Differences
This shows you the differences between the selected revisions of the page.
guide_microsoft_azure 2016-12-06 | guide_microsoft_azure 2023-07-03 (current) | ||
Line 1: | Line 1: | ||
- | ====== Connecting Securely to Microsoft Azure Service with SFTP or FTPS ====== | + | ====== Connecting securely to Microsoft Azure service with SFTP or FTPS ====== |
With WinSCP you can easily upload and manage files on your Microsoft Azure instance/service over [[sftp|SFTP protocol]] or [[ftps|FTPS]] protocol. | With WinSCP you can easily upload and manage files on your Microsoft Azure instance/service over [[sftp|SFTP protocol]] or [[ftps|FTPS]] protocol. | ||
Line 8: | Line 8: | ||
===== [[linux]] Connecting to a Linux Virtual Machine with SFTP ===== | ===== [[linux]] Connecting to a Linux Virtual Machine with SFTP ===== | ||
- | First, collect information about your virtual machine instance. | + | First, collect information about your virtual machine instance, on the [[https://portal.azure.com/|Azure portal]]: |
- | + | ||
- | On the new Azure Portal portal.azure.com: | + | |
* Host name: | * Host name: | ||
- | * Use IP address you find in the //Public IP address// section in the //Essentials panel//; | + | * Use IP address you find in the //Public IP address// section on your virtual machine instance page; |
- | * Or setup a DNS name for the virtual machine by clicking on the //Public IP address// section. A //Configuration// page of the IP address opens. There, in the //%%DNS%% name label//, enter a sub domain for your virtual machine. Click //Save// button. A full hostname now appears in the //Public IP address/%%DNS%% name label// section in the //Essentials panel// in a format ''subdomain.location.cloudapp.azure.com''. | + | * Or setup a DNS name for the virtual machine by clicking on the //Configure// link in //%%DNS%% name// section. A //Configuration// panel opens. There, in the //%%DNS%% name label//, enter a sub domain for your virtual machine. Click //Save// button. A full hostname now appears in the //%%DNS%% name// section in a format ''subdomain.location.cloudapp.azure.com''. |
* Username: Use the username, that you created, when creating the virtual machine. | * Username: Use the username, that you created, when creating the virtual machine. | ||
- | * Host key fingerprint: On the first connect you will be prompted to [[ssh_verifying_the_host_key|verify server host key]]. | + | * Host key fingerprint: On the first connect you will be prompted to [[ssh_verifying_the_host_key|verify server host key]]. \\ To securely acquire a fingerprint of the host key: |
- | ···* You can locate key fingerprint in server's initial start log, when host keys are generated.((Using ''cloud-init'' script.)) Use the //Boot diagnostics// page and search for ''-----BEGIN %%SSH%% HOST KEY KEYS-----'': \\ <code>-----BEGIN SSH HOST KEY KEYS----- | + | ···* On your virtual machine instance page, use [[https://learn.microsoft.com/en-us/azure/virtual-machines/linux/run-command|//Run command// function]]. You will find it in the virtual machine menu, in //Operations// group. |
- | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOXBTK0rhHsOnu93hq/YsVBseEvu56WPkCwleBJb4QthaJ7j6Ih4O3dNJHkJ6xv8BxjeTNDoEnwOqJwHXbbmGWw= root@ubuntu | + | ···* Select //"RunShellScript"// command. |
- | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICv8CYlgCghyr1q+XdGJB560N9FuF4JY4ALHfkR/mktm root@ubuntu | + | * Paste the following command: <code bash>for f in /etc/<nohilite>ssh</nohilite>/ssh_host_*_key; do ssh-keygen -l -f "$f"; done</code> |
- | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqn2SnEPSysG2n/v3lzSTH/7GwpwhxIyRfp0wYRDu1cIizjyiD7m8GQI2R2OqBGnole/s5c1BkP9/QOTtLGZQVta5kCT8t6Ph7soe7ST8Ee7ok45648zEeKqf4tGfyFTlSJOtNWEh9qAlx79pL7rxC6QphWqYNFDPuTjPigwGsVhznTWry8OJZnJuSQCM07UDP+995yrJLqjZxY6StOMELILamcYO6XdoQvF/a1byVTQnbKO6Mdt8V+J+RY8ibNeYdAjfO1dQuUZIHwf8HiS5nD1+IzeiEH4V6Hr7uDCR+1V6rRj93x/NvPgM6T99urb5Br+GYZ4wVkAsZOTg3OFTT root@ubuntu | + | ····* You will get an output like: <code>256 SHA256:bKKCom8yh5gOuBNWaHHJ3rrnRXmCOAyPN/WximYEPAU /etc/ssh/ssh_host_ecdsa_key.pub (ECDSA) |
- | -----END SSH HOST KEY KEYS-----</code> \\ Alternatively use ''[[ps>resourcemanager/azurerm.compute/v2.3.0/get-azurermvmbootdiagnosticsdata|Get-AzureRmVMBootDiagnosticsData]]'' command. \\ Look for ECDSA key. The logged fingerprint of the key uses Base64-encoded SHA-256 hash of the key. While WinSCP uses hexadecimal-encoded MD5 hash of the key. To calculate the fingerprint in WinSCP format, execute this command in Windows PowerShell (after inserting the ''ssh-ed25519'' key): \\ <code powershell>Write-Host ([BitConverter]::ToString([Security.Cryptography.MD5]::Create().ComputeHash([Convert]::FromBase64String("AAAAC3NzaC1lZDI1NTE5AAAAICv8CYlgCghyr1q+XdGJB560N9FuF4JY4ALHfkR/mktm"))) -replace "-", ":").ToLower()</code> | + | 256 SHA256:IYeDl+gseYk46Acg4g2mcXGvCr7Z8FqOd+pCJz/KLHg /etc/ssh/ssh_host_ed25519_key.pub (ED25519) |
- | * If you did not save the fingerprint on the first virtual machine, but you have another Azure virtual machine that you can connect to safely (you know its fingerprints), you can connect to the target instance using private IP from the trusted instance. Staying within a private Azure network keeps you safe from [[wp>Man-in-the-middle_attack|man-in-the-middle attacks]]. When on the trusted instance terminal, you can use the following commands to collect fingerprints: \\ <code> | + | 2048 SHA256:rA0lIXvHqFq7VHKQCqHwjsj28kw+tO0g/X4KnPpEjMk root@myazurevm (RSA)</code> The set of key types will vary with your virtual machine image. |
- | $ ssh-keyscan <target_instance_private_ip> > azurekey | + | * When creating new virtual machine, prefer setting up public key authentication by pasting your public key to //%%SSH%% public key// box in the //Basics// step in the //Administrator account// section. If you want to setup public key authentication later, you have to [[guide_public_key|set it up manually]]. |
- | $ ssh-keygen -l -f azurekey -E md5 | + | |
- | 2048 MD5:51:3b:ea:96:3d:3c:80:25:ae:b1:9c:a8:4c:76:82:09 <private_ip> (RSA) | + | |
- | 256 MD5:e5:27:88:a8:bc:f0:64:bb:3a:e7:71:e6:4d:a1:40:ed <private_ip> (ECDSA) | + | |
- | 256 MD5:cf:35:d4:78:43:48:26:bf:dc:96:f4:63:8e:ee:35:5b <private_ip> (ED25519) | + | |
- | </code> | + | |
- | * If you do not have another trusted instance, you can create new temporary instance, just for the purpose of collecting the keys. First find keys for the new temporary instance, using its initial start log. Then collect keys of the target instance by connecting to it from the temporary instance. After that you can discard the temporary instance. | + | |
- | * When creating new virtual machine, consider setting up public key authentication by pasting your public key to //%%SSH%% public key// box of the //Configure basic settings// steps. If you want to setup public key authentication later, you have to [[guide_public_key|set it up manually]]. | + | |
- | + | ||
- | On the old Azure Management Portal manage.windowsazure.com: | + | |
- | + | ||
- | * Host name: //DNS name// section on a //Quick glance// sidebar. Host name has a form ''name.cloudapp.net''. | + | |
- | * Username: Use username ''azureuser''. | + | |
- | * Host key fingerprint: //%%SSH%% Certificate Thumbprint// section. The thumbprint as shown on dashboard uses a slightly different format than a fingerprint used by WinSCP. Particularly the thumbprint does not include key type and size in the front and lacks colon separators. I.e. WinSCP's fingerprint ''ssh-rsa 2048 aa:bb:cc...'' is equivalent to dashboard thumbprint ''aabbcc...''. | + | |
- | * Consider [[https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-linux-mac-create-ssh-keys|setting up public key authentication]]. | + | |
To connect to a virtual machine instance with SFTP, start WinSCP. [[ui_login|Login dialog]] will appear. On the dialog: | To connect to a virtual machine instance with SFTP, start WinSCP. [[ui_login|Login dialog]] will appear. On the dialog: | ||
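Review bot: the new //Host key fingerprint// bullet shows `ssh-keygen -l` output in SHA-256 form but no longer says which form WinSCP's host key prompt displays; the removed text explicitly said WinSCP uses a hexadecimal MD5 hash and gave a conversion. Either state that the WinSCP prompt shows the same `SHA256:` form so the reader knows the two values are directly comparable, or mention adding `-E md5` to the `ssh-keygen -l -f "$f"` call for readers whose WinSCP version still shows MD5. It would also help to keep one sentence of the rationale that the removed private-network paragraph carried: the fingerprint is trustworthy because //Run command// executes inside the virtual machine through the Azure portal rather than over the not-yet-verified SSH connection.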
Line 61: | Line 45: | ||
* On the //New site// node, select //FTP// protocol and //TLS/SSL Explicit encryption//. | * On the //New site// node, select //FTP// protocol and //TLS/SSL Explicit encryption//. | ||
* In //Host name// box enter an address of your virtual machine: | * In //Host name// box enter an address of your virtual machine: | ||
- | * For the new Azure Portal portal.azure.com: | + | * Use IP address you find in the //Public IP address// section on your virtual machine instance page on the [[https://portal.azure.com/|Azure portal]]. |
- | ······* Use IP address you find in the //Public IP address// section in the //Essentials panel//; | + | ···* Or setup a DNS name for the virtual machine by clicking on the //Configure// link in //%%DNS%% name// section. A //Configuration// panel opens. There, in the //%%DNS%% name label//, enter a sub domain for your virtual machine. Click //Save// button. A full hostname now appears in the //%%DNS%% name// section in a format ''subdomain.location.cloudapp.azure.com''. |
- | ·····* Or setup a DNS name for the virtual machine by clicking on the //Public IP address// section. A //Configuration// page of the IP address opens. There, in the //%%DNS%% name label//, enter a sub domain for your virtual machine. Click //Save// button. A full hostname now appears in the //Public IP address/%%DNS%% name label// section in the //Essentials panel// in a format ''subdomain.location.cloudapp.azure.com''. | + | |
- | * On the old Azure Management Portal manage.windowsazure.com: Use hostname in format ''name.cloudapp.net''. You will find it in //DNS Name// section on //Quick glance// sidebar of your virtual machine dashboard. | + | |
* Enter username and password of an account you want to connect with. Use the account you have specified when creating the instance or any other account you have created on the instance. | * Enter username and password of an account you want to connect with. Use the account you have specified when creating the instance or any other account you have created on the instance. | ||
* Save your site settings using the //Save// button. | * Save your site settings using the //Save// button. | ||
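Review bot: the two //Host name// sub-bullets in the new revision appear at different nesting levels: `* Use IP address you find in the //Public IP address// section ...` shows no leading indentation while `···* Or setup a DNS name ...` shows three, so the first will render as a sibling of "In //Host name// box enter an address" instead of one of its alternatives. Indent both the same way (the old revision also had them at 6 and 5 spaces, so this is a good moment to make them match), as they are in the SFTP section above.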
Line 72: | Line 54: | ||
&screenshotpict(azure_windows) | &screenshotpict(azure_windows) | ||
- | ===== [[website]] Connecting to a Web Site with FTPS ===== | + | ===== [[appservice]] Connecting to an App Service (Web Site) with FTPS ===== |
- | First, collect information about your web site. | + | First, collect information about your app service (previously web site), on the [[https://portal.azure.com/|Azure portal]]: |
- | On the new Azure Portal portal.azure.com: | + | ··* Host name: Copy host name from //FTPS hostname// section on the //Overview// page. |
- | + | * User Name: Copy username from the //FTP/deployment username// section on the //Overview// page. If you did not set up an %%FTP%% account yet, goto //Deployment Center// page and select //FTP// in //Manual Deployment// section and switch to //User Credentials// tab. User name has a form ''name\user''. You need to use both parts when authenticating. | |
- | ··* Host name: Copy host name from //FTPS hostname// section on the //Essentials// panel. | + | |
- | * User Name: Copy username from the //FTP/deployment username// section on the //Essentials// panel. If you did not set up an %%FTP%% account yet, use //Deployment credentials// page. User name has a form ''name\user''. You need to use both parts when authenticating. | + | |
- | + | ||
- | On the old Azure Management Portal manage.windowsazure.com: | + | |
- | + | ||
- | * Host name: Copy host name from //FTPS host name// section on a //Quick glance// sidebar. | + | |
- | * User Name: See //Deployment / FTP user// section. If you did not set up an %%FTP%% account yet, use //Set up deployment credentials// link. User name has a form ''name\user''. You need to use both parts when authenticating. | + | |
To connect to the web site with %%FTPS%%, start WinSCP. [[ui_login|Login dialog]] will appear. On the dialog: | To connect to the web site with %%FTPS%%, start WinSCP. [[ui_login|Login dialog]] will appear. On the dialog: | ||
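Review bot: in the //User Name// bullet, "goto //Deployment Center// page" should be "go to //Deployment Center// page". For consistency with the SFTP section, which uses "Username", consider the same spelling here. The sentence "You need to use both parts when authenticating" is the important security-relevant detail for the ''name\user'' form and reads well; keep it.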
Line 98: | Line 73: | ||
&screenshotpict(azure_website) | &screenshotpict(azure_website) | ||
- | ==== Using Host Name Link ==== | + | ==== Automating Access to the App Service ==== |
- | + | ||
- | Instead of copying web site URLs from dashboard to WinSCP, you can also directly click on the link to open the session in WinSCP. After entering your credentials and opening session, go to //Session > Save Session as Site// to save your opened site for future use. | + | |
- | + | ||
- | ==== Automating Access to the WebSite ==== | + | |
- | See example for [[guide_microsoft_azure_webjob_sftp#deploying_auto|automating update of a WebJob on the WebSite]]. | + | See example for [[guide_microsoft_azure_webjob_sftp#deploying_auto|automating update of a WebJob on an App Service/Web Site]]. |
===== Further reading ===== | ===== Further reading ===== |