VM password-based authentication is enabled

Security · Virtual Machine · Rule · 2020_06 · Important

Linux virtual machines should use public keys.

Description

Linux virtual machines should have password authentication disabled to help eliminate password-based attacks.

Recommendation

Consider disabling password-based authentication on Linux virtual machines and using public keys instead.

Examples

Configure with Azure template

To deploy virtual machines that pass this rule:

  • Set the properties.osProfile.linuxConfiguration.disablePasswordAuthentication property to true.

For example:

Azure Template snippet
{
  "type": "Microsoft.Compute/virtualMachines",
  "apiVersion": "2024-03-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "hardwareProfile": {
      "vmSize": "Standard_D8d_v5"
    },
    "osProfile": {
      "computerName": "[parameters('name')]",
      "adminUsername": "[parameters('adminUsername')]",
      "linuxConfiguration": {
        "disablePasswordAuthentication": true
      }
    },
    "storageProfile": {
      "imageReference": {
        "publisher": "MicrosoftCblMariner",
        "offer": "Cbl-Mariner",
        "sku": "cbl-mariner-2-gen2",
        "version": "latest"
      },
      "osDisk": {
        "name": "[format('{0}-disk0', parameters('name'))]",
        "caching": "ReadWrite",
        "createOption": "FromImage",
        "managedDisk": {
          "storageAccountType": "Premium_LRS"
        }
      }
    },
    "networkProfile": {
      "networkInterfaces": [
        {
          "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]"
        }
      ]
    }
  },
  "zones": [
    "1"
  ],
  "dependsOn": [
    "[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]"
  ]
}

Configure with Bicep

To deploy virtual machines that pass this rule:

  • Set the properties.osProfile.linuxConfiguration.disablePasswordAuthentication property to true.

For example:

Azure Bicep snippet
resource linux 'Microsoft.Compute/virtualMachines@2024-03-01' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    hardwareProfile: {
      vmSize: 'Standard_D8d_v5'
    }
    osProfile: {
      computerName: name
      adminUsername: adminUsername
      linuxConfiguration: {
        disablePasswordAuthentication: true
      }
    }
    storageProfile: {
      imageReference: {
        publisher: 'MicrosoftCblMariner'
        offer: 'Cbl-Mariner'
        sku: 'cbl-mariner-2-gen2'
        version: 'latest'
      }
      osDisk: {
        name: '${name}-disk0'
        caching: 'ReadWrite'
        createOption: 'FromImage'
        managedDisk: {
          storageAccountType: 'Premium_LRS'
        }
      }
    }
    networkProfile: {
      networkInterfaces: [
        {
          id: nic.id
        }
      ]
    }
  }
  zones: [
    '1'
  ]
}
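The same check applied statically to a template before deployment, as an added example rather than PSRule's own rule implementation: it walks the `resources` array, treats a VM with no `linuxConfiguration` as out of scope, treats an omitted `disablePasswordAuthentication` as `false` (the Azure default), and flags a value that is an ARM expression as unresolved. The template below is a constructed sample, not the snippet from this page.

```python
import json
from typing import Dict

VM_TYPE = "microsoft.compute/virtualmachines"

# Constructed sample: one compliant Linux VM, one Linux VM that omits the
# property (so passwords stay enabled), one that parameterises it, one Windows VM.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {"type": "Microsoft.Compute/virtualMachines", "name": "linux-ok",
         "properties": {"osProfile": {"linuxConfiguration": {"disablePasswordAuthentication": True}}}},
        {"type": "Microsoft.Compute/virtualMachines", "name": "linux-pw",
         "properties": {"osProfile": {"linuxConfiguration": {"provisionVMAgent": True}}}},
        {"type": "Microsoft.Compute/virtualMachines", "name": "linux-param",
         "properties": {"osProfile": {"linuxConfiguration": {
             "disablePasswordAuthentication": "[parameters('disablePw')]"}}}},
        {"type": "Microsoft.Compute/virtualMachines", "name": "win-01",
         "properties": {"osProfile": {"windowsConfiguration": {"provisionVMAgent": True}}}},
    ]
})


def evaluate_vm(resource: Dict) -> str:
    """Return 'Pass', 'Fail', 'Unknown' or 'NotApplicable' for one ARM resource."""
    if resource.get("type", "").lower() != VM_TYPE:
        return "NotApplicable"
    os_profile = resource.get("properties", {}).get("osProfile", {})
    linux = os_profile.get("linuxConfiguration")
    if linux is None:
        # No linuxConfiguration: Windows VM or specialised-disk VM, rule out of scope.
        return "NotApplicable"
    value = linux.get("disablePasswordAuthentication")
    if isinstance(value, str) and value.strip().startswith("["):
        # ARM expression: cannot be decided without resolving parameters.
        return "Unknown"
    # Default when omitted is false, so only an explicit true passes.
    return "Pass" if value is True else "Fail"


def evaluate_template(template_json: str) -> Dict[str, str]:
    """Map each virtualMachines resource name in a template to its rule result."""
    template = json.loads(template_json)
    return {r["name"]: evaluate_vm(r)
            for r in template.get("resources", [])
            if r.get("type", "").lower() == VM_TYPE}


if __name__ == "__main__":
    for name, outcome in evaluate_template(SAMPLE_TEMPLATE).items():
        print(f"{name}: {outcome}")
```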
