Over a million developers have joined DZone.
Platinum Partner

Generating SSH key pair for Linux VM deployment on Windows Azure

· Cloud Zone

The Cloud Zone is brought to you in partnership with Mendix. Better understand the aPaaS landscape and how the right platform can accelerate your software delivery cadence and capacity with the Gartner 2015 Magic Quadrant for Enterprise Application Platform as a Service.

Linux deployment on Windows Azure requires PEM or DER encoded x509 public key at the provisioning time to enable authenticated remote login through SSH. This  post is complimentary to http://www.windowsazure.com/en-us/manage/linux/how-to-guides/ssh-into-linux/ and encapsulates key generation into a simple shell script on both Linux and Windows.

In this write up, we will generate a self-signed public/private kley pair for the purpose of testing using openssl to be used during the provisioning of Linux VM. The generated private key can be used to connect to Linux using ssh command from within Linux or use Putty.exe as SSH client in either Linux or Windows.

In this write up, “Linux” and “Ubuntu” are used interchangeably; Ubuntu 11.10 was used to test this process. Here are the detailed steps for generating Windows Azure compatible SSH key pair on Ubuntu and Windows:

Linux (Ubuntu)

On a local Linux machine, install openssl if not already present using the following command:
apt-get install openssl 

The above command should bring openssl to the latest version. The key generation process described here has been tested with OpenSSL 1.0.1c.

Verify the installed version by executing the shell command:
openssl version –v
The following is the bash script for key pair generation; let us save this into a file named gensshkey.sh:


#first argument will be used as the key prefix
#second argument is optional and if given will be used as a pass #phrase for DES3 protection of the private key
case $# in
  openssl req -x509  -days 365 -newkey rsa:2048 -keyout $1sshpvt.pem -out $1pub.pem -nodes
  openssl rsa -in $1sshpvt.pem -out $1pvt.pem
  openssl req -x509  -days 365 -newkey rsa:2048 -keyout $1sshpvt.pem -out $1pub.pem -passout pass:$2
  openssl rsa -in $1sshpvt.pem -passin pass:$2 -out $1pvt.pem -des3 -passout pass:$2
  echo "Usage for unprotected private key: gensshkey.sh <key_prefix>"
  echo "Example: gensshkey.sh \"db\""
  echo "Usage for password protected private key: gensshkey.sh <key_prefix> <pass phrase>"
  echo "Example: gensshkey.sh db pass@word1"
echo "generated $1sshpvt.pem, $1pub.pem and $1pvt.pem"
gensshkey.sh takes two command line arguments: key prefix and password as shown below:
gensshkey.sh db pass@word1 

Execution of the openssl command through the above script will prompt for geo and personal information for which defaults can be accepted. The values you supply will not impact the integrity of the keys in anyway. This will generate dbsshkey.pem, dbpvt.pem and dbpub.pem with the private key DES3 encrypted with pass phrase “pass@word1”.

gensshkey.sh can also be used to generate a clear text private key (not recommended for real production use) by leaving out the pass phrase as shown below:

gensshkey.sh db 

dbsshkey.pem generated above can be used with ssh command from within the local Linux box. But first, we need to restrict the permissions to this key file; otherwise ssh will complain that the key is too open. Following is the command sequence:

chmod 600 dhsshkey.pem
ssh -i dbsshkey.pem -p <ssh_port> <machine_name.cloudapp.net

If you prefer putty.exe as a SSH client, use dbpvt.pem to convert it into .PPK format (from the “Conversions –> Import Key –> Save Private Key menu sequence in the tool bar) using puttygen.exe and use the .ppk file with putty.exe to authenticate the client. Usage of puttygen.exe is documented here: http://www.windowsazure.com/en-us/manag e/linux/how-to-guides/ssh-into-linux/.

Linux VM provisioning process is documented at: http://www.windowsazure.com/en-us/manage/linux/tutorials/virtual-machine-from-gallery/. During the step 4 of the provisioning process shown at the above page, check “SECURE USING SSH KEY” and provide the public key file (eg. dbpub.pem generated above) so that the provisioning engine can inject public key into the .ssh/authorized_keys folder.

Windows Server 2008 R2/Windows 7

If you are planning to use generate SSH keys on a Windows client (this was tested on Windows Server 2008 R2; it should work on Windows 7 as well) and use putty.exe on Windows to SSH into an Azure hosted Linux box, here is a simple shell script to help with the keys.

Windows binaries of the openssl can be obtained from http://www.openssl.org/related/binaries.html. The following batch file simplifies the usage of openssl which we will save it as gensshkey_win.cmd.


@echo off
if "%1" == "" goto error
if "%2" == "" goto nodes
openssl req -x509 -config C:\OpenSSL-Win64\bin\openssl.cfg -days 365 -newkey rsa:2048 -keyout %1sshkey.pem -out %1pub.pem -passout pass:%2
openssl rsa -in %1sshkey.pem -passin pass:%2 -out %1pvt.pem -des3 -passout pass:%2
echo "generated" %1sshkey.pem, %1pub.pem and %1pvt.pem
goto eof

openssl req -x509 -config C:\OpenSSL-Win64\bin\openssl.cfg -days 365 -newkey rsa:2048 -keyout %1sshkey.pem -out %1pub.pem -nodes
openssl rsa -in %1sshkey.pem -out %1pvt.pem
echo "generated" %1sshkey.pem, %1pub.pem and %1pvt.pem
goto eof

echo "usage: gensshkey_win <key prefix> <optional pass phrase>"
echo "key prefix used to prefix the generated files; use a prefix that represent your key usage"
echo "example: gensshkey_win db pass@word1
echo "example: gensshkey_win db


 Execute the following command to generate a pass phrase protected key pair:

gensshkey_win.cmd db pass@word1 

Execution of the openssl through the above command will prompt for geo and personal information as mentioned previously; just hit ENTER if you are ok with the defaults.

This will generate dbsshkey.pem, dbpvt.pem and dbpub.pem with the private key DES3 encrypted with pass phrase “pass@word1” similar to the openssl process on Linux.

For clear text private key, invoke the above shell script with just the prefix as shown below.

gensshkey_win.cmd db

dbsshkey.pem thus generated can be used from within Linux to connect to other Linux instances using ssh command. dbpvt.pem can be used to convert it to .PPK format through puttygen.exe for using  putty.exe usage as the SSH client on Windows and Linux.

For more Linux on Windows Azure related information visit: http://www.windowsazure.com/en-us/manage/linux/.

The Cloud Zone is brought to you in partnership with Mendix. Discover how Mendix for Mobile App Deveopment makes it incredibly fast and easy for any developer to build engaging multi-channel apps.


Published at DZone with permission of Hanu Kommalapati , DZone MVB .

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}