[Az.Aks] Enforce RSA as the GenerateSSHKeys default key type

[jovieir]

Description

This pull request enhances the SSH key generation logic in the NewAzureRmAks command to ensure compatibility with changes in OpenSSH 9.4 and above, where the default key type switched to ed25519 (unsupported by AKS). The main update involves detecting the installed OpenSSH version and conditionally specifying the key type when generating SSH keys. Additionally, it introduces platform checks and error handling for robust version detection.

SSH Key Generation Compatibility Updates:

• Added a method GetOpenSSHVersion() to detect the installed OpenSSH version, using platform checks and safe process handling to extract the version from ssh.exe output.
• Updated the GenerateSshKeyValue() method to use the detected OpenSSH version: if version 9.4 or above is found, the -t rsa argument is added to ssh-keygen to ensure RSA keys are generated; otherwise, the argument is omitted for compatibility with older OpenSSH versions.

Platform Support:

• Added a using System.Runtime.InteropServices; directive and platform checks to ensure the correct path to ssh.exe is used on Windows and non-Windows systems.

These changes help prevent issues with unsupported SSH key types in AKS clusters on systems with newer OpenSSH installations.

Mandatory Checklist

• Please choose the target release of Azure PowerShell. (⚠️Target release is a different concept from API readiness. Please click below links for details.)

  • General release
  • Public preview
  • Private preview
  • Engineering build
  • No need for a release

• Check this box to confirm: I have read the Submitting Changes section of CONTRIBUTING.md and reviewed the following information:

• SHOULD update ChangeLog.md file(s) appropriately
  • Update src/{{SERVICE}}/{{SERVICE}}/ChangeLog.md.
    • A snippet outlining the change(s) made in the PR should be written under the ## Upcoming Release header in the past tense.
  • Should not change ChangeLog.md if no new release is required, such as fixing test case only.
• SHOULD regenerate markdown help files if there is cmdlet API change. Instruction
• SHOULD have proper test coverage for changes in pull request.
• SHOULD NOT adjust version of module manually in pull request

[azure-client-tools-bot-prd]

Thanks for your contribution! The pull request validation has started. Please revisit this comment for updated status.

[isra-fel]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 3 pipeline(s).

[Copilot]

Pull request overview

This pull request addresses compatibility issues with OpenSSH 9.4+ in the Azure Kubernetes Service (AKS) module by ensuring RSA SSH keys are generated instead of the new ed25519 default (which AKS doesn't support). The implementation adds version detection logic to conditionally specify the key type parameter when generating SSH keys.

Key Changes

• Added GetOpenSSHVersion() method to detect the installed OpenSSH version through process execution and regex parsing
• Modified GenerateSshKeyValue() to conditionally add -t rsa flag for OpenSSH 9.4+ installations
• Introduced platform-specific handling using System.Runtime.InteropServices for Windows vs non-Windows path resolution

[Copilot]

The variable name "standOutput" appears to be a typo of "standardOutput". This inconsistent naming (compared to "standardError" later) reduces code clarity.

Suggested change

	string standOutput = process.StandardOutput.ReadToEnd() + process.StandardError.ReadToEnd();
	process.WaitForExit();
	// OpenSSH version for Windows follows the format: OpenSSH_for_Windows_X.XpX
	// Examples
	// "OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3"
	// "OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2"
	var regMatch = System.Text.RegularExpressions.Regex.Match(standOutput, @"OpenSSH_for_Windows_(\d+)\.(\d+)p(\d+)");
	string standardOutput = process.StandardOutput.ReadToEnd() + process.StandardError.ReadToEnd();
	process.WaitForExit();
	// OpenSSH version for Windows follows the format: OpenSSH_for_Windows_X.XpX
	// Examples
	// "OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3"
	// "OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2"
	var regMatch = System.Text.RegularExpressions.Regex.Match(standardOutput, @"OpenSSH_for_Windows_(\d+)\.(\d+)p(\d+)");

[Copilot]

