public_key in admin_ssh_key of azurerm_linux_virtual_machine resource does not accept PuTTYgen keys #6000

Closed
gberesford opened this issue Mar 5, 2020 · 5 comments

Comments

@gberesford

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.12.20
+ provider.azurerm v2.0.0

Affected Resource(s)

  • azurerm_linux_virtual_machine

Terraform Configuration Files

provider "azurerm" {
  version = "~> 2.0"
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_virtual_network" "example" {
  name                = "example-network"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "example" {
  name                 = "internal"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefix       = "10.0.2.0/24"
}

resource "azurerm_network_interface" "example" {
  name                = "example-nic"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.example.id
    private_ip_address_allocation = "Dynamic"
  }
}

resource "azurerm_linux_virtual_machine" "example" {
  name                = "example-machine"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  size                = "Standard_F2"
  admin_username      = "adminuser"
  network_interface_ids = [
    azurerm_network_interface.example.id,
  ]

  admin_ssh_key {
    username   = "adminuser"
    public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAlR+6cwU+0Wa0jWxLDV2fY4JYGVK9+hVCn13QclVgNkHyBidIZ0pJ/0AcOUa9mjm7mJPUb/orzA2g3CxMdweHjOTcTlGxbiuxdFgZHAmwV3v0CYKeyXbkJdqVYlw5E4sA2inJ7ivL7QTJOf2/sPcBZ3y4nhNETxnUSaxLPGOOJaD5gBFqJefcULK4M7XiQpmA18KJJha7j6MBm9Oe18sphS5JzR2lJ9RQ8bd7MtP/AVqxwkdMMlGM1uGD7UfKKKua7HZfcJJrKY0a6CVtljkJz4X+OkPjfAx1j/uUV1umXxDUMChgHztNVDan2+D8JX+c6im0WxM6jzbcPc4ooBUtvQ=="
  }

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  source_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "16.04-LTS"
    version   = "latest"
  }
}

Debug Output

https://gist.github.com/gberesford/cdc53f8c67ee1d53cf371abe4507863f

Expected Behavior

C:\Users\gberesford\source\repos\OpenVpnRemote\testtf>terraform validate
Success! The configuration is valid.

Actual Behavior

C:\Users\gberesford\source\repos\OpenVpnRemote\testtf>terraform validate

Error: Error - only ssh-rsa keys with 2048 bits or higher are supported by azure

  on main.tf line 37, in resource "azurerm_linux_virtual_machine" "example":
  37: resource "azurerm_linux_virtual_machine" "example" {


Steps to Reproduce

  1. Generate 2048 bit RSA key with PuTTYgen.
  2. Use public part of key for public_key in admin_ssh_key of azurerm_linux_virtual_machine resource.
  3. terraform validate

Important Factoids

PuTTYgen uses 37 as the RSA exponent, as opposed to ssh-keygen's 65537. The shorter exponent means that it takes up less space in the encoded public key, which makes the byte indexes of 20 and 21 incorrect here: https://github.com/terraform-providers/terraform-provider-azurerm/blob/2190f5565087143c6d67b05270685eda8d4f115d/azurerm/internal/services/compute/ssh_keys.go#L147

The current code will fail with any exponent < 65536 (or > 16777215 and also for some key lengths > 65535 but those cases are unlikely.)

I suspect the only reliable way of doing this will be to parse the file properly to skip the first 2 elements by reading their length (which are uint32s, not uint16s), and then read the length of the 3rd element.
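The approach suggested at the end of this report (skip each field by reading its uint32 length instead of indexing fixed byte offsets), as an added Go example. It is not the provider's code; `RSAKeyBits` and `SampleKey` are hypothetical names, and the sample keys are constructed rather than real RSA keys.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"math/big"
	"strings"
)

// RSAKeyBits reads the three uint32-length-prefixed fields (name, e, n) and returns n's bit length.
func RSAKeyBits(line string) (int, error) {
	parts := strings.Fields(line)
	if len(parts) < 2 || parts[0] != "ssh-rsa" {
		return 0, fmt.Errorf("not an ssh-rsa public key line")
	}
	blob, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil {
		return 0, err
	}
	var f [3][]byte
	for i := range f {
		if len(blob) < 4 || uint64(binary.BigEndian.Uint32(blob)) > uint64(len(blob)-4) {
			return 0, fmt.Errorf("field %d is truncated", i)
		}
		end := 4 + int(binary.BigEndian.Uint32(blob))
		f[i], blob = blob[4:end], blob[end:]
	}
	if string(f[0]) != "ssh-rsa" || len(blob) != 0 {
		return 0, fmt.Errorf("malformed ssh-rsa blob")
	}
	return new(big.Int).SetBytes(f[2]).BitLen(), nil
}

// SampleKey builds a constructed key line (not a usable RSA key) for a small exponent e.
func SampleKey(e uint64, bits int) string {
	n := make([]byte, 1+bits/8)    // leading 0x00 keeps the mpint positive
	n[1], n[len(n)-1] = 0x80, 0x01 // top bit set: the modulus has exactly `bits` bits
	var blob []byte
	for _, f := range [][]byte{[]byte("ssh-rsa"), new(big.Int).SetUint64(e).Bytes(), n} {
		l := uint32(len(f))
		blob = append(append(blob, byte(l>>24), byte(l>>16), byte(l>>8), byte(l)), f...)
	}
	return "ssh-rsa " + base64.StdEncoding.EncodeToString(blob)
}

func main() {
	fmt.Println(RSAKeyBits(SampleKey(37, 2048)))    // exponent the issue attributes to PuTTYgen
	fmt.Println(RSAKeyBits(SampleKey(65537, 2048))) // exponent the issue attributes to ssh-keygen
}
```

Both calls report 2048 bits because the modulus is located by walking the length prefixes, so a one-byte exponent and a three-byte exponent are handled the same way.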

@tombuildsstuff
Member

Related: #6044

@rgl
Contributor

rgl commented Mar 12, 2020

Please see my suggestion at #6044 (comment). It uses rsa.PublicKey instead of manually parsing the raw bytes.

@AndreasMWalter

AndreasMWalter commented May 6, 2020

Encountering this issue as well, not sure if the affected key was created with PuTTY or OpenSSL, but validation of the key with ssh-keygen checks out:
image

@favoretti
Collaborator

Since this issue has been reported a long time ago and relates to the version of the provider we no longer support - I'm going to close it. Please open a new updated bug report on current versions of terraform and provider if this is still relevant. Thank you.

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2021