Differences
This shows you the differences between the selected revisions of the page.
| guide_microsoft_azure 2019-03-27 | guide_microsoft_azure 2023-07-03 (current) | ||
| Line 1: | Line 1: | ||
| - | ====== Connecting Securely to Microsoft Azure Service with SFTP or FTPS ====== | + | ====== Connecting securely to Microsoft Azure service with SFTP or FTPS ====== |
| With WinSCP you can easily upload and manage files on your Microsoft Azure instance/service over [[sftp|SFTP protocol]] or [[ftps|FTPS]] protocol. | With WinSCP you can easily upload and manage files on your Microsoft Azure instance/service over [[sftp|SFTP protocol]] or [[ftps|FTPS]] protocol. | ||
| Line 11: | Line 11: | ||
| * Host name: | * Host name: | ||
| - | * Use IP address you find in the //Public IP address// section on your virtual machine instance page·; | + | * Use IP address you find in the //Public IP address// section on your virtual machine instance page; |
| * Or setup a DNS name for the virtual machine by clicking on the //Configure// link in //%%DNS%% name// section. A //Configuration// panel opens. There, in the //%%DNS%% name label//, enter a sub domain for your virtual machine. Click //Save// button. A full hostname now appears in the //%%DNS%% name// section in a format ''subdomain.location.cloudapp.azure.com''. | * Or setup a DNS name for the virtual machine by clicking on the //Configure// link in //%%DNS%% name// section. A //Configuration// panel opens. There, in the //%%DNS%% name label//, enter a sub domain for your virtual machine. Click //Save// button. A full hostname now appears in the //%%DNS%% name// section in a format ''subdomain.location.cloudapp.azure.com''. | ||
| * Username: Use the username, that you created, when creating the virtual machine. | * Username: Use the username, that you created, when creating the virtual machine. | ||
| - | * Host key fingerprint: On the first connect you will be prompted to [[ssh_verifying_the_host_key|verify server host key]]. | + | * Host key fingerprint: On the first connect you will be prompted to [[ssh_verifying_the_host_key|verify server host key]]. \\ To securely acquire a fingerprint of the host key: |
| - | ···* You can locate key fingerprint in server's initial start log, when host keys are generated.((Using ''cloud-init'' script.)) Go to the //Boot diagnostics// page and switch to //Serial log// tab. Alternatively use ''[[ps>azurerm.compute/get-azurermvmbootdiagnosticsdata|Get-AzureRmVMBootDiagnosticsData]]'' command. | + | ···* On your virtual machine instance page, use [[https://learn.microsoft.com/en-us/azure/virtual-machines/linux/run-command|//Run command// function]]. You will find it in the virtual machine menu, in //Operations// group. |
| - | * //With the recent versions of WinSCP (easier)//: &recent Search for ''-----BEGIN %%SSH%% HOST KEY FINGERPRINTS-----'': \\ <code>-----BEGIN SSH HOST KEY FINGERPRINTS----- | + | ···* Select //"RunShellScript"// command. |
| - | 1024 SHA256:dM0cbKRU1sxYVRTFW8P9/leLzuPndr7Z/fRpiIXBBT8 root@winscpubuntu (DSA) | + | * Paste the following command: <code bash>for f in /etc/<nohilite>ssh</nohilite>/ssh_host_*_key; do ssh-keygen -l -f "$f"; done</code> |
| - | 256 SHA256:eq62XW/s39mrDw8XMNfNsSRUjbK4VhqCRBQeE4tF2WA root@winscpubuntu (ECDSA) | + | * You will get an output like: <code>256 SHA256:bKKCom8yh5gOuBNWaHHJ3rrnRXmCOAyPN/WximYEPAU /etc/ssh/ssh_host_ecdsa_key.pub (ECDSA) |
| - | 256 SHA256:J/9cttqvRWzmwc0Fyk26qIVsCuRo57phWj3xB3dGmLY root@winscpubuntu (ED25519) | + | 256 SHA256:IYeDl+gseYk46Acg4g2mcXGvCr7Z8FqOd+pCJz/KLHg /etc/ssh/ssh_host_ed25519_key.pub (ED25519) |
| - | 2048 SHA256:xd2ZT5TE/koVle4Gg8UoB2F4tA+SIL/06H98NXV2/+I root@winscpubuntu (RSA) | + | 2048 SHA256:rA0lIXvHqFq7VHKQCqHwjsj28kw+tO0g/X4KnPpEjMk root@myazurevm (RSA)</code> The set of key types will vary with your virtual machine image. |
| - | -----END SSH HOST KEY FINGERPRINTS-----</code> Keep fingerprint for ''ED25519'' key.· | + | * When creating new virtual machine, prefer setting up public key authentication by pasting your public key to //%%SSH%% public key// box in the //Basics// step in the //Administrator account// section. If you want to setup public key authentication later, you have to [[guide_public_key|set it up manually]]. |
| - | * //With older versions of WinSCP//: Search for ''-----BEGIN %%SSH%% HOST KEY KEYS-----'': \\ <code>-----BEGIN SSH HOST KEY KEYS----- | + | |
| - | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOXBTK0rhHsOnu93hq/YsVBseEvu56WPkCwleBJb4QthaJ7j6Ih4O3dNJHkJ6xv8BxjeTNDoEnwOqJwHXbbmGWw= root@ubuntu | + | |
| - | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICv8CYlgCghyr1q+XdGJB560N9FuF4JY4ALHfkR/mktm root@ubuntu | + | |
| - | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqn2SnEPSysG2n/v3lzSTH/7GwpwhxIyRfp0wYRDu1cIizjyiD7m8GQI2R2OqBGnole/s5c1BkP9/QOTtLGZQVta5kCT8t6Ph7soe7ST8Ee7ok45648zEeKqf4tGfyFTlSJOtNWEh9qAlx79pL7rxC6QphWqYNFDPuTjPigwGsVhznTWry8OJZnJuSQCM07UDP+995yrJLqjZxY6StOMELILamcYO6XdoQvF/a1byVTQnbKO6Mdt8V+J+RY8ibNeYdAjfO1dQuUZIHwf8HiS5nD1+IzeiEH4V6Hr7uDCR+1V6rRj93x/NvPgM6T99urb5Br+GYZ4wVkAsZOTg3OFTT root@ubuntu | + | |
| - | -----END SSH HOST KEY KEYS-----</code> Look for ''ssh-ed25519'' key. The key is logged in Base64 encoding. To calculate MD5 fingerprint (the only format supported by the stable version of WinSCP), execute this command in Windows PowerShell (after inserting the ''ssh-ed25519'' key): \\ <code powershell>Write-Host ([BitConverter]::ToString([Security.Cryptography.MD5]::Create().ComputeHash([Convert]::FromBase64String("AAAAC3NzaC1lZDI1NTE5AAAAICv8CYlgCghyr1q+XdGJB560N9FuF4JY4ALHfkR/mktm"))) -replace "-", ":";).ToLower()</code> | + | |
| - | * If you did not save the fingerprint on the first virtual machine, but you have another Azure virtual machine that you can connect to safely (you know its fingerprints), you can connect to the target instance using private IP from the trusted instance. Staying within a private Azure network keeps you safe from [[wp>Man-in-the-middle_attack|man-in-the-middle attacks]]. When on the trusted instance terminal, you can use the following commands to collect fingerprints: \\ <code> | + | |
| - | $ ssh-keyscan <target_instance_private_ip> > azurekey | + | |
| - | $ ssh-keygen -l -f azurekey -E md5 | + | |
| - | 2048 MD5:51:3b:ea:96:3d:3c:80:25:ae:b1:9c:a8:4c:76:82:09 <private_ip> (RSA) | + | |
| - | 256 MD5:e5:27:88:a8:bc:f0:64:bb:3a:e7:71:e6:4d:a1:40:ed <private_ip> (ECDSA) | + | |
| - | 256 MD5:cf:35:d4:78:43:48:26:bf:dc:96:f4:63:8e:ee:35:5b <private_ip> (ED25519) | + | |
| - | </code> //With recent versions of WinSCP,// you can remove the ''-E md5'' to display SHA-256 fingerprints. &recent | + | |
| - | * If you do not have another trusted instance, you can create new temporary instance, just for the purpose of collecting the keys. First find keys for the new temporary instance, using its initial start log. Then collect keys of the target instance by connecting to it from the temporary instance. After that you can discard the temporary instance. | + | |
| - | * When creating new virtual machine, consider setting up public key authentication by pasting your public key to //%%SSH%% public key// box of the //Configure basic settings// steps. If you want to setup public key authentication later, you have to [[guide_public_key|set it up manually]]. | + | |
| To connect to a virtual machine instance with SFTP, start WinSCP. [[ui_login|Login dialog]] will appear. On the dialog: | To connect to a virtual machine instance with SFTP, start WinSCP. [[ui_login|Login dialog]] will appear. On the dialog: | ||
| Line 68: | Line 54: | ||
| &screenshotpict(azure_windows) | &screenshotpict(azure_windows) | ||
| - | ===== [[website]] Connecting to a Web Site with FTPS ===== | + | ===== [[appservice]] Connecting to an App Service (Web Site) with FTPS ===== |
| - | First, collect information about your web site, on the [[https://portal.azure.com/|Azure portal]]: | + | First, collect information about your app service (previously web site), on the [[https://portal.azure.com/|Azure portal]]: |
| - | * Host name: Copy host name from //FTPS hostname// section on the //Essentials// panel. | + | * Host name: Copy host name from //FTPS hostname// section on the //Overview// page. |
| - | * User Name: Copy username from the //FTP/deployment username// section on the //Essentials// panel. If you did not set up an %%FTP%% account yet, use //Deployment credentials// page. User name has a form ''name\user''. You need to use both parts when authenticating. | + | * User Name: Copy username from the //FTP/deployment username// section on the //Overview// page. If you did not set up an %%FTP%% account yet, goto //Deployment Center// page and select //FTP// in //Manual Deployment// section and switch to //User Credentials// tab. User name has a form ''name\user''. You need to use both parts when authenticating. |
| To connect to the web site with %%FTPS%%, start WinSCP. [[ui_login|Login dialog]] will appear. On the dialog: | To connect to the web site with %%FTPS%%, start WinSCP. [[ui_login|Login dialog]] will appear. On the dialog: | ||
| Line 87: | Line 73: | ||
| &screenshotpict(azure_website) | &screenshotpict(azure_website) | ||
| + | ==== Automating Access to the App Service ==== | ||
| - | + | See example for [[guide_microsoft_azure_webjob_sftp#deploying_auto|automating update of a WebJob on an App Service/Web Site]]. | |
| - | ==== Automating Access to the WebSite ==== | + | |
| - | + | ||
| - | See example for [[guide_microsoft_azure_webjob_sftp#deploying_auto|automating update of a WebJob on the WebSite]]. | + | |
| ===== Further reading ===== | ===== Further reading ===== | ||