The regex pattern only matches Windows-specific OpenSSH output format (OpenSSH_for_Windows_X.XpX), but will fail to detect the OpenSSH version on non-Windows platforms where the output format is different (e.g., "OpenSSH_9.4p1, OpenSSL 3.0.2"). This means the version detection will always return null on Linux/macOS, preventing RSA key type enforcement on those platforms when OpenSSH 9.4+ is installed. Consider using a platform-agnostic regex pattern that matches both formats, such as matching "OpenSSH_(\d+).(\d+)p(\d+)" which works for both "OpenSSH_9.4p1" and "OpenSSH_for_Windows_9.4p1".

Suggested change

	// OpenSSH version for Windows follows the format: OpenSSH_for_Windows_X.XpX
	// Examples
	// "OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3"
	// "OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2"
	var regMatch = System.Text.RegularExpressions.Regex.Match(standOutput, @"OpenSSH_for_Windows_(\d+)\.(\d+)p(\d+)");
	// OpenSSH version formats to support:
	// Windows: "OpenSSH_for_Windows_X.XpX, LibreSSL ..."
	// Non-Windows:"OpenSSH_X.XpX, OpenSSL ..."
	var regMatch = System.Text.RegularExpressions.Regex.Match(standOutput, @"OpenSSH_(?:for_Windows_)?(\d+)\.(\d+)p(\d+)");

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.

[Copilot]

The new SSH key generation logic with version detection lacks test coverage. Given that the repository has comprehensive scenario tests for AKS functionality, this new feature should also have corresponding tests to validate:

1. Correct version detection for different OpenSSH versions
2. Proper handling when version detection fails (returns null)
3. Correct argument construction for OpenSSH versions >= 9.4 vs. older versions
4. Cross-platform behavior (Windows vs. Linux/macOS)

Consider adding unit tests or scenario tests that cover these SSH key generation scenarios.

[isra-fel]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 3 pipeline(s).

[jovieir]

@copilot open a new pull request to apply changes based on the comments in this thread

[jovieir]

applying code review suggestions

[isra-fel]

/azp run

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 4 comments.

[Copilot]

The new OpenSSH version detection logic in GetOpenSSHVersion() lacks test coverage. Since the repository uses comprehensive automated testing for the Az.Aks module, consider adding unit tests to verify:

1. Correct version parsing for different OpenSSH output formats (Windows and non-Windows)
2. Handling of null returns when OpenSSH is not installed or version cannot be determined
3. Correct behavior when version is below 9.4 vs. 9.4 and above
4. The resulting ssh-keygen command arguments are correct for different scenarios

[azure-pipelines]

Azure Pipelines successfully started running 3 pipeline(s).

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 5 comments.

[Copilot]

The broad catch block on line 349 silently swallows all exceptions, which could hide important errors beyond just missing SSH binaries. Consider catching specific exceptions like FileNotFoundException or Win32Exception, and logging the exception details using WriteDebug or WriteWarning before returning null. This would help with troubleshooting when SSH version detection fails.

Suggested change

	// We're not expecting ssh to be missing, but just in case, we catch any exception and return null.
	catch
	{
	return null;
	}
	// We're not expecting ssh to be missing, but just in case, we catch specific exceptions and return null.
	catch (FileNotFoundException ex)
	{
	WriteDebug($"Failed to detect SSH version: SSH executable not found. Detail: {ex.Message}");
	return null;
	}
	catch (Win32Exception ex)
	{
	WriteDebug($"Failed to detect SSH version due to a Win32 error when starting the SSH process. Detail: {ex.Message}");
	return null;
	}
	catch (InvalidOperationException ex)
	{
	WriteDebug($"Failed to detect SSH version due to an invalid process configuration. Detail: {ex.Message}");
	return null;
	}
	catch (Exception ex)
	{
	WriteDebug($"Failed to detect SSH version due to an unexpected error. Detail: {ex.Message}");
	return null;
	}

[Copilot]

The process output reading on line 335 may cause a deadlock if the output buffers fill up. Reading both StandardOutput and StandardError synchronously after process.Start() can block if either buffer becomes full before WaitForExit is called. Consider using asynchronous reading with BeginOutputReadLine and BeginErrorReadLine, or read StandardError and StandardOutput separately to avoid potential deadlock situations.

