Check for SSH Authentication Type

Risk Level: High (act today)

Rule ID: VirtualMachines-007

Ensure that your production Microsoft Azure virtual machines are configured to use SSH keys instead of username/password credentials for SSH authentication.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Using SSH keys instead of common credentials (i.e. username and password) represents the best way to secure your Linux virtual machines against malicious activities such as brute-force attacks, by providing a level of authorization that can only be fulfilled by privileged users who have ownership to the private key associated with the public key created on these virtual machines. An attacker may be able to get access to the virtual machine’s public key, but without the associated private key, he/she will be unable to gain shell access to the server.

Audit

To determine if your Azure Linux virtual machines are configured to use SSH keys, perform the following actions:

Note: Getting Azure virtual machine's SSH authentication type using Microsoft Azure Management Console is not currently supported.

Using Azure CLI

01 Run vm list command (Windows/macOS/Linux) using custom query filters to list the ID of each virtual machine (VM) deployed in the current Azure subscription:

az vm list
    --query '[*].id'

02 The command output should return the requested virtual machine identifiers (IDs):

[
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-gateway-app-server",
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-internal-app-server"
]

03 Run vm show command (Windows/macOS/Linux) using the ID of the virtual machine that you want to examine as identifier parameter and custom query filters to obtain the SSH password authentication status for the selected Azure virtual machine (VM):

az vm show
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-gateway-app-server"
    --query 'osProfile.linuxConfiguration.disablePasswordAuthentication'

04 The command output should return the requested password authentication status:

false

If the vm show command output returns false, as shown in the example above, the SSH authentication type for the selected Microsoft Azure virtual machine is password-based, therefore the SSH authentication method configured for the specified VM is not secure.

05 Repeat step no. 3 and 4 for each Azure virtual machine (VM) available within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To reconfigure your password-based Microsoft Azure Linux virtual machines to use keys for SSH authentication, you have to re-create the virtual machines. To redeploy the appropriate virtual machines (VMs) with the right SSH configuration, perform the following actions:

Note: Enabling SSH key-based authentication for Linux virtual machines using Microsoft Azure Management Console is not currently supported.

Using Azure Console

01 Connect to the Azure Linux virtual machine that you want to reconfigure using your preferred SSH client and run the following command to deprovision the selected VM by using the Azure virtual machine agent to delete machine-specific data and clean the system to make it suitable for reprovisioning:

sudo waagent -deprovision -force

02 The command output should return the following confirmation message:

WARNING! The waagent service will be stopped.
WARNING! Cached DHCP leases will be deleted.
WARNING! root password will be disabled. You will not be able to login as root.
WARNING! /etc/resolv.conf will NOT be removed.

03 Run vm deallocate command (Windows/macOS/Linux) to deallocate/shutdown the Azure virtual machine that you want to re-create – see Audit section part II to identify the right VM (the command does not produce an output):

az vm deallocate
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-gateway-app-server"

04 Run vm generalize command (Windows/macOS/Linux) to mark the selected Azure virtual machine as generalized, allowing it to be imaged for multiple deployments (the command does not return an output):

az vm generalize
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-gateway-app-server"

05 Run image create command (Windows/macOS/Linux) using the ID of the virtual machine that you want to redeploy as --source parameter to create an image for the selected Azure VM:

az image create
    --name cc-gateway-app-server-image --resource-group cloud-shell-storage-westeurope
    --source "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-gateway-app-server"

06 The command output should return the new image configuration metadata:

{
  "hyperVgeneration": "V1",
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/images/cc-gateway-app-server-image",
  "location": "westeurope",
  "name": "cc-gateway-app-server-image",
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "sourceVirtualMachine": {
    "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-gateway-app-server",
    "resourceGroup": "CLOUD-SHELL-STORAGE-WESTEUROPE"
  },
  "storageProfile": {
    "dataDisks": [],
    "osDisk": {
      "blobUri": null,
      "caching": "ReadWrite",
      "diskSizeGb": 100,
      "managedDisk": {
        "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/disks/cc-gateway-app-server_disk1_01234567890",
        "resourceGroup": "cloud-shell-storage-westeurope"
      },
      "osState": "Generalized",
      "osType": "Linux",
      "snapshot": null,
      "storageAccountType": "Premium_LRS"
    },
    "zoneResilient": null
  },
  "tags": {},
  "type": "Microsoft.Compute/images"
}

07 Run vm create command (Windows/macOS/Linux) to create and deploy your new Microsoft Azure virtual machine using the VM image created at the previous steps. Use --generate-ssh-keys parameter to generate the SSH public and private key (i.e. 'id_rsa.pub' and 'id_rsa') required for SSH authentication:

az vm create
    --resource-group cloud-shell-storage-westeurope
    --name cc-gateway-app-server-secured
    --image cc-gateway-app-server-image
    --admin-username cc-azure-user
    --generate-ssh-keys

08 The command output should return the vm create command request metadata:

SSH key files '/home/cloud/.ssh/id_rsa' and '/home/cloud/.ssh/id_rsa.pub' have been generated under ~/.ssh to allow SSH access to the VM. If using machines without permanent storage, back up your keys to a safe location.
{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachines/cc-gateway-app-server-secured",
  "location": "westeurope",
  "macAddress": "00-11-22-33-44-55",
  "powerState": "VM running",
  "privateIpAddress": "10.0.1.10",
  "publicIpAddress": "192.164.5.120",
  "resourceGroup": "cloud-shell-storage-westeurope"
}

09 Run vm delete command (Windows/macOS/Linux) to terminate the source (old) Azure virtual machine in order to stop incur service charges (the command does not produce an output):

SSH key files '/home/cloud/.ssh/id_rsa' and '/home/cloud/.ssh/id_rsa.pub' have been generated under ~/.ssh to allow SSH access to the VM. If using machines without permanent storage, back up your keys to a safe location.
az vm delete
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-gateway-app-server"
    --no-wait
    --yes

10 If required, repeat steps no. 1 – 9 for each Azure virtual machine deployed in the current subscription.

11 Repeat steps no. 1 – 10 for each subscription available within your Microsoft Azure cloud account.

References

Publication date Jun 24, 2020

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing: