Issue with using Bastion - Keyvault's private key as secret login

95098568 20 Reputation points
2023-09-07T12:58:49.7266667+00:00

Hello,

I am trying to deploy a solution that uses Azure Bastion for granting guest users access to specific Linux VMs on a project.

I was exploring options for how to generate different key pairs for different users.

For example, I need a sudo user (localadmin) and another user with a lower set of permissions, each able to use a different Key Vault private key in order to log in.

It is working successfully for the localadmin after using the below commands:
ssh-keygen -t rsa

Having generated both the public and private keys, I rename the public key to authorized_keys, then take the value of the private key and create it as a secret using:
az keyvault secret set --vault-name <name of key vault> --name <name of secret> --file <private ssh key> --encoding ascii

That works, and users that have the List and Get secrets permissions on the key vault can securely connect to the VMs as localadmin using the Key Vault private key stored as a secret.

However, when I try to recreate the same for another user following the same steps, the Bastion login fails, and upon searching the /var/log files there's just an error stating that the connection could not be authenticated.

If you have any suggestions, please share them below.

Thank you in advance !


Accepted answer
    Anonymous
    2023-09-15T10:30:54.1733333+00:00

    Forgot to update the thread with the solution I found:
    Created the user with a home directory

    sudo useradd <user>

    sudo passwd <user>

    added them to sudoers

    sudo usermod <user> -aG sudo

    sudo vi /etc/sudoers

    created their ssh folder

    sudo mkdir /home/<user>/.ssh

    generated keys as the new user

    ssh-keygen -t ed25519

    created the authorized_keys file in .ssh and copied the public key into it

    sudo vi /home/<user>/.ssh/authorized_keys

    changed the owner and group of the file to the new user

    sudo chown <user>:<group> authorized_keys

    Created the Key Vault secret via the Azure CLI

    Created a local file with the private key contents

    Uploaded the file with the Azure CLI

    az keyvault secret set --vault-name <vault_name> --name <secret_name> --file <file_name>

    1 person found this answer helpful.

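The accepted answer's steps, collected into one script as an added example (this is not code from the thread or from Microsoft). The detail worth making explicit is the one the answer fixes with chown: sshd runs with StrictModes enabled by default and silently rejects an authorized_keys file that is owned by root (what "sudo vi" leaves behind) or whose ~/.ssh directory or file is writable by anyone but the owner, which shows up in the logs only as a failed authentication. The script therefore installs the files with explicit owner and mode and then verifies the layout before the key is uploaded to Key Vault. Assumptions: a Debian/Ubuntu-style "sudo" group and per-user private group, GNU coreutils/findutils, OpenSSH client tools, an Azure CLI that is already logged in, and vault and secret names that you pass as arguments.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Provisions an extra Linux login
# for Azure Bastion with a Key Vault-stored private key.
# Assumptions: Debian/Ubuntu "sudo" group and per-user group (useradd -m),
# GNU find/coreutils, ssh-keygen, Azure CLI already logged in.
set -euo pipefail

# Verify the on-disk layout sshd insists on (StrictModes yes is the default):
# ~/.ssh and ~/.ssh/authorized_keys exist, are owned by the login user (not
# root) and are mode 0700 / 0600. The mode check is stricter than sshd's
# minimum (it only forbids group/other write) but matches the usual guidance.
# Prints the first problem to stderr; returns 0 only when everything passes.
check_ssh_layout() {
    local user="$1" home="$2"
    local dir="$home/.ssh" keys="$home/.ssh/authorized_keys"
    [ -d "$dir" ]  || { echo "missing directory $dir" >&2; return 1; }
    [ -f "$keys" ] || { echo "missing file $keys" >&2; return 1; }
    [ -n "$(find "$dir"  -maxdepth 0 -user "$user")" ] || { echo "$dir is not owned by $user" >&2; return 1; }
    [ -n "$(find "$keys" -maxdepth 0 -user "$user")" ] || { echo "$keys is not owned by $user" >&2; return 1; }
    [ -n "$(find "$dir"  -maxdepth 0 -perm 0700)" ]   || { echo "$dir is not mode 0700" >&2; return 1; }
    [ -n "$(find "$keys" -maxdepth 0 -perm 0600)" ]   || { echo "$keys is not mode 0600" >&2; return 1; }
    [ -s "$keys" ] || { echo "$keys is empty" >&2; return 1; }
    return 0
}

# provision_ssh_user <user> <vault-name> <secret-name> [sudo]
# Creates the login, installs a fresh ed25519 public key as authorized_keys,
# verifies the layout, then stores the private key in Key Vault and wipes it.
provision_ssh_user() {
    local user="$1" vault="$2" secret="$3" grant_sudo="${4:-}"
    local home="/home/$user" tmp

    # 1. Key-only login: no password is set, so password auth cannot be used.
    sudo useradd -m -s /bin/bash "$user"
    if [ "$grant_sudo" = "sudo" ]; then
        sudo usermod -aG sudo "$user"   # "sudo" group is granted root in /etc/sudoers
    fi

    # 2. Generate the key pair in a private temp dir, not in the user's home,
    #    so no private key is ever left on the VM.
    tmp="$(mktemp -d)"
    ssh-keygen -t ed25519 -N '' -C "$user@bastion" -f "$tmp/id_ed25519" >/dev/null

    # 3. Install with the owner and modes sshd checks (what "sudo vi" gets wrong).
    sudo install -d -m 0700 -o "$user" -g "$user" "$home/.ssh"
    sudo install -m 0600 -o "$user" -g "$user" "$tmp/id_ed25519.pub" "$home/.ssh/authorized_keys"
    # Run the check as root: a non-root admin cannot look inside a 0700 dir.
    sudo bash -c "$(declare -f check_ssh_layout); check_ssh_layout '$user' '$home'"

    # 4. Upload the private key as a secret; Bastion reads it from the vault for
    #    any identity with Get/List on secrets. Then shred the local copy.
    az keyvault secret set --vault-name "$vault" --name "$secret" \
        --file "$tmp/id_ed25519" --content-type "application/x-pem-file" >/dev/null
    shred -u "$tmp/id_ed25519" 2>/dev/null || rm -f "$tmp/id_ed25519"
    rm -rf "$tmp"
    echo "user $user ready; select '$secret' in vault '$vault' in the Bastion SSH dialog"
}

# Usage:  ./bastion-user.sh --provision <user> <vault-name> <secret-name> [sudo]
if [ "${1:-}" = "--provision" ]; then
    shift
    provision_ssh_user "$@"
fi
```

Run the script on the VM as an admin who already has sudo (for example over the working localadmin Bastion session). The checking function can also be run on its own against an account that already fails to log in, which is a quicker diagnosis than reading /var/log/auth.log; when it reports a root-owned file or a loose mode, the chown and chmod it names are the fix.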