VMSS password-based authentication is enabled#
Security · Virtual Machine Scale Sets · Rule · 2022_09 · Important
Use SSH public keys instead of passwords to protect Linux virtual machine scale sets from password-based attacks such as brute-force or credential-stuffing logins.
Description#
Linux virtual machine scale sets should have password authentication disabled to help with eliminating password-based attacks.
Recommendation#
Consider disabling password-based authentication on Linux VM scale sets and using SSH public keys instead. Configure a public key for the admin user before disabling passwords, otherwise the instances have no working login.
Examples#
Configure with Azure template#
To deploy a virtual machine scale set that passes this rule:
- Set the `properties.virtualMachineProfile.osProfile.linuxConfiguration.disablePasswordAuthentication` property to `true`.
For example (the snippet below omits the public key material, `keyData`, and hard-codes the `authorized_keys` path for `azureuser` even though `adminUsername` is a parameter; a real deployment must supply the key and should derive the path from the admin user, e.g. `[concat('/home/', parameters('adminUsername'), '/.ssh/authorized_keys')]`, because with passwords disabled a missing or misplaced key leaves every instance unreachable):
Azure Template snippet
{
"type": "Microsoft.Compute/virtualMachineScaleSets",
"apiVersion": "2024-07-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"sku": {
"name": "Standard_D8d_v5",
"tier": "Standard",
"capacity": 3
},
"properties": {
"overprovision": true,
"upgradePolicy": {
"mode": "Automatic"
},
"singlePlacementGroup": true,
"virtualMachineProfile": {
"storageProfile": {
"osDisk": {
"caching": "ReadWrite",
"createOption": "FromImage"
},
"imageReference": {
"publisher": "MicrosoftCblMariner",
"offer": "Cbl-Mariner",
"sku": "cbl-mariner-2-gen2",
"version": "latest"
}
},
"osProfile": {
"adminUsername": "[parameters('adminUsername')]",
"computerNamePrefix": "vmss-01",
"linuxConfiguration": {
"disablePasswordAuthentication": true,
"provisionVMAgent": true,
"ssh": {
"publicKeys": [
{
"path": "/home/azureuser/.ssh/authorized_keys"
}
]
}
}
},
"networkProfile": {
"networkInterfaceConfigurations": [
{
"name": "vmss-001",
"properties": {
"primary": true,
"enableAcceleratedNetworking": true,
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"primary": true,
"subnet": {
"id": "[parameters('subnetId')]"
},
"privateIPAddressVersion": "IPv4",
"loadBalancerBackendAddressPools": [
{
"id": "[parameters('backendPoolId')]"
}
]
}
}
]
}
}
]
}
}
},
"zones": [
"1",
"2",
"3"
]
}
Configure with Bicep#
To deploy a virtual machine scale set that passes this rule:
- Set the `properties.virtualMachineProfile.osProfile.linuxConfiguration.disablePasswordAuthentication` property to `true`.
For example:
Azure Bicep snippet
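// Linux virtual machine scale set that passes this rule: password-based
// authentication is disabled and only SSH public-key login is configured.
resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2024-07-01' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  sku: {
    name: 'Standard_D8d_v5'
    tier: 'Standard'
    capacity: 3
  }
  properties: {
    overprovision: true
    upgradePolicy: {
      mode: 'Automatic'
    }
    singlePlacementGroup: true
    virtualMachineProfile: {
      storageProfile: {
        osDisk: {
          caching: 'ReadWrite'
          createOption: 'FromImage'
        }
        imageReference: {
          publisher: 'MicrosoftCblMariner'
          offer: 'Cbl-Mariner'
          sku: 'cbl-mariner-2-gen2'
          version: 'latest'
        }
      }
      osProfile: {
        adminUsername: adminUsername
        computerNamePrefix: 'vmss-01'
        linuxConfiguration: {
          // The property this rule checks: no password login on any instance.
          disablePasswordAuthentication: true
          provisionVMAgent: true
          ssh: {
            publicKeys: [
              {
                // Derive the authorized_keys path from the admin user instead of
                // hard-coding 'azureuser'. With passwords disabled, a key placed
                // under the wrong home directory leaves the instances unreachable.
                path: '/home/${adminUsername}/.ssh/authorized_keys'
                // keyData (the SSH public key itself) is omitted from this example;
                // a real deployment must supply it or no login is possible.
              }
            ]
          }
        }
      }
      networkProfile: {
        networkInterfaceConfigurations: [
          {
            name: 'vmss-001'
            properties: {
              primary: true
              enableAcceleratedNetworking: true
              ipConfigurations: [
                {
                  name: 'ipconfig1'
                  properties: {
                    primary: true
                    subnet: {
                      id: subnetId
                    }
                    privateIPAddressVersion: 'IPv4'
                    loadBalancerBackendAddressPools: [
                      {
                        id: backendPoolId
                      }
                    ]
                  }
                }
              ]
            }
          }
        ]
      }
    }
  }
  zones: [
    '1'
    '2'
    '3'
  ]
}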
Links#
- SE:08 Hardening resources
- Azure security baseline for Linux Virtual Machines
- Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure
- Azure deployment reference