Export-AzSshConfig
This cmdlet exports an SSH configuration file that can be used to connect to Azure Resources through client applications that support OpenSSH config and certificates. SSH config files can be created that use Microsoft Entra ID issued certificates or local user credentials.
Syntax
Export-AzSshConfig
-ResourceGroupName <String>
-Name <String>
-ConfigFilePath <String>
[-PublicKeyFile <String>]
[-PrivateKeyFile <String>]
[-UsePrivateIp]
[-LocalUser <String>]
[-Port <String>]
[-ResourceType <String>]
[-CertificateFile <String>]
[-Overwrite]
[-KeysDestinationFolder <String>]
[-Force]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
Export-AzSshConfig
-Ip <String>
-ConfigFilePath <String>
[-PublicKeyFile <String>]
[-PrivateKeyFile <String>]
[-LocalUser <String>]
[-Port <String>]
[-CertificateFile <String>]
[-Overwrite]
[-KeysDestinationFolder <String>]
[-Force]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
Export-AzSshConfig
-ResourceId <String>
-ConfigFilePath <String>
[-PublicKeyFile <String>]
[-PrivateKeyFile <String>]
[-UsePrivateIp]
[-LocalUser <String>]
[-Port <String>]
[-CertificateFile <String>]
[-Overwrite]
[-KeysDestinationFolder <String>]
[-Force]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
Description
The exported SSH configuration file can be used to connect to Azure Resources by client applications that support OpenSSH config and certificates. Applications such as git and rsync can use the configuration file by setting the command to 'ssh -F /path/to/config'. For example: rsync -e 'ssh -F /path/to/config'. Users can create SSH config files that use Microsoft Entra ID issued certificates or local user credentials.
Important note: When connecting to Azure Arc resources, this cmdlet requires the Az.Ssh.ArcProxy module to also be installed on the client machine. The cmdlet will attempt to install the module from the PowerShell Gallery, but the user also has the option to install it themselves. The user must also have permission to execute the Proxy files in the Az.Ssh.ArcProxy module, or the connection will fail. You can find the Az.Ssh.ArcProxy module in the PowerShell Gallery: https://aka.ms/PowerShellGallery-Az.Ssh.ArcProxy.
Examples
Example 1: Export an SSH configuration file for connecting to a resource using Microsoft Entra ID issued certificates for authentication.
Export-AzSshConfig -ResourceGroupName myRg -Name myMachine -ConfigFilePath ./sshconfig.config
When -LocalUser is not supplied, the cmdlet will attempt to create a certificate to log in using Microsoft Entra ID. This is currently only supported for resources running Linux OS. When using Microsoft Entra ID to log in to the resource, the host name in the configuration entry will be "{resource group name}-{resource name}", or "{ip address}" for Azure VMs.
Example 2: Export an SSH configuration file for connecting to the public IP of an Azure Virtual Machine using Microsoft Entra ID issued certificates.
Export-AzSshConfig -Ip 1.2.3.4 -ConfigFilePath ./sshconfig.config
Example 3: Export an SSH configuration file for connecting to a local user on an Azure resource using SSH certificates for authentication
Export-AzSshConfig -ResourceGroupName myRg -Name myVm -LocalUser azureuser -CertificateFile ./cert -PrivateKeyFile ./id_rsa -ConfigFilePath ./sshconfig.config
When using local user credentials to log in, the host name in the configuration entry will be "{resource group name}-{resource name}-{username}", or "{ip address}-{username}" for Azure VMs.
Example 4: Export an SSH configuration file for connecting to a local user on an Azure resource using an SSH private key for authentication
Export-AzSshConfig -ResourceGroupName myRg -Name myVm -LocalUser azureuser -PrivateKeyFile ./id_rsa -ConfigFilePath ./sshconfig.config
Example 5: Export an SSH configuration file for connecting to a local user on an Azure resource using an interactive username and password for authentication
Export-AzSshConfig -ResourceGroupName myRg -Name myVm -LocalUser azureuser -ConfigFilePath ./sshconfig.config
Example 6: Determine where generated keys and certificates will be stored.
Export-AzSshConfig -ResourceGroupName myRg -Name myVm -KeysDestinationFolder /home/user/mykeys -ConfigFilePath ./sshconfig.config
Generated keys and certificates are, by default, stored in the "az_ssh_config" directory in the same directory as the config file. The -KeysDestinationFolder parameter allows the user to decide where the keys will be stored.
Example 7: Create a generic config for use with any Azure VM.
Export-AzSshConfig -Ip * -ConfigFilePath ./sshconfig.config
Example 8: Provide the Resource Type of the target.
Export-AzSshConfig -ResourceGroupName myRg -Name myVm -ResourceType Microsoft.Compute/virtualMachines -ConfigFilePath ./sshconfig.config
This parameter is useful when there is more than one supported resource with the same name in the Resource Group.
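An added example (not from this cmdlet's documentation or the Az.Ssh module): a PowerShell check that parses an exported config and reports, for each Host entry, whether it is a wildcard pattern and whether the key and certificate files it references exist. `Get-SshConfigEntry`, the sample entries and their paths are constructed for illustration; it assumes the export references key material through the standard OpenSSH `IdentityFile` and `CertificateFile` keywords and that a `-Ip *` export is written as a wildcard Host pattern.

```powershell
# Added example; Get-SshConfigEntry is a hypothetical helper, not part of Az.Ssh.
function Get-SshConfigEntry {
    param([string[]]$Line)
    $entries = @()
    $current = $null
    foreach ($raw in $Line) {
        $text = $raw.Trim()
        if (-not $text -or $text.StartsWith('#')) { continue }
        # ssh_config lines are "Keyword value" or "Keyword=value".
        $keyword, $value = $text -split '[\s=]+', 2
        $value = "$value".Trim('"')
        if ($keyword -eq 'Host') {
            # A Host line starts a new entry; * and ? make it a pattern.
            $current = [pscustomobject]@{
                Host     = $value
                Wildcard = $value -match '[*?]'
                KeyFiles = @()
            }
            $entries += $current
        } elseif ($current -and $keyword -in 'IdentityFile', 'CertificateFile') {
            $current.KeyFiles += $value
        }
    }
    $entries
}

# Constructed sample (not real cmdlet output). The first alias follows the
# "{resource group name}-{resource name}" convention; the second is the
# wildcard entry assumed for an "-Ip *" export.
$sample = @'
Host myRg-myVm
    HostName 1.2.3.4
    IdentityFile "./az_ssh_config/example/id_rsa"
    CertificateFile "./az_ssh_config/example/id_rsa-cert.pub"
Host *
    IdentityFile "./az_ssh_config/example-any/id_rsa"
'@ -split "`r?`n"

# For a real export: Get-SshConfigEntry -Line (Get-Content ./sshconfig.config)
# Relative paths are resolved against the current location.
foreach ($e in Get-SshConfigEntry -Line $sample) {
    $missing = @($e.KeyFiles | Where-Object { -not (Test-Path -LiteralPath $_) })
    [pscustomobject]@{
        Host         = $e.Host
        Wildcard     = $e.Wildcard
        KeyFiles     = $e.KeyFiles.Count
        MissingFiles = $missing -join ', '
    }
}
# Connect with the alias once the files check out: ssh -F ./sshconfig.config myRg-myVm
```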
Parameters
-CertificateFile
SSH certificate to be used to authenticate to a local user account.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ConfigFilePath
Path to write SSH configuration to.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with Azure.
Type: | IAzureContextContainer |
Aliases: | AzContext, AzureRmContext, AzureCredential |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Force
When connecting to Arc resources, do not prompt for confirmation before updating the allowed port for SSH connection in the Connection Endpoint to match the target port or to install Az.Ssh.ArcProxy module from the PowerShell Gallery, if needed.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Ip
IP Address of target Azure VM.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-KeysDestinationFolder
Directory where generated keys and certificates will be stored.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-LocalUser
Username for a local user in the target resource.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Name
Name of the target Azure Resource.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Overwrite
Overwrite the config file instead of appending a new entry to the end of the file.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Port
Port to connect to on the remote host.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-PrivateKeyFile
Path to private key file.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-PublicKeyFile
Path to public key file.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ResourceGroupName
Resource group name.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-ResourceId
Resource ID of the target resource.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-ResourceType
Resource type of the target resource.
Type: | String |
Accepted values: | Microsoft.HybridCompute/machines, Microsoft.Compute/virtualMachines, Microsoft.ConnectedVMwarevSphere/virtualMachines, Microsoft.ScVmm/virtualMachines, Microsoft.AzureStackHCI/virtualMachines |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-UsePrivateIp
When connecting to an Azure VM, this flag specifies that it should connect to one of the private IPs of the VM. It requires connectivity to the private IP.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |