Using VMAccess Extension to Reset Login Credentials for Linux VM

Have you ever forgotten your Azure VM password or SSH key and lost access to the VM? The VMAccess extension lets you reset the password, the SSH key, or the SSH configuration so you can regain access.

This extension targets Linux VMs; for Windows VMs, click here for details.

If this is your first time using VM extensions, you might want to check here for background.

 

Pre-Requisites

  • Microsoft Azure Linux Agent version 2.0.5 or later. Note that most Azure VM Linux gallery images include version 2.0.5. You can run waagent -version to confirm the version installed in the VM. If the VM is running a version earlier than 2.0.5, you can follow these instructions to update it.
  • Azure PowerShell. Note that Cross-Platform CLI support for extensions is expected to be available in a few weeks.
  • A new password or SSH key to set for your VM.

 

Use the VMAccess Extension

Depending on what you want to reset for the VM, there are 5 scenarios for using VMAccess. The scenarios and the corresponding sample PowerShell scripts follow. Note that only the parameters differ between scenarios; the second section of each script, after “Begin execution”, is the same in all of them.

 

1. Reset the password only

#Sample script to reset your password
#Identify the VM
$vm = Get-AzureVM -ServiceName 'MyServiceName' -Name 'MyVMName'
#Enter your current user name and new password
$UserName = "CurrentName"
$Password = "NewPassword"
$PrivateConfig = '{"username":"' + $UserName + '", "password": "' + $Password + '"}'

#Begin execution
$ExtensionName = 'VMAccessForLinux'
$Publisher = 'Microsoft.OSTCExtensions'
$Version =  '1.0'
Set-AzureVMExtension -ExtensionName $ExtensionName -VM  $vm -Publisher $Publisher -Version $Version -PrivateConfiguration $PrivateConfig | Update-AzureVM

 

2. Reset the SSH key only

#Sample script to reset your SSH keys
#Identify the VM
$vm = Get-AzureVM -ServiceName 'MyServiceName' -Name 'MyVMName'
#Enter the current user name and the path of your new public SSH key
$UserName = "CurrentName"
$cert = Get-Content "CertPath"
$PrivateConfig = '{"username":"' + $UserName + '", "ssh_key":"' + $cert + '"}'

# Begin execution
$ExtensionName = 'VMAccessForLinux'
$Publisher = 'Microsoft.OSTCExtensions'
$Version =  '1.0'
Set-AzureVMExtension -ExtensionName $ExtensionName -VM  $vm -Publisher $Publisher -Version $Version -PrivateConfiguration $PrivateConfig | Update-AzureVM

 

3. Reset the password and the SSH key

#Sample script to reset your password and SSH key
#Identify the VM
$vm = Get-AzureVM -ServiceName 'MyServiceName' -Name 'MyVMName'
#Enter the new password, and cert path of the new SSH public key, with the current user name
$UserName = "CurrentName"
$Password = "NewPassword"
$cert = Get-Content "CertPath"
$PrivateConfig = '{"username":"' + $UserName + '", "password": "' +  $Password + '", "ssh_key":"' + $cert + '"}' 

# Begin execution
$ExtensionName = 'VMAccessForLinux'
$Publisher = 'Microsoft.OSTCExtensions'
$Version =  '1.0'
Set-AzureVMExtension -ExtensionName $ExtensionName -VM  $vm -Publisher $Publisher -Version $Version -PrivateConfiguration $PrivateConfig | Update-AzureVM

 

4. Create a new sudo user account

If you forget your user name, you can use VMAccess to create a new one with sudo authority. Note that in this case your original user name and login keys are not modified and should still work.

To create a new sudo user with password access, use the script in scenario 1; to create a new sudo user with SSH key access, use the script in scenario 2; to create a new user with both, use the script in scenario 3. Remember to change “UserName” to the new user name.

 

5. Reset the SSH configuration

If the SSH configuration is broken, you might also lose access to the VM. You can use the VMAccess extension to reset the configuration to default. To do so, remove all the new access parameters from the configuration (user name, password, or SSH key). The extension will restart the SSH server, open the SSH port on your VM, and reset the SSH configuration to default. The user account (password or SSH keys) of your VM remains unchanged.

Note: the SSH configuration file that gets reset is located at /etc/ssh/sshd_config.

#Sample script to reset the SSH configuration on your VM 
#Identify the VM
$vm = Get-AzureVM -ServiceName 'MyServiceName' -Name 'MyVMName'
$PrivateConfig = '{"reset_ssh": "True"}' 

# Begin execution
$ExtensionName = 'VMAccessForLinux'
$Publisher = 'Microsoft.OSTCExtensions'
$Version =  '1.0'
Set-AzureVMExtension -ExtensionName $ExtensionName -VM  $vm -Publisher $Publisher -Version $Version -PrivateConfiguration $PrivateConfig | Update-AzureVM
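
The sample scripts build the private configuration by string concatenation, which yields invalid JSON as soon as a password or key contains a quote or backslash, and they keep the new password in the script text. The following is an added example, not part of the original post: New-VMAccessPrivateConfig is a hypothetical helper that builds the same JSON (keys username, password, ssh_key, reset_ssh as used above) with ConvertTo-Json and takes the password as a SecureString.

```powershell
# Added example: hypothetical helper, not part of the VMAccess extension.
function New-VMAccessPrivateConfig {
    param(
        [string]$UserName,
        [securestring]$Password,
        [string]$SshKeyPath,
        [switch]$ResetSsh
    )
    $hasPassword = $Password -and $Password.Length -gt 0
    $config = [ordered]@{}
    if ($ResetSsh) {
        # Scenario 5: the page resets SSH with no account parameters present.
        if ($UserName -or $hasPassword -or $SshKeyPath) {
            throw '-ResetSsh cannot be combined with account parameters.'
        }
        $config['reset_ssh'] = 'True'
    }
    else {
        if (-not $UserName) { throw 'UserName is required.' }
        if (-not $hasPassword -and -not $SshKeyPath) {
            throw 'Supply -Password, -SshKeyPath, or both.'
        }
        $config['username'] = $UserName
        if ($hasPassword) {
            # Decrypt the SecureString only when the JSON is built.
            $cred = New-Object System.Net.NetworkCredential('', $Password)
            $config['password'] = $cred.Password
        }
        if ($SshKeyPath) {
            # -Raw reads the file as one string rather than an array of lines.
            $config['ssh_key'] = (Get-Content -Path $SshKeyPath -Raw).Trim()
        }
    }
    # ConvertTo-Json escapes quotes, backslashes and control characters.
    $config | ConvertTo-Json -Compress
}

# Scenario 1, prompting for the password instead of hard-coding it.
$newPassword   = Read-Host -Prompt 'New password' -AsSecureString
$PrivateConfig = New-VMAccessPrivateConfig -UserName 'CurrentName' -Password $newPassword

# Scenario 5.
# $PrivateConfig = New-VMAccessPrivateConfig -ResetSsh
```

Pass the resulting $PrivateConfig to Set-AzureVMExtension exactly as in the “Begin execution” section of the scripts above.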

 

Query the results

The status of the VMAccess extension can be retrieved using the Azure PowerShell cmdlet Get-AzureVM or Get-Deployment.

 

Access the VM after resetting

After the VMAccess Extension completes resetting the credentials and configurations, you can log on to the instance using the new account name, password or SSH key.

 

Additional Notes

Note that if you only want to reset the password or SSH key for the existing user account, you need to make sure the user name you enter matches the original user name. If you enter a name that is different from your original name, the VMAccess extension treats this as scenario 4 listed above and creates a new user account.

 

Known issue

When you run the PowerShell command “Set-AzureVMExtension” on a Linux VM, you may hit the following error: “Provision Guest Agent must be enabled on the VM object before setting IaaS VM Access Extension”.

Root Cause: when you create the image via the portal, the value of guest agent on the VM is not always set to “True”. If your VM is created using PowerShell, you will not see this issue.

Resolution: Add the following PowerShell commands to set ProvisionGuestAgent to “True”:

$vm = Get-AzureVM -ServiceName 'MyServiceName' -Name 'MyVMName'

$vm.GetInstance().ProvisionGuestAgent = $true