoft.HybridConnectivity/endpoints/default/serviceConfigurations/SSH?api-version=2023-03-15 HTTP/1.1" 200 680
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '680'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'ETag': '"95004b39-0000-0e00-0000-661564b40000"'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-reads': '11999'
cli.azure.cli.core.sdk.policies: 'x-ms-providerhub-traffic': 'True'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': 'aa00661a-ffd0-49aa-918a-8e8012295a84'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': 'b7c2c8de-a7f1-4ffe-8c9e-16c048fce6fb'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'FRANCESOUTH:20240425T093503Z:b7c2c8de-a7f1-4ffe-8c9e-16c048fce6fb'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'Date': 'Thu, 25 Apr 2024 09:35:02 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"id":"/subscriptions//resourceGroups/MYRESOURCEGROUP/providers/Microsoft.HybridCompute/machines/my-linux-server-rocky8/providers/Microsoft.HybridConnectivity/endpoints/default/serviceconfigurations/SSH","name":"SSH","type":"microsoft.hybridconnectivity/endpoints/serviceconfigurations","systemData":{"createdBy":"586ecbe2-8c2b-4370-83e7-","createdByType":"Application","createdAt":"2024-04-08T14:01:53.0453591Z","lastModifiedBy":"586ecbe2-8c2b-4370-83e7-","lastModifiedByType":"Application","lastModifiedAt":"2024-04-09T15:54:27.4660206Z"},"properties":{"serviceName":"SSH","port":22,"provisioningState":"Succeeded"}}
cli.azext_ssh.ssh_utils: Running ssh command ssh my-linux-server-rocky8 -l 586ecbe2-8c2b-4370-83e7- -o ProxyCommand="/home/service-principal/.clientsshproxy/sshProxy_linux_amd64_1_3_026031" -i /tmp/aadsshcert40pdyv7c/id_rsa -o CertificateFile="/tmp/aadsshcert40pdyv7c/id_rsa.pub-aadcert.pub" -vvv
OpenSSH_8.2p1 Ubuntu-4ubuntu0.11, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Executing proxy command: exec "/home/service-principal/.clientsshproxy/sshProxy_linux_amd64_1_3_026031"
debug1: identity file /tmp/aadsshcert40pdyv7c/id_rsa type 0
debug1: certificate file /tmp/aadsshcert40pdyv7c/id_rsa.pub-aadcert.pub type 4
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0
debug1: match: OpenSSH_8.0 pat OpenSSH* compat 0x04000000
debug2: fd 5 setting O_NONBLOCK
debug2: fd 4 setting O_NONBLOCK
debug1: Authenticating to my-linux-server-rocky8:22 as '586ecbe2-8c2b-4370-83e7-'
debug3: hostkeys_foreach: reading file "/home/service-principal/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/service-principal/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from my-linux-server-rocky8
debug3: order_hostkeyalgs: have matching best-preference key type ecdsa-sha2-nistp256-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,kex-strict-s-v00@openssh.com
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug3: will use strict KEX ordering
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:5rV76Y/SwZqXW/m/1aZ3N28nET3aV3BRd7ljD7rkHMQ
debug3: hostkeys_foreach: reading file "/home/service-principal/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/service-principal/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from my-linux-server-rocky8
debug1: Host 'my-linux-server-rocky8' is known and matches the ECDSA host key.
debug1: Found key in /home/service-principal/.ssh/known_hosts:1
debug3: send packet: type 21
debug1: resetting send seqnr 3
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /tmp/aadsshcert40pdyv7c/id_rsa.pub-aadcert.pub RSA-CERT SHA256:+mDqglCYejp0BhsStvj3Q5J+6oSO+9Z7+tFt2sTek3c explicit
debug1: Will attempt key: /tmp/aadsshcert40pdyv7c/id_rsa RSA SHA256:gp4o/8A+O7IB9V89mh6mwltOsK0lJsfud7SdZ53oysI explicit
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 53
debug3: input_userauth_banner
This is a private computing system network for professional use only.

Private IP: <IP_redacted>

debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /tmp/aadsshcert40pdyv7c/id_rsa.pub-aadcert.pub RSA-CERT SHA256:+mDqglCYejp0BhsStvj3Q5J+6oSO+9Z7+tFt2sTek3c explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /tmp/aadsshcert40pdyv7c/id_rsa.pub-aadcert.pub RSA-CERT SHA256:+mDqglCYejp0BhsStvj3Q5J+6oSO+9Z7+tFt2sTek3c explicit
debug3: sign_and_send_pubkey: RSA-CERT SHA256:+mDqglCYejp0BhsStvj3Q5J+6oSO+9Z7+tFt2sTek3c
debug1: sign_and_send_pubkey: no separate private key for certificate "/tmp/aadsshcert40pdyv7c/id_rsa.pub-aadcert.pub"
debug3: sign_and_send_pubkey: signing using rsa-sha2-512-cert-v01@openssh.com SHA256:+mDqglCYejp0BhsStvj3Q5J+6oSO+9Z7+tFt2sTek3c
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Permissions 0644 for '/tmp/aadsshcert40pdyv7c/id_rsa.pub-aadcert.pub' are too open.

It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/tmp/aadsshcert40pdyv7c/id_rsa.pub-aadcert.pub": bad permissions
debug1: Offering public key: /tmp/aadsshcert40pdyv7c/id_rsa RSA SHA256:gp4o/8A+O7IB9V89mh6mwltOsK0lJsfud7SdZ53oysI explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
586ecbe2-8c2b-4370-83e7-@my-linux-server-rocky8: Permission denied (publickey).

Expected behavior

az ssh arc is supposed to work without issue if the .azure/msal_token_cache.json file exists.

Environment Summary

azure-cli 2.61.0
core 2.61.0
telemetry 1.1.0
Extensions:
ssh 2.0.3
Dependencies:
msal 1.28.0
azure-mgmt-resource 23.1.1
Python location '/opt/az/bin/python3'
Extensions directory '/home/sp-azure-arc-linux-pilot/.azure/cliextensions'
Python (Linux) 3.11.8 (main, May 16 2024, 03:47:41) [GCC 9.4.0]
Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

No response
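In the debug output above, the certificate and `id_rsa` appear in the "Will attempt key" lines with different SHA256 fingerprints, and ssh then reports "no separate private key for certificate". OpenSSH fingerprints a certificate by the public key it certifies, so a certificate that belongs to the offered private key shows the same fingerprint. The following check is an added example, not code from the issue or from the Azure CLI project; it flags that condition in `ssh -v` output, and the sample log, its paths and its fingerprints are constructed placeholders.

```python
import re

# Constructed sample in the shape of the ssh -vvv lines in the report;
# paths and fingerprints are placeholders, not values from the issue.
SAMPLE_LOG = """\
debug1: Will attempt key: /tmp/certdir/id_rsa.pub-aadcert.pub RSA-CERT SHA256:AAAAcertfingerprintAAAA explicit
debug1: Will attempt key: /tmp/certdir/id_rsa RSA SHA256:BBBBkeyfingerprintBBBB explicit
debug1: Server accepts key: /tmp/certdir/id_rsa.pub-aadcert.pub RSA-CERT SHA256:AAAAcertfingerprintAAAA explicit
debug1: sign_and_send_pubkey: no separate private key for certificate "/tmp/certdir/id_rsa.pub-aadcert.pub"
Load key "/tmp/certdir/id_rsa.pub-aadcert.pub": bad permissions
"""

ATTEMPT = re.compile(r"Will attempt key: (\S+) (\S+) (SHA256:\S+)")
NO_PRIVKEY = re.compile(r'no separate private key for certificate "([^"]+)"')


def find_cert_key_mismatches(log_text):
    """Return one finding per offered certificate that no offered plain key matches."""
    certs, keys, orphaned = {}, {}, set()
    for line in log_text.splitlines():
        m = ATTEMPT.search(line)
        if m:
            path, key_type, fingerprint = m.groups()
            # Certificate identities are listed with a "-CERT" key type.
            target = certs if key_type.endswith("-CERT") else keys
            target[path] = fingerprint
            continue
        m = NO_PRIVKEY.search(line)
        if m:
            orphaned.add(m.group(1))

    findings = []
    for cert_path, cert_fp in certs.items():
        if cert_fp not in keys.values():
            findings.append({
                "certificate": cert_path,
                "certificate_fp": cert_fp,
                "offered_keys": dict(keys),
                # True when ssh itself logged that it had no matching private key.
                "ssh_confirmed": cert_path in orphaned,
            })
    return findings


if __name__ == "__main__":
    for finding in find_cert_key_mismatches(SAMPLE_LOG):
        print("certificate does not match any offered key:", finding)
```

A finding with `ssh_confirmed` set explains the misleading "UNPROTECTED PRIVATE KEY FILE" warning: with no matching private key, ssh tries to load the certificate file itself as a key and rejects its 0644 mode.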


Labels: SSH, Service Attention, bug
