VM password-based authentication is enabled
Security · Virtual Machine · Rule · 2020_06 · Important
Linux virtual machines should use public keys.
Description
Linux virtual machines should have password authentication disabled so that SSH logins require a key pair, removing the surface for password guessing and other password-based attacks.
Recommendation
Consider disabling password-based authentication on Linux virtual machines and using SSH public keys instead.
Examples
Configure with Azure template
To deploy virtual machines that pass this rule:
- Set the `properties.osProfile.linuxConfiguration.disablePasswordAuthentication` property to `true`.
For example:
Azure Template snippet

```json
{
  "type": "Microsoft.Compute/virtualMachines",
  "apiVersion": "2024-03-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "hardwareProfile": {
      "vmSize": "Standard_D8d_v5"
    },
    "osProfile": {
      "computerName": "[parameters('name')]",
      "adminUsername": "[parameters('adminUsername')]",
      "linuxConfiguration": {
        "disablePasswordAuthentication": true
      }
    },
    "storageProfile": {
      "imageReference": {
        "publisher": "MicrosoftCblMariner",
        "offer": "Cbl-Mariner",
        "sku": "cbl-mariner-2-gen2",
        "version": "latest"
      },
      "osDisk": {
        "name": "[format('{0}-disk0', parameters('name'))]",
        "caching": "ReadWrite",
        "createOption": "FromImage",
        "managedDisk": {
          "storageAccountType": "Premium_LRS"
        }
      }
    },
    "networkProfile": {
      "networkInterfaces": [
        {
          "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]"
        }
      ]
    }
  },
  "zones": [
    "1"
  ],
  "dependsOn": [
    "[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]"
  ]
}
```
Configure with Bicep
To deploy virtual machines that pass this rule:
- Set the `properties.osProfile.linuxConfiguration.disablePasswordAuthentication` property to `true`.
For example:
Azure Bicep snippet

```bicep
resource linux 'Microsoft.Compute/virtualMachines@2024-03-01' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    hardwareProfile: {
      vmSize: 'Standard_D8d_v5'
    }
    osProfile: {
      computerName: name
      adminUsername: adminUsername
      linuxConfiguration: {
        disablePasswordAuthentication: true
      }
    }
    storageProfile: {
      imageReference: {
        publisher: 'MicrosoftCblMariner'
        offer: 'Cbl-Mariner'
        sku: 'cbl-mariner-2-gen2'
        version: 'latest'
      }
      osDisk: {
        name: '${name}-disk0'
        caching: 'ReadWrite'
        createOption: 'FromImage'
        managedDisk: {
          storageAccountType: 'Premium_LRS'
        }
      }
    }
    networkProfile: {
      networkInterfaces: [
        {
          id: nic.id
        }
      ]
    }
  }
  zones: [
    '1'
  ]
}
```
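As an added example covering both the template and Bicep sections above (not part of this rule's documentation or the PSRule project), the following Python script applies the same check to an ARM template's JSON, which is also what a Bicep file compiles to. The template it scans and the VM names in it are constructed for illustration.

```python
import json

# Constructed sample ARM template (not from the page): three Linux VMs, one
# Windows VM and a non-VM resource. Only "vm-keys-only" disables passwords.
SAMPLE_TEMPLATE = json.dumps({"resources": [
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-keys-only",
     "properties": {"osProfile": {"adminUsername": "azureuser",
                    "linuxConfiguration": {"disablePasswordAuthentication": True}}}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-password",
     "properties": {"osProfile": {"adminUsername": "azureuser",
                    "adminPassword": "[parameters('adminPassword')]",
                    "linuxConfiguration": {"disablePasswordAuthentication": False}}}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-unset",
     "properties": {"osProfile": {"adminUsername": "azureuser",
                    "linuxConfiguration": {}}}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-windows",
     "properties": {"osProfile": {"adminUsername": "azureuser",
                    "windowsConfiguration": {"provisionVMAgent": True}}}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stg"},
]})


def find_password_auth_vms(template_json: str) -> list[str]:
    """Return the names of Linux VMs in an ARM template that do not set
    properties.osProfile.linuxConfiguration.disablePasswordAuthentication
    to true. A missing property is reported too, because the rule expects an
    explicit true; resources without a linuxConfiguration block are skipped."""
    template = json.loads(template_json)
    failing = []
    for resource in template.get("resources", []):
        if resource.get("type") != "Microsoft.Compute/virtualMachines":
            continue
        os_profile = resource.get("properties", {}).get("osProfile", {})
        linux = os_profile.get("linuxConfiguration")
        if linux is None:
            continue  # Windows VM, or no OS profile declared in the template
        if linux.get("disablePasswordAuthentication") is not True:
            failing.append(resource.get("name", "<unnamed>"))
    return failing


if __name__ == "__main__":
    for name in find_password_auth_vms(SAMPLE_TEMPLATE):
        print(f"FAIL: {name} allows password authentication")
```

Running it against the sample reports `vm-password` and `vm-unset`; the Windows VM and the storage account are ignored because the rule only applies to Linux VMs.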
Links
- SE:08 Hardening resources
- Azure security baseline for Linux Virtual Machines
- Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure
- Azure deployment reference