Locked out of your Azure VM’s SSH

If you find yourself locked out of SSH on an Azure Linux VM, work through the steps below.

  • Log into the Azure portal at https://portal.azure.com
  • Navigate to the VM you are locked out of and select it.
  • First we will look at resetting a given user.

Reset Password

  • In the menu, under the SUPPORT + TROUBLESHOOTING section, select Reset password
  • Make certain that you choose a user who can become root, i.e. one listed in the sudoers file. (Otherwise you can create a new user with sudo rights by choosing a username that doesn’t already exist.)
  • Select Reset SSH public key in the Mode drop-down menu.

  • Choose the user to reset, provide a public key and click Update
  • If necessary we can also reset the password by selecting Reset password in the Mode drop-down menu

  • Choose the user whose password you want to reset, supply the new password and click Update
  • Wait a couple of minutes for the changes to apply
  • Test the user you have reset, and if you have access, become root and diagnose the issue.
  • If you are still not able to get into the box because the SSH daemon is not responding, continue with the steps below.

  • Still in the Reset password option, as in the previous two steps, select Reset configuration only from the Mode drop-down menu and click Update.
  • This resets the SSH daemon to its default configuration.
  • Wait 2 minutes, then reboot the box by clicking Restart in the Overview section of the VM’s menu

  • While the machine is rebooting, open port 22 in the relevant network security group.

  • In this example we’ve been using the bastion host, but choose the relevant security group and, in the SETTINGS section, click Inbound security rules
  • Click Add at the top of the screen

  • Make sure the descriptive name you give the new rule says “Temporary” so you know which rule to remove later.
  • Wait 2 minutes for the firewall rule to apply to the security group.
  • When the machine is back, you can try to connect once again.
  • Remember that SSH will now be running on port 22 and not on whichever port was previously configured. (If you do not want to use keys, use something like ssh -vvv -o PreferredAuthentications=keyboard-interactive,password -o PubkeyAuthentication=no joebloggs@xx.xx.xx.xx, where xx.xx.xx.xx is your VM’s IP address.)
  • If your connection attempts time out, port 22 is being blocked by iptables on the VM, so perform the following steps to unblock port 22 in the VM’s iptables.
  • Navigate back to the VM in question in the Azure portal.

  • Under the Settings section, choose Extensions, and click + Add

  • Under resources choose Custom Script for Linux, and click Create
  • On your local machine, create a script similar to the one below to unblock the VM:
#!/bin/bash
# Install the iptables service tooling (RHEL/CentOS family), then accept new SSH
# connections on port 22. The rule is inserted at the top of the INPUT chain so it
# sits before any catch-all REJECT rule, which an appended (-A) rule would never reach.
yum install iptables-services -y
iptables -I INPUT 1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# Replies from sshd leave with source port 22; only matters if the OUTPUT policy is DROP.
iptables -I OUTPUT 1 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
service iptables save
service iptables restart
  • Save this to a file with a good descriptive name, so you can reuse the script at a later date

  • Back in Azure, select your script for upload, alter the command so that it runs your script and click OK
  • Wait 2 minutes for the script to apply and then try to access the box again.
  • If the above did not work, you could try again with a more drastic script like this one:
#!/bin/bash
# Last resort: stop the host firewall entirely and keep it from starting at boot.
# Only the network security group then filters traffic to this VM.
yum install iptables-services -y
systemctl stop iptables
systemctl disable iptables

  • Having applied this script, wait 2 minutes and retest.
  • If you cannot gain access after all of the above steps have been performed, then open a helpdesk ticket in the Azure Portal.
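As an added diagnostic that is not part of the original post, the POSIX shell script below reads a saved sshd_config and a saved `iptables -S INPUT` listing and reports which port sshd is actually configured for and whether the INPUT chain lets it through before a catch-all REJECT/DROP; the file names, function names and the constructed listings are my own. It is worth running before the unblock script, because a rule appended with -A lands after the distribution’s catch-all REJECT and is never matched.

```shell
#!/bin/sh
# Diagnose an unreachable sshd on a Linux VM before rewriting firewall rules:
# find the port sshd is configured for and check whether the iptables INPUT
# chain accepts it before any catch-all REJECT/DROP. Works on saved copies of
# sshd_config and of `iptables -S INPUT`, so it can also be run offline.

# Port from an sshd_config file ($1): last "Port" directive, 22 if none.
sshd_port() {
    port=$(awk 'tolower($1) == "port" { print $2 }' "$1" | tail -n 1)
    echo "${port:-22}"
}

# Walk an `iptables -S INPUT` listing (file $1) in order and return 0 when TCP
# port $2 reaches an ACCEPT, 1 when a REJECT/DROP rule or the chain policy gets
# it first. Jumps to user-defined chains are not followed (hypothetical
# simplification; a real audit would recurse into them).
chain_allows_port() {
    awk -v port="$2" '
    function opt(name,   i) { for (i = 1; i < NF; i++) if ($i == name) return $(i+1); return "" }
    # a rule with no port, source, interface or state match applies to all TCP
    function catchall() { return opt("--dport") == "" && opt("-s") == "" && opt("-i") == "" &&
                                 opt("--state") == "" && opt("--ctstate") == "" &&
                                 (opt("-p") == "" || opt("-p") == "tcp") }
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }
    { target = opt("-j"); hit = (opt("-p") == "tcp" && opt("--dport") == port) }
    target == "ACCEPT" && (hit || catchall()) { verdict = "ACCEPT"; exit }
    (target == "REJECT" || target == "DROP") && (hit || catchall()) { verdict = target; exit }
    END { if (verdict == "") verdict = policy; rc = (verdict == "ACCEPT") ? 0 : 1; exit rc }
    ' "$1"
}

# Combine both checks: print the verdict and return 0 when sshd should be reachable.
ssh_reachable() {
    p=$(sshd_port "$1")
    if chain_allows_port "$2" "$p"; then
        echo "sshd port $p is accepted by the INPUT chain"
        return 0
    fi
    echo "sshd port $p is blocked in the INPUT chain; insert a rule with 'iptables -I INPUT 1 -p tcp --dport $p -j ACCEPT'"
    return 1
}

# Usage on the VM (constructed paths): iptables -S INPUT > /tmp/input.rules
#                                      sh diagnose_ssh.sh /etc/ssh/sshd_config /tmp/input.rules
if [ "$#" -eq 2 ]; then
    ssh_reachable "$1" "$2"
fi
```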

Author: Andrew