Azure PaaS Blog

Update host keys to use SFTP on Azure Blob Storage

LuisFilipe
Microsoft
Apr 28, 2026


Some Azure Storage users may have received an alert informing them that Microsoft will change the public key.

This article describes the impact this change will have on the SFTP blob service and the changes that are needed.

In this article:

  • What is this alert and what actions you need to take
  • How to list all your storage accounts with SFTP enabled
  • Which client systems or applications are currently connecting to the storage account via SFTP
  • FAQs to Host keys for SSH File Transfer Protocol (SFTP) support for Azure Blob Storage

 

========================================================

What is this alert and what action you need to take

Azure Storage SFTP users can use two different authentication methods: SSH password and/or SSH key pair.

 

This alert only affects users authenticating with an SSH key pair; if your SFTP users use only an SSH password as the authentication method, you can ignore the alert.

If you have users using an SSH key pair, you should currently have the host keys in your list of trusted hosts.

In that case, you may need to update your list of trusted hosts with the new valid host keys described in this list (expiring on 2028-01-31), based on the region of your storage account: https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-host-keys#valid-host-keys

 

You need to add the new trusted host keys for the region where your storage account lives to the known_hosts file (per-user trusted hosts, most common, usually located at ~/.ssh/known_hosts) or to the ssh_known_hosts file (system-wide trusted hosts, less common, usually located in /etc/ssh).

The file names and locations may vary, depending on the Linux distro and version you are using.
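
Before a key goes into known_hosts, it is worth checking it against the fingerprint published for your region. The following is an added example, not part of the original article: it computes the OpenSSH-style SHA256 fingerprint of a host key and adds the entry only when it matches the expected value. The host name, the ed25519-shaped sample keys and `PUBLISHED_FP` are constructed placeholders, and the code assumes unhashed known_hosts entries and a fingerprint copied in `SHA256:` base64 form.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def fingerprint(key_type: str, key_b64: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of a public key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    # The blob carries its own algorithm name; it must match the text label.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type label does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def pin_host_key(known_hosts: str, host: str, key_type: str,
                 key_b64: str, expected_fp: str) -> str:
    """Return known_hosts text with the key added, only if it is the expected one."""
    actual = fingerprint(key_type, key_b64)
    if actual != expected_fp:
        raise ValueError(f"fingerprint mismatch for {host}: got {actual}")
    entry = f"{host} {key_type} {key_b64}"
    lines = known_hosts.splitlines()
    if entry not in lines:  # idempotent: never write a duplicate entry
        lines.append(entry)
    return "\n".join(lines) + "\n"


def make_sample_key(seed: bytes) -> str:
    """Build a constructed ssh-ed25519-shaped blob; not a real Azure host key."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha256(seed).digest())
    return base64.b64encode(blob).decode()


# Constructed sample data; the host name and keys are placeholders.
HOST = "contosostorage.blob.core.windows.net"
NEW_KEY = make_sample_key(b"constructed-new")
ROGUE_KEY = make_sample_key(b"constructed-rogue")
PUBLISHED_FP = fingerprint("ssh-ed25519", NEW_KEY)  # stands in for the listed value
OLD_FILE = f"{HOST} ssh-ed25519 {make_sample_key(b'constructed-old')}\n"

if __name__ == "__main__":
    print(pin_host_key(OLD_FILE, HOST, "ssh-ed25519", NEW_KEY, PUBLISHED_FP), end="")
```

A key whose fingerprint differs from the expected value raises `ValueError` and leaves the file content unchanged, which is the case to alert on rather than accept.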

 

The other option is simply to accept the new keys when connecting to Storage SFTP after April 30th.

 

========================================================

How to list all your storage accounts with SFTP enabled

You can use Azure Resource Graph, available in the Azure portal, with the query below to get the list of storage accounts with SFTP enabled.

You can list them at the Subscription, Directory or Management Group level.

See how to do that: https://learn.microsoft.com/en-us/azure/governance/resource-graph/first-query-portal

 

Query to list all Storage accounts with SFTP enabled:

resources
| where type == "microsoft.storage/storageaccounts"
| extend sftpEnabled = properties.isSftpEnabled
| where sftpEnabled == true
| project
   subscriptionId,
   resourceGroup,
   name,
   location,
   kind,
   sku = sku.name,
   sftpEnabled
| order by subscriptionId, resourceGroup, name


========================================================

Which client systems or applications are currently connecting to the storage account via SFTP

To verify which users or applications are currently connecting to the storage account via SFTP, you may need to enable Blob Storage Diagnostic Logs (*) and send those logs to a Log Analytics workspace, if not enabled yet.

You can then query those logs and check details of the requests by querying your Log Analytics workspace, or by using the “Logs” option under the “Monitoring” section on the storage account blade in the Azure portal.

 

You can use this Kusto query to query Storage Diagnostic Logs:

StorageBlobLogs
| where AccountName in ("xxxxxxxxxxxxxxxxxxxx")
| where Protocol == "SFTP"
| where OperationName == "SftpConnect"
| where TimeGenerated > ago(7d)
| project TimeGenerated, AuthenticationType, CallerIpAddress, RequesterObjectId, UserAgentHeader
| summarize NrRequests=count() by RequesterObjectId, AuthenticationType //, UserAgentHeader, CallerIpAddress
| order by AuthenticationType

(*) See more details about how to enable and query Storage Diagnostic Logs at the end of this article.

 

The output should be something like this:

SFTP User    Authentication Type    Nr new connections
sftpuser1    LocalUserPublicKey     5345
sftpuser2    LocalUserPublicKey     133
sftpuser3    LocalUserPublicKey     123
sftpuser4    LocalUserPublicKey     232
sftpuser5    LocalUserPassword      54
sftpuser6    LocalUserPassword      434
sftpuser7    LocalUserPassword      2343


The first four users authenticate to the Azure Blob Storage SFTP service using an SSH key (LocalUserPublicKey), and those are the users that may be affected by this SFTP keys update alert.

They need to accept the new keys when prompted after April 30th, or you can update your trusted hosts in the known_hosts file in advance, so that users are not prompted to accept the new keys.

 

========================================================
FAQs to Host keys for SSH File Transfer Protocol (SFTP) support for Azure Blob Storage

Also, see our FAQs to Host keys for SSH File Transfer Protocol (SFTP) support for Azure Blob Storage:

https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-host-keys#frequently-asked-questions


========================================================

(*) Storage Diagnostic Logs:
Create diagnostic settings: https://learn.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings?tabs=portal#create-a-diagnostic-setting

Destinations: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal#destinations
Log Analytics tutorial: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-tutorial

Log Analytics workspace - Sample Kusto queries: https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage?tabs=azure-portal#kusto-queries

Log Format and information available: https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage-reference#azure-monitor-logs-tables

Additional charges:

Storage Diagnostic Logs may incur additional charges; the most significant charges for most Azure Monitor implementations will typically be ingestion and retention of data in your Log Analytics workspaces. You can disable Storage Diagnostic Logs at any time, once you no longer need them.

Logs cost calculation: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/cost-logs

Analytic logs pricing: https://azure.microsoft.com/en-us/pricing/details/monitor/

 

========================================================

I hope this helps and clarifies any doubts about this alert on updating host keys to use SFTP on Azure Blob Storage.

Updated Apr 28, 2026
Version 1.0