Azure Citadel
  • Blogs
  • ARM
  • Azure Arc
    • Overview
    • Azure Arc-enabled Servers
      • Prereqs
      • Scenario
      • Hack Overview
      • Azure Landing Zone
      • Arc Pilot resource group
      • Azure Monitoring Agent
      • Additional policy assignments
      • Access your on prem VMs
      • Create onboarding scripts
      • Onboarding using scripts
      • Inventory
      • Monitoring
      • SSH
      • Windows Admin Center
      • Governance
      • Custom Script Extension
      • Key Vault Extension
      • Managed Identity
    • Azure Arc-enabled Kubernetes
      • Prereqs
      • Background
      • Deploy Cluster
      • Connect to Arc
      • Enable GitOps
      • Deploy Application
      • Enable Azure AD
      • Enforce Policy
      • Enable Monitoring
      • Enable Azure Defender
      • Enable Data Services
      • Enable Application Delivery
    • Useful Links
  • Azure CLI
    • Install
    • Get started
    • JMESPATH queries
    • Integrate with Bash
  • Azure Landing Zones
    • Prereqs
    • Day 1
      • Azure Baristas
      • Day 1 Challenge
    • Day 2
      • Example
      • Day 2 Challenge
    • Day 3
      • Day 3 Challenge
    • Useful Links
  • Azure Lighthouse
    • Minimal Lighthouse definition
    • Using service principals
    • Privileged Identity Management
  • Azure Policy
    • Azure Policy Basics
      • Policy Basics in the Azure Portal
      • Creating Policy via the CLI
      • Deploy If Not Exists
      • Management Groups and Initiatives
    • Creating Custom Policies
      • Customer scenario
      • Policy Aliases
      • Determine the logic
      • Create the custom policy
      • Define, assign and test
  • Azure Stack HCI
    • Overview
    • Useful Links
    • Updates from Microsoft Ignite 2022
  • Marketplace
    • Introduction
      • Terminology
      • Offer Types
    • Partner Center
    • Offer Type
    • Publish a VM Offer HOL
      • Getting Started
      • Create VM Image
      • Test VM Image
      • VM Offer with SIG
      • VM Offer with SAS
      • Publish Offer
    • Other VM Resources
    • Publish a Solution Template HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Publish a Managed App HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Managed Apps with AKS HOL
    • Other Managed App Resources
    • SaaS Offer HOLs
    • SaaS Offer Video Series
      • Video 1 - SaaS Offer Overview
      • Video 2 - Purchasing a SaaS Offer
      • Video 3 - Purchasing a Private SaaS Plan
      • Video 4 - Publishing a SaaS Offer
      • Video 5 - Publishing a Private SaaS Plan
      • Video 6 - SaaS Offer Technical Overview
      • Video 7 - Azure AD Application Registrations
      • Video 8 - Using the SaaS Offer REST Fulfillment API
      • Video 9 - The SaaS Client Library for .NET
      • Video 10 - Building a Simple SaaS Landing Page in .NET
      • Video 11 - Building a Simple SaaS Publisher Portal in .NET
      • Video 12 - SaaS Webhook Overview
      • Video 13 - Implementing a Simple SaaS Webhook in .NET
      • Video 14 - Securing a Simple SaaS Webhook in .NET
      • Video 15 - SaaS Metered Billing Overview
      • Video 16 - The SaaS Metered Billing API with REST
  • Microsoft Fabric
    • Theory
    • Prereqs
    • Fabric Capacity
    • Set up a Remote State
    • Create a repo from a GitHub template
    • Configure an app reg for development
    • Initial Terraform workflow
    • Expanding your config
    • Configure a workload identity
    • GitHub Actions for Microsoft Fabric
    • GitLab pipeline for Microsoft Fabric
  • Packer & Ansible
    • Packer
    • Ansible
    • Dynamic Inventories
    • Playbooks & Roles
    • Custom Roles
    • Shared Image Gallery
  • Partner Admin Link
    • Understanding PAL
    • User IDs & PAL
    • Service principals & PAL
    • CI/CD pipelines & PAL
    • Creating a dedicated PAL service principal
    • Azure Lighthouse & PAL
    • PAL FAQ
  • REST API
    • REST API theory
    • Using az rest
  • Setup
  • Terraform
    • Fundamentals
      • Initialise
      • Format
      • Validate
      • Plan
      • Apply
      • Adding resources
      • Locals and outputs
      • Managing state
      • Importing resources
      • Destroy
    • Working Environments for Terraform
      • Cloud Shell
      • macOS
      • Windows with PowerShell
      • Windows with Ubuntu in WSL2
    • Using AzAPI
      • Using the REST API
      • azapi_resource
      • Removing azapi_resource
      • azapi_update_resource
      • Data sources and outputs
      • Removing azapi_update_resource
  • Virtual Machines
    • Azure Bastion with native tools & AAD
    • Managed Identities
  • About
  • Archive
  1. Home
  2. Azure Arc
  3. Azure Arc-enabled Servers
  4. Proctor guides
  5. SSH

Table of Contents

  • Linux
    • Host setup
    • Create the endpoint
    • Local ID
    • AAD auth
  • Stretch

SSH

Configure SSH for your Azure Arc-enabled Servers.

Table of Contents

  • Linux
    • Host setup
    • Create the endpoint
    • Local ID
    • AAD auth
  • Stretch

Linux

Host setup

  1. Log onto each host

    E.g.

    ssh onpremadmin@onprem-193a18cb-ubuntu-01.northeurope.cloudapp.azure.com -i ~/.ssh/citadel

  2. Install aadsshlogin (optional)

    Can login on with local ID without this by the way.

    sudo apt update && sudo apt install aadsshlogin

    Will add a custom policy to install the extension.

  3. Add port 22 to incoming connections list

    sudo azcmagent config set incomingconnections.ports 22

  4. Exit

    exit

Create the endpoint

  1. Variables

    vm=ubuntu-01

    vmId=$(az connectedmachine show --name $vm --resource-group arc_pilot --query id --output tsv)

  2. Create the endpoint

    az rest --method \
  put --uri $vmId/providers/Microsoft.HybridConnectivity/endpoints/default?api-version=2021-10-06-preview \
  --body '{"properties": {"type": "default"}}'

Local ID

  1. Connect with local

    az ssh arc --local-user onpremadmin --resource-group arc_pilot --name ubuntu-01 --private-key-file ~/.ssh/citadel

    Expected prompt: onpremadmin@ubuntu-01:~$.

    Set the private key file to the right one.

AAD auth

  1. RBAC assignment

    Need either of these on the Arc VM

    • Virtual Machine Administrator Login
    • Virtual Machine User Login

  2. Connect with AAD

    az ssh arc --resource-group arc_pilot --name ubuntu-01

    Expected prompt: richeney@azurecitadel.com@ubuntu-01:~$

Stretch

Follow the Code Tunnels as a bonus.

  1. Install & configure

    wget https://code.visualstudio.com/sha/download?build=stable\&os=cli-alpine-x64 -O /tmp/code.tar.gz
sudo tar -zxvf /tmp/code.tar.gz -C /usr/local/bin && rm /tmp/code.tar.gz
code tunnel --name $(hostname) --accept-server-license-terms

If they ask, we can delete the public IP, or remove them from the array of permitted source IP addresses.

Source: https://www.azurecitadel.com/arc/servers/ssh/proctor/
Printed:
Monitoring SSH Windows Admin Center