[Copilot]

The ChangeLog.md file is missing an entry for this SSH key generation change. According to the repository's contribution guidelines, you SHOULD update the ChangeLog.md file under the "Upcoming Release" section to document this change. Add a bullet point describing the enforcement of RSA as the default key type for OpenSSH 9.4 and above to ensure AKS compatibility.

[Copilot]

The new OpenSSH version detection logic and conditional SSH key type generation are not covered by automated tests. Given that the Aks.Test project contains comprehensive test scenarios for other module functionality, this new behavior should have test coverage to verify correct version detection, version comparison logic, and proper argument construction for both OpenSSH versions below and above 9.4.

[isra-fel]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 3 pipeline(s).

[jovieir]

@copilot open a new pull request to apply changes based on the comments in this thread

[wyunchi-ms]

Could you please also update the src/Aks/Aks/ChangeLog.md?

[jovieir]

Apologies for the delay @wyunchi-ms for some reason I thought I had edited ChangeLog in the first commit

[isra-fel]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 3 pipeline(s).

[vidai-msft]

@jovieir Can you please sync with the latest main branch and then make the change log just under the # Upcoming Release? The position looks like not correct.

[jovieir]

@vidai-msft done!

[isra-fel]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 3 pipeline(s).

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

Comments suppressed due to low confidence (1)

src/Aks/Aks/Commands/NewAzureRmAks.cs:1

• The ChangeLog entry should use backticks for cmdlet names, not straight backticks which are currently used. Additionally, the phrase 'instead of ed25519 that became' could be clearer. Consider: 'Fixed the default SSH key generation logic in New-AzAksCluster to enforce RSA key type for compatibility with OpenSSH 9.4+, which changed its default from RSA to ed25519.'

// ----------------------------------------------------------------------------------

[Copilot]

Missing space after '//' in comment. Should be '// Ensure process is properly disposed of and exited'.

Suggested change

	finally //Ensure process is properly disposed of and exited
	finally // Ensure process is properly disposed of and exited

[Copilot]

The trailing space in '-t rsa ' is fragile and could be easily overlooked during maintenance. Consider using string interpolation or removing the space and adjusting the format string on line 398 to always include a space between parameters.

[Copilot]

The new SSH key generation logic with OpenSSH version detection lacks test coverage. Consider adding unit tests to verify: (1) correct version parsing for different OpenSSH output formats, (2) proper fallback behavior when version detection fails, (3) correct key type argument generation for versions below and above 9.4.

[vidai-msft]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 3 pipeline(s).

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

[Copilot]

There is a potential race condition between checking if the process has exited at line 355 and attempting to kill it at line 359. Another thread could terminate the process between the HasExited check and the Kill call. While the inner catch block provides some protection, consider using a more robust approach by catching InvalidOperationException specifically, which is thrown when calling Kill on an already exited process.

[Copilot]

The ChangeLog entry should explain the SSH (Secure Shell) acronym for Azure PowerShell users who may not be familiar with it. Consider revising to: "Fixed the default SSH (Secure Shell) key generation logic in New-AzAksCluster to enforce RSA key type (instead of ed25519 that became the default in OpenSSH 9.4 and above)"

[Copilot]

The empty catch block at lines 361-364 silently swallows all exceptions during process cleanup. While the comment explains ignoring Kill exceptions if the process already exited, this catch block will also suppress other types of exceptions (e.g., permission issues, system errors) that may indicate real problems. Consider catching only the specific expected exception types like InvalidOperationException which is thrown when the process has already exited.

Suggested change

	catch
	{
	// Ignore exceptions from Kill if process already exited
	catch (InvalidOperationException)
	{
	// Ignore exceptions from Kill if process has already exited or cannot be killed