diff --git a/src/Accounts/Accounts/ChangeLog.md b/src/Accounts/Accounts/ChangeLog.md
index ff2232cc7ce7..56556e53a96a 100644
--- a/src/Accounts/Accounts/ChangeLog.md
+++ b/src/Accounts/Accounts/ChangeLog.md
@@ -19,6 +19,8 @@
 -->
 ## Upcoming Release
+* Replaced hardcoded cloud-to-scope mappings in SSH credential factory with a static scope, enabling SSH authentication across all clouds.
+* Deprecated the `-SshAuthScope` parameter in `Set-AzEnvironment` and `Add-AzEnvironment`. The SSH authentication scope is now determined automatically.
 ## Version 5.3.3
 * Updated MSAL to 4.82.1 to fix an issue with ARM endpoint discovery.
diff --git a/src/Accounts/Accounts/Environment/AddAzureRMEnvironment.cs b/src/Accounts/Accounts/Environment/AddAzureRMEnvironment.cs
index cf27e034dba3..c24359a22a55 100644
--- a/src/Accounts/Accounts/Environment/AddAzureRMEnvironment.cs
+++ b/src/Accounts/Accounts/Environment/AddAzureRMEnvironment.cs
@@ -226,7 +226,7 @@ public string DataLakeAudience
 public string MicrosoftGraphUrl { get; set; }
 [Parameter(ParameterSetName = EnvironmentPropertiesParameterSet, Mandatory = false, ValueFromPipelineByPropertyName = true,
- HelpMessage = "The scope for authentication when SSH to an Azure VM.")]
+ HelpMessage = "This parameter is deprecated and will be removed in a future release. The SSH authentication scope is now determined automatically and does not need to be configured.")]
 public string SshAuthScope { get; set; }
 protected override bool RequireDefaultContext()
diff --git a/src/Accounts/Accounts/Environment/SetAzureRMEnvironment.cs b/src/Accounts/Accounts/Environment/SetAzureRMEnvironment.cs
index b4222400e033..1dfff7384f01 100644
--- a/src/Accounts/Accounts/Environment/SetAzureRMEnvironment.cs
+++ b/src/Accounts/Accounts/Environment/SetAzureRMEnvironment.cs
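Review bot: The deprecation of `SshAuthScope` at the `+ HelpMessage = ...` line exists only in help text, so a caller that still passes `-SshAuthScope` gets no run-time signal that the credential factory now ignores the value; the identical hunk in SetAzureRMEnvironment.cs has the same gap. The property is still bound and presumably still copied into the environment by code outside this hunk, so the cmdlet should at least warn when the parameter is supplied, e.g. `if (MyInvocation.BoundParameters.ContainsKey(nameof(SshAuthScope))) { WriteWarning("-SshAuthScope is deprecated and has no effect; the SSH authentication scope is determined automatically."); }` in the method that processes it. If the module has a breaking-change attribute convention for parameter removal, using it would also pin the removal version, which the help text currently leaves open. The enclosing cmdlet class and its processing method start and end outside the hunk.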
@@ -197,7 +197,7 @@ public string DataLakeAudience
 public string MicrosoftGraphUrl { get; set; }
 [Parameter(ParameterSetName = EnvironmentPropertiesParameterSet, Mandatory = false, ValueFromPipelineByPropertyName = true,
- HelpMessage = "The scope for authentication when SSH to an Azure VM.")]
+ HelpMessage = "This parameter is deprecated and will be removed in a future release. The SSH authentication scope is now determined automatically and does not need to be configured.")]
 public string SshAuthScope { get; set; }
 protected override bool RequireDefaultContext()
diff --git a/src/Accounts/Accounts/help/Add-AzEnvironment.md b/src/Accounts/Accounts/help/Add-AzEnvironment.md
index 495054fa34d9..9feaf9491a99 100644
--- a/src/Accounts/Accounts/help/Add-AzEnvironment.md
+++ b/src/Accounts/Accounts/help/Add-AzEnvironment.md
@@ -679,7 +679,7 @@ Accept wildcard characters: False
 ```
 ### -SshAuthScope
-The scope for authentication when SSH to an Azure VM.
+This parameter is deprecated and will be removed in a future release. The SSH authentication scope is now determined automatically and does not need to be configured.
 ```yaml
 Type: System.String
diff --git a/src/Accounts/Accounts/help/Set-AzEnvironment.md b/src/Accounts/Accounts/help/Set-AzEnvironment.md
index 2d840d7aa5fd..b13b2d7db4d6 100644
--- a/src/Accounts/Accounts/help/Set-AzEnvironment.md
+++ b/src/Accounts/Accounts/help/Set-AzEnvironment.md
@@ -601,7 +601,7 @@ Accept wildcard characters: False
 ```
 ### -SshAuthScope
-The scope for authentication when SSH to an Azure VM.
+This parameter is deprecated and will be removed in a future release. The SSH authentication scope is now determined automatically and does not need to be configured.
 ```yaml
 Type: System.String
diff --git a/src/Accounts/Authentication/Factories/SshCredentialFactory.cs b/src/Accounts/Authentication/Factories/SshCredentialFactory.cs
index f4ab2a9d0a45..8905172e8f07 100644
--- a/src/Accounts/Authentication/Factories/SshCredentialFactory.cs
+++ b/src/Accounts/Authentication/Factories/SshCredentialFactory.cs
@@ -15,7 +15,6 @@
 using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
 using Microsoft.Azure.Commands.Common.Authentication.Abstractions.Models;
 using Microsoft.Azure.Commands.Common.Authentication.Properties;
-using Microsoft.Azure.Commands.Common.Exceptions;
 using Microsoft.Identity.Client.SSHCertificates;
 using Microsoft.WindowsAzure.Commands.Utilities.Common;
@@ -30,13 +29,7 @@ namespace Microsoft.Azure.Commands.Common.Authentication.Factories
 {
 public class SshCredentialFactory : ISshCredentialFactory
 {
- // kept for backward-compatibility
- private readonly Dictionary CloudToScope = new Dictionary(StringComparer.InvariantCultureIgnoreCase)
- {
- { EnvironmentName.AzureCloud, AzureEnvironmentConstants.AzureSshAuthScope },
- { EnvironmentName.AzureChinaCloud, AzureEnvironmentConstants.ChinaSshAuthScope },
- { EnvironmentName.AzureUSGovernment, AzureEnvironmentConstants.USGovernmentSshAuthScope },
- };
+ private const string AadSshLoginForLinuxServerAppId = "ce6ff14a-7fdc-4685-bbe0-f6afdfcfa8e0";
 private string CreateJwk(RSAParameters rsaKeyInfo, out string keyId)
 {
@@ -70,8 +63,7 @@ public SshCredential GetSshCredential(IAzureContext context, RSAParameters rsaKe
 }
 var publicClient = tokenCacheProvider.CreatePublicClient(context.Environment.ActiveDirectoryAuthority, context.Tenant.Id);
- string scope = GetAuthScope(context.Environment)
- ?? throw new AzPSKeyNotFoundException(string.Format(Resources.ErrorSshAuthScopeNotSet, context.Environment.Name));
+ string scope = GetAuthScope();
 List scopes = new List() { scope };
 var jwk = CreateJwk(rsaKeyInfo, out string keyId);
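Review bot: The new `AadSshLoginForLinuxServerAppId` constant replaces a per-cloud scope table with a single application ID but carries no comment saying which first-party application it identifies or why one ID is expected to be valid in every cloud; the table it removes existed because the scope was treated as cloud-specific, so that assumption should be recorded where the next maintainer will look. Suggest a comment above the constant along the lines of `// Application (client) ID of the first-party SSH login application. The "<appId>/.default" scope built from it is used for every cloud, replacing the former per-cloud table; this relies on the ID being registered identically across clouds.` With the table gone, `AzureEnvironmentConstants.AzureSshAuthScope`, `ChinaSshAuthScope` and `USGovernmentSshAuthScope` may have no remaining caller; if so they are candidates for `[Obsolete]` rather than deletion, since they are public constants of a shared assembly. The `SshCredentialFactory` class begins in this hunk and continues past it.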
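Review bot: Dropping the `?? throw new AzPSKeyNotFoundException(string.Format(Resources.ErrorSshAuthScopeNotSet, ...))` line leaves `Resources.ErrorSshAuthScopeNotSet` with no use in this file, and if nothing else references it the resource string and its localized variants should be removed in the same change rather than left orphaned. The corresponding `using Microsoft.Azure.Commands.Common.Exceptions;` was already dropped in the first hunk, so the cleanup is only half done. `GetSshCredential` starts and ends outside this hunk.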
@@ -90,10 +82,9 @@ public SshCredential GetSshCredential(IAzureContext context, RSAParameters rsaKe
 return resultToken;
 }
- private string GetAuthScope(IAzureEnvironment environment)
+ private string GetAuthScope()
 {
- return environment.GetProperty(AzureEnvironment.ExtendedEndpoint.AzureSshAuthScope)
- ?? CloudToScope.GetValueOrDefault(environment.Name.ToLower(), null);
+ return $"{AadSshLoginForLinuxServerAppId}/.default";
 }
 }
 }
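Review bot: The rewritten `GetAuthScope()` no longer reads `AzureEnvironment.ExtendedEndpoint.AzureSshAuthScope`, so an environment that was registered with an explicit SSH scope through the now-deprecated parameter silently receives the first-party application scope instead, while the deprecation text in this commit only says the value "does not need to be configured", not that it is ignored. For a private or custom cloud where the application is not registered under this ID, that is likely to turn a working configured override into a token-acquisition failure with no hint at the cause. If honoring a per-environment override during the deprecation window is intended, keep the parameter and use the constant as the fallback: `private string GetAuthScope(IAzureEnvironment environment) =>` / `environment.GetProperty(AzureEnvironment.ExtendedEndpoint.AzureSshAuthScope)` / `?? $"{AadSshLoginForLinuxServerAppId}/.default";`, with the call site in the preceding hunk passing `context.Environment` again. If ignoring the override is intended, the help text should say so and a one-line comment on the method should record that the extended endpoint is deliberately not consulted. Either way an XML `<summary>` stating that the method returns the `"<appId>/.default"` scope for the SSH token request would help the next reader.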