次の方法で共有


Command Line Access to Azure VMs – SSH

In a previous post I showed how to configure a service to allow for remote access using PowerShell Remoting. Another way of achieving the same goal is to use SSH.

SSH is capable of more than just remote access – copying files and tunneling are a few of the extra features. I’ll show how to get a SSH daemon working and how to connect to it for a remote session. I haven’t tested other features, let me know if you try anything else.

Cygwin

There are many SSH servers available for Windows. I will use the OpenSSH from Cygwin in this post.

The first task is to install Cygwin. It’s better to install it locally and package Cygwin in the Azure deployment package or create a zip file of the local installation and upload it to your Azure Storage account. The only extra package required is “openssh”.

Role Configuration

There are a few steps to configure a role to run the SSH service. I’ll describe only the main ones here, refer to the sample project at the bottom of the post for a complete working example.

1. Endpoint

The default SSH port is 22 hence the role must define the following endpoint:

   <Endpoints>
    <InputEndpoint name="SSH" protocol="tcp" port="22" localPort="22" />
  </Endpoints>

2. Create a user

You need an account to log in via SSH. Since this account will also be used to run the SSH Windows Service it must be in the Administrators Group.

   net user <username> <password> /add
  net localgroup Administrators <username> /add

3. Grant Privileges

The user account you created must have the required privileges to be used by a Windows Service. I used ntright.exe[2] for granting the SeServiceLogonRight privilege.

4. Fix Unix File Permissions

Because Cygwin was copied to the VM instead of installed the Unix permissions for a few critical files must be fixed. This must be done from within Cygwin via a script.

5. Add the New User to Cygwin

The user account you previously created must be added to the Cygwin users list. Once again this must be done from the Cygwin environment.

6. Create and Start the Service

Cygwin includes a script to configure SSH as a Windows Service - ssh-host-config. After running this script a new service will be available and can be started the regular way or using the cygrunsrv command from Cygwin. These commands must be run using the account created in step 2 [1].

Remote Access

With the SSH enabled service deployed it’s time to connect to it. Using PuTTY simply enter the DNS name of your deployment in the Host Name field:

And if you want to avoid being disconnected because of timeouts you can set PuTTY to keep a heartbeat using any value under 60 seconds:

Then opening a connection will get you access to the VM:

SSH will actually allow you to connect to a service with multiple instances. You will not be able to specify the exact instance though, every new connection will be established to any one of the instances in the service.

Sample Project

This project creates a service with SSH enabled. It expects to find a zip file called cygwin.zip in your storage account. The zip file should contain the Cygwin install directory (e.g. C:\Cygwin).

Before you publish the project you must edit the EnableSSH.cmd and startSSH.sh files and enter the new username and password at the top of both files. There was no easy way to share that information between the Windows batch and the Shell script so it must be entered twice. You must also edit the DownloadBlob.ps1 file and enter your storage account information in the second to last line. You will also need to enter the container name in the same line.

References

  1. Running Azure startup tasks as a real user
  2. Windows Server 2003 Resource Kit Tools

Comments

  • Anonymous
    September 11, 2011
    i try and could not get to work. can you provide detail step

  • Anonymous
    February 01, 2012
    The comment has been removed

  • Anonymous
    February 03, 2012
    Since you can't connect locally I would suspect your SSHd install, you might want to run it locally on your desktop first. Another thought is to confirm the password you are using for the SSH user conforms with the complexity requirements. The remote user won't be created otherwise.

  • Anonymous
    October 22, 2014
    We were looking for a free ssh server for Windows so we could use Packer and Chef Solo to bake new machine images. We tried FreeSSHD but it does not work on Windows Server 2012 R2. It is no longer being maintained. We used OpenSSH downloaded from this site: www.mls-software.com/opensshd.html. Follow the notes for using sshd with public key exchange that is in the side bar. In particular note the following:

  1. With setupssh-6.7p1-1.exe we only needed to change StrictModes no in etcsshd_config
  2. OpenSSH service must be run as Administrator (the user intending to logon. As this was for configuration we used Administrator)
  3. Place the public key in c:usersadministrator.sshauthorized_keys
  4. When you ssh in, use case sensitive user name and explicitly specify the key file unless you used id_rsa for the private key. ssh 12.34.56.78 -l Administrator -i my-keypair.pem