SSH with AAD creds doesn't work on Linux VM in Azure (permission denied or timeout)

anonanonanon 21 Reputation points
2023-03-13T13:22:58.39+00:00

I'm following the instructions on https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-linux but cannot log in with my AAD creds. I created the VM with a username and password, not with an SSH cert. I keep getting:

Permission denied (publickey)

I cannot log in with my AAD account that has been given the "Virtual Machine Administrator Login" role. When I try via the Azure Cloud Shell, it just times out.

This works if I use the username/password set when the VM was created. If I generate an SSH key and use the "reset password" function on the VM, I can log in by passing my key files.

What am I missing? I've tried this with two different Linux VMs, created from scratch for this purpose.

Full details here: https://github.com/MicrosoftDocs/azure-docs/issues/106462


Accepted answer
  1. Chris Payne Elevated 75 Reputation points
    2023-04-26T21:10:42.46+00:00

    Wanted to update this ticket with the solution we discovered. We were using privileged accounts in this situation to access the VM. These privileged accounts have the "$" character in them, e.g. myusername$@mydomain.com. Turns out that the "$" character is not supported in UPN. Per Microsoft's rep:

    the dollar sign is not in the list of allowed UPN symbols, at least according to the standard we adhered to when we wrote the name validation. This explains why the login is not working.

    and

    Unfortunately, the name becomes a part of the URL for permission and Microsoft Graph calls and $ sign has a special meaning in the URL format and may need to be escaped in several places across the several service calls, so it probably will not be as simple as adding it to the list of allowed UPN characters.

    When I tried the AAD login using a "regular" account without any special characters, it worked as expected. Going to mark this as accepted and live to fight another day.

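The accepted answer traces the failure to a `$` in the account name. A small pre-flight check that reports which characters in a login name fall outside the UPN character set is shown below. This is added example code, not part of the thread or of Microsoft's tooling; the allowed-character set it uses (letters, digits and `' . - _ ! # ^ ~` in the part before `@`) is taken from Microsoft's published UPN rules as I remember them and is an assumption, since the page itself only states that `$` is rejected.

```python
import re

# Assumption: the characters Azure AD accepts in the local part of a UPN
# (A-Z, a-z, 0-9 and ' . - _ ! # ^ ~). Not stated on the page; from
# Microsoft's UPN documentation as remembered, so treat as an assumption.
UPN_LOCAL_ALLOWED = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'.-_!#^~"
)

# One DNS label: starts/ends alphanumeric, hyphens allowed inside, max 63 chars.
DOMAIN_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_upn(upn: str) -> dict:
    """Report whether `upn` is usable as an Azure AD SSH login name.

    Returns {"ok": bool, "problems": [str], "bad_chars": [str]} so callers can
    show exactly which characters (for example "$") would break the login.
    """
    problems = []
    if upn.count("@") != 1:
        return {"ok": False, "problems": ["expected exactly one '@'"], "bad_chars": []}

    local, domain = upn.split("@")
    bad_chars = sorted({c for c in local if c not in UPN_LOCAL_ALLOWED})

    if not local:
        problems.append("empty local part before '@'")
    if bad_chars:
        problems.append("disallowed character(s) in local part: " + " ".join(bad_chars))
    if "$" in bad_chars:
        # The case from the thread: "$" is both outside the allowed set and
        # URL-significant in the Graph calls the login path makes.
        problems.append("'$' is rejected by UPN validation; use an account without it")

    labels = domain.split(".")
    if len(labels) < 2 or not all(DOMAIN_LABEL.match(label) for label in labels):
        problems.append("domain part is not a valid DNS name")

    return {"ok": not problems, "problems": problems, "bad_chars": bad_chars}


if __name__ == "__main__":
    # Constructed sample names, including the shape reported in the thread.
    for name in ("myusername$@mydomain.com", "jane.doe@mydomain.com"):
        print(name, "->", check_upn(name))
```

Running the check on the account before assigning roles or opening a support case saves a round trip: a non-empty `bad_chars` list means the login will fail regardless of how the VM or the role assignment is configured.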

1 additional answer

  1. vipullag-MSFT 26,021 Reputation points
    2023-03-15T05:04:37.75+00:00

    Hello anonanonanon

    Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.

    The error message you shared indicates that the SSH authentication method being used is public key authentication. And as you also mentioned, you created the VM with a username and password, not with an SSH cert. This suggests that the SSH key authentication method is not properly configured for your Azure AD account.

    Try the below troubleshooting steps to see if it helps:

    -Log in to the VM using the username/password which you mentioned is successfully working for you. Verify if the SSH configuration is set to allow password authentication. You can check the SSH configuration file (/etc/ssh/sshd_config) and make sure that the "PasswordAuthentication" setting is set to "yes".

    -Ensure that your Azure AD account has been assigned the "Virtual Machine Administrator Login" role for the VM. Do this by checking the VM's Access control (IAM) settings from the Azure portal.

    -Try resetting the SSH public key for your Azure AD account. Generate an SSH key pair and add the public key to your Azure AD account. Then, try logging in using SSH with the new key pair.

    Ref: https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-linux#configure-ssh-public-key-authentication

    Use correct username for your Azure AD account (username@domain.com).

    Hope this helps.

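The first troubleshooting step above asks you to confirm the `PasswordAuthentication` value in `/etc/ssh/sshd_config`. Reading it by eye is error-prone because OpenSSH uses the first occurrence of a keyword, ignores commented-out defaults such as `#PasswordAuthentication yes`, and treats anything under a `Match` block as conditional. The parser below applies those rules to return the effective global value. It is added example code, not from the thread or from OpenSSH; the sample config it ships with is constructed, and it does not follow `Include` directives (pass the included files' contents first if they matter on your image).

```python
import re

# Constructed sample resembling a Debian/Ubuntu sshd_config; not from the page.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Include /etc/ssh/sshd_config.d/*.conf
#PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

# OpenSSH compiled-in defaults for the keywords this check cares about.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}


def effective_setting(config_text: str, keyword: str) -> str:
    """Return the global effective value of `keyword` in an sshd_config.

    Rules applied, mirroring sshd(8):
      * comment lines (starting with '#') and blank lines are ignored;
      * keywords are case-insensitive and may be written 'Key value' or 'Key=value';
      * the FIRST occurrence of a keyword wins, later ones are ignored;
      * everything after the first 'Match' line is conditional and is skipped,
        since it only applies to connections matching the Match criteria;
      * a keyword never set falls back to DEFAULTS (empty string if unknown).
    """
    want = keyword.lower()
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True  # global section ends at the first Match block
            continue
        if in_match:
            continue
        if key == want:
            return value
    return DEFAULTS.get(want, "")


def password_auth_enabled(config_text: str) -> bool:
    """True if password logins are accepted globally by this sshd_config."""
    return effective_setting(config_text, "PasswordAuthentication") == "yes"


def diagnose(config_text: str) -> list:
    """Summarise the two settings that matter for the steps in this thread."""
    findings = []
    if not password_auth_enabled(config_text):
        findings.append("PasswordAuthentication is effectively 'no': "
                        "password logins will be refused even with correct credentials")
    if effective_setting(config_text, "PubkeyAuthentication") != "yes":
        findings.append("PubkeyAuthentication is effectively off: key-based logins will fail")
    return findings


if __name__ == "__main__":
    # On a VM: diagnose(open("/etc/ssh/sshd_config").read())
    for line in diagnose(SAMPLE_SSHD_CONFIG) or ["no findings"]:
        print(line)
```

Note that the sample deliberately contains the trap the step warns about: the commented `#PasswordAuthentication yes` line and the `Match`-scoped `yes` do not make password login work, because the first uncommented global line says `no`.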