Azure Linux scale uses password authentication
ID | azure_scale_password_authentication |
Severity | high |
Vendor | Azure |
Resource | VM |
Tags | reachable |
Description
Azure Linux Scale Set should not use basic authentication.
Virtual Machine scale sets make it easy to build highly scalable applications by allowing you to effortlessly deploy and manage a set of VMs as a group. Built on the Azure Resource Manager deployment model, VM scale sets are fully integrated with Azure load balancing and autoscale and support Windows, Linux, custom images, and extensions.
By default, a Linux scale set uses basic (password) authentication as the access credential for SSH.
Basic authentication is vulnerable to brute-force and password-guessing attacks, so SSH keys should be used instead.
See "Create and use an SSH public-private key pair for Linux VMs in Azure" to learn how to use an SSH key for authentication.
Examples
ARM
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Compute/virtualMachineScaleSets",
      "apiVersion": "2020-12-01",
      "name": "bad",
      "location": "westeurope",
      "sku": {
        "name": "Standard_DS1_v2",
        "tier": "Standard",
        "capacity": 2
      },
      "zones": [
        "1"
      ],
      "properties": {
        "singlePlacementGroup": true,
        "upgradePolicy": {
          "mode": "Automatic"
        },
        "scaleInPolicy": {
          "rules": [
            "Default"
          ]
        },
        "virtualMachineProfile": {
          "osProfile": {
            "linuxConfiguration": {
              "disablePasswordAuthentication": false
            },
            "secrets": []
          },
          "storageProfile": {
            "osDisk": {
              "osType": "Ubuntu",
              "createOption": "FromImage",
              "caching": "ReadWrite",
              "managedDisk": {
                "storageAccountType": "StandardSSD_LRS"
              },
              "diskSizeGB": 127
            },
            "imageReference": {
              "publisher": "Canonical",
              "sku": "Ubuntu-18.1",
              "version": "latest"
            }
          }
        },
        "overprovision": false,
        "doNotRunExtensionsOnOverprovisionedVMs": false,
        "platformFaultDomainCount": 5
      }
    }
  ]
}
The scale set named "bad" does not disable basic authentication: disablePasswordAuthentication is false.
Mitigation / Fix
Buildtime
ARM
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Compute/virtualMachineScaleSets",
      "apiVersion": "2020-12-01",
      "name": "good",
      "location": "westeurope",
      "sku": {
        "name": "Standard_DS1_v2",
        "tier": "Standard",
        "capacity": 2
      },
      "zones": [
        "1"
      ],
      "properties": {
        "singlePlacementGroup": true,
        "upgradePolicy": {
          "mode": "Automatic"
        },
        "scaleInPolicy": {
          "rules": [
            "Default"
          ]
        },
        "virtualMachineProfile": {
          "osProfile": {
            "linuxConfiguration": {
              "disablePasswordAuthentication": true
            },
            "secrets": []
          },
          "storageProfile": {
            "osDisk": {
              "osType": "Ubuntu",
              "createOption": "FromImage",
              "caching": "ReadWrite",
              "managedDisk": {
                "storageAccountType": "StandardSSD_LRS"
              },
              "diskSizeGB": 127
            },
            "imageReference": {
              "publisher": "Canonical",
              "sku": "Ubuntu-18.1",
              "version": "latest"
            }
          }
        },
        "overprovision": false,
        "doNotRunExtensionsOnOverprovisionedVMs": false,
        "platformFaultDomainCount": 5
      }
    }
  ]
}
The scale set named "good" disables basic authentication: disablePasswordAuthentication is true.
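A build-time check for this setting, written as an added example (it is not the scanner's own implementation): it walks an ARM template, including child resources and nested deployments, and reports every scale set whose linuxConfiguration does not set disablePasswordAuthentication to true. The function names and the SAMPLE template are hypothetical; a missing flag is reported because the page states that password authentication is the default, and scale sets without a linuxConfiguration block are skipped.

```python
VMSS_TYPE = "microsoft.compute/virtualmachinescalesets"

def dig(obj, *keys):
    """Follow nested dict keys; return None as soon as a level is missing."""
    for key in keys:
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj

def walk(resources):
    """Yield every resource, including children and nested deployment templates."""
    if isinstance(resources, dict):      # symbolic-name templates use an object
        resources = list(resources.values())
    for res in resources or []:
        if isinstance(res, dict):
            yield res
            yield from walk(res.get("resources"))
            yield from walk(dig(res, "properties", "template", "resources"))

def password_auth_findings(template):
    """Return (name, reason) for each Linux scale set that permits password logins."""
    findings = []
    for res in walk(template.get("resources")):
        if str(res.get("type", "")).lower() != VMSS_TYPE:
            continue
        linux = dig(res, "properties", "virtualMachineProfile",
                    "osProfile", "linuxConfiguration")
        if not isinstance(linux, dict):
            continue                     # assumption: no linuxConfiguration, out of scope
        flag = linux.get("disablePasswordAuthentication")
        if flag is True:
            continue
        if flag is None:
            reason = "disablePasswordAuthentication not set"
        elif isinstance(flag, str) and flag.startswith("["):
            reason = "unresolved expression " + flag   # needs parameter values to decide
        else:
            reason = "disablePasswordAuthentication is %r" % (flag,)
        findings.append((res.get("name"), reason))
    return findings

def sample_vmss(name, linux):            # hypothetical helper: builds a constructed resource
    return {"type": "Microsoft.Compute/virtualMachineScaleSets", "name": name,
            "properties": {"virtualMachineProfile": {"osProfile": {"linuxConfiguration": linux}}}}

SAMPLE = {"resources": [                 # constructed input, not a real deployment
    sample_vmss("bad", {"disablePasswordAuthentication": False}),
    sample_vmss("good", {"disablePasswordAuthentication": True}),
    sample_vmss("unset", {}),
    sample_vmss("param", {"disablePasswordAuthentication": "[parameters('noPw')]"})]}
```

Calling password_auth_findings(SAMPLE) reports "bad", "unset" and "param"; a template loaded with json.load can be passed in the same way.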