Azure Fleet password-based authentication is enabled
Security · Azure Fleet · Rule · 2026_06 · Important
Use SSH keys instead of common credentials to secure Linux Azure Fleet VMs against malicious activities.
Description
Linux Azure Fleet virtual machine profiles should have password authentication disabled to help eliminate password-based attacks.
Recommendation
Consider disabling password-based authentication on Linux Azure Fleet VM profiles and instead use public keys.
Examples
Configure with Bicep
To deploy an Azure Fleet that passes this rule:
- Set the properties.computeProfile.baseVirtualMachineProfile.osProfile.linuxConfiguration.disablePasswordAuthentication property to true.
For example:
Azure Bicep snippet
resource linux_fleet 'Microsoft.AzureFleet/fleets@2024-11-01' = {
  name: name
  location: location
  properties: {
    computeProfile: {
      baseVirtualMachineProfile: {
        osProfile: {
          computerNamePrefix: 'fleet'
          adminUsername: adminUsername
          linuxConfiguration: {
            disablePasswordAuthentication: true
            provisionVMAgent: true
            ssh: {
              publicKeys: [
                {
                  path: '/home/azureuser/.ssh/authorized_keys'
                  keyData: sshPublicKey
                }
              ]
            }
          }
        }
        storageProfile: {
          imageReference: {
            publisher: 'MicrosoftCblMariner'
            offer: 'azure-linux-3'
            sku: 'azure-linux-3-gen2'
            version: 'latest'
          }
          osDisk: {
            createOption: 'FromImage'
            caching: 'ReadWrite'
            managedDisk: {
              storageAccountType: 'Premium_LRS'
            }
          }
        }
        networkProfile: {
          networkInterfaceConfigurations: [
            {
              name: 'netconfig'
              properties: {
                ipConfigurations: [
                  {
                    name: 'ipconfig'
                    properties: {
                      primary: true
                      subnet: {
                        id: subnetId
                      }
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    }
    vmSizesProfile: [
      {
        name: 'Standard_D8ds_v6'
        rank: 0
      }
    ]
    regularPriorityProfile: {
      minCapacity: 1
      capacity: 5
      allocationStrategy: 'Prioritized'
    }
  }
}
Configure with Azure template
To deploy an Azure Fleet that passes this rule:
- Set the properties.computeProfile.baseVirtualMachineProfile.osProfile.linuxConfiguration.disablePasswordAuthentication property to true.
For example:
Azure Template snippet
{
  "type": "Microsoft.AzureFleet/fleets",
  "apiVersion": "2024-11-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "computeProfile": {
      "baseVirtualMachineProfile": {
        "osProfile": {
          "computerNamePrefix": "fleet",
          "adminUsername": "[parameters('adminUsername')]",
          "linuxConfiguration": {
            "disablePasswordAuthentication": true,
            "provisionVMAgent": true,
            "ssh": {
              "publicKeys": [
                {
                  "path": "/home/azureuser/.ssh/authorized_keys",
                  "keyData": "[parameters('sshPublicKey')]"
                }
              ]
            }
          }
        },
        "storageProfile": {
          "imageReference": {
            "publisher": "MicrosoftCblMariner",
            "offer": "Cbl-Mariner",
            "sku": "cbl-mariner-2-gen2",
            "version": "latest"
          },
          "osDisk": {
            "createOption": "FromImage",
            "caching": "ReadWrite",
            "managedDisk": {
              "storageAccountType": "Premium_LRS"
            }
          }
        },
        "networkProfile": {
          "networkInterfaceConfigurations": [
            {
              "name": "netconfig",
              "properties": {
                "ipConfigurations": [
                  {
                    "name": "ipconfig",
                    "properties": {
                      "primary": true,
                      "subnet": {
                        "id": "[parameters('subnetId')]"
                      }
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    },
    "vmSizesProfile": [
      {
        "name": "Standard_D8ds_v6",
        "rank": 0
      }
    ],
    "regularPriorityProfile": {
      "minCapacity": 1,
      "capacity": 5,
      "allocationStrategy": "Prioritized"
    }
  }
}
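A pre-deployment check for the property described above, as an added example (not part of the original page and not the rule's own implementation). The function names, the constructed sample template, the choice to fail a parameter reference that has no true default, and the extra SSH public key check are assumptions of this example.

```python
import re

FLEET_TYPE = "Microsoft.AzureFleet/fleets"
# Matches a value that is exactly one parameter reference, e.g. "[parameters('x')]".
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def resolve(value, parameters):
    """Resolve a bare [parameters('x')] expression to its defaultValue (None if absent)."""
    if isinstance(value, str):
        m = PARAM_REF.match(value.strip())
        if m:
            return parameters.get(m.group(1), {}).get("defaultValue")
    return value

def check_fleets(template):
    """Return (resource name, finding) pairs for Linux fleet profiles that fail."""
    parameters = template.get("parameters", {})
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != FLEET_TYPE.lower():
            continue
        os_profile = (res.get("properties", {}).get("computeProfile", {})
                      .get("baseVirtualMachineProfile", {}).get("osProfile", {}))
        linux = os_profile.get("linuxConfiguration")
        if linux is None:
            continue  # no Linux configuration: outside the scope of this check
        name = res.get("name", "<unnamed>")
        # A missing property or an unresolved expression is treated as a failure.
        if resolve(linux.get("disablePasswordAuthentication"), parameters) is not True:
            findings.append((name, "disablePasswordAuthentication is not true"))
        # Assumption of this example: also require at least one SSH public key.
        if not linux.get("ssh", {}).get("publicKeys"):
            findings.append((name, "no SSH public key configured"))
    return findings

def sample_fleet(name, linux):
    """Build a minimal fleet resource (constructed sample data)."""
    return {"type": FLEET_TYPE, "apiVersion": "2024-11-01", "name": name,
            "properties": {"computeProfile": {"baseVirtualMachineProfile": {
                "osProfile": {"adminUsername": "azureuser", "linuxConfiguration": linux}}}}}

# Constructed sample template: one passing fleet, one failing fleet.
SAMPLE = {
    "parameters": {"disablePwd": {"type": "bool", "defaultValue": False}},
    "resources": [
        sample_fleet("fleet-ok", {"disablePasswordAuthentication": True, "ssh": {"publicKeys": [
            {"path": "/home/azureuser/.ssh/authorized_keys", "keyData": "ssh-rsa AAAA...constructed"}]}}),
        sample_fleet("fleet-bad", {"disablePasswordAuthentication": "[parameters('disablePwd')]"}),
    ],
}

if __name__ == "__main__":
    for name, finding in check_fleets(SAMPLE):
        print(f"FAIL {name}: {finding}")
```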
Links
- SE:08 Hardening resources
- Security: Level 2
- Azure security baseline for Linux Virtual Machines
- Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure
- Azure deployment reference