Ensure Azure instance authenticates using SSH keys

Error: Azure instance does not authenticate using SSH keys

Bridgecrew Policy ID: BC_AZR_NETWORKING_1
Checkov Check ID: CKV_AZURE_1
Severity: HIGH

Description

SSH is an encrypted connection protocol that allows secure sign-ins over unsecured networks. SSH is the default connection protocol for Linux VMs hosted in Azure. Using a secure shell (SSH) key pair, it is possible to spin up a Linux virtual machine on Azure that defaults to using SSH keys for authentication, eliminating the need for passwords to sign in.

We recommend connecting to a VM using SSH keys. Using basic (password) authentication with SSH connections leaves VMs vulnerable to brute-force and password-guessing attacks.

Fix - Runtime

Azure Portal

To change the policy using the Azure Portal, follow these steps:

  1. Log in to the Azure Portal at https://portal.azure.com.
  2. Enter virtual machines in the search bar.
  3. Under Services, select Virtual machines.
  4. Under Administrator account, select SSH public key.
  5. For SSH public key source, use the default Generate new key pair, then for Key pair name enter myKey.
  6. Under Inbound port rules > Public inbound ports, select Allow selected ports, then select SSH (22) and HTTP (80) from the drop-down.
  7. Leave the remaining default settings. At the bottom of the page click Review + create.

CLI Command

The --generate-ssh-keys parameter automatically generates an SSH key pair if one is not already present and stores it in the default key location (~/.ssh); existing keys in that location are reused.

az vm create \
  --resource-group myResourceGroup \
  --name myVM \
  --image UbuntuLTS \
  --admin-username azureuser \
  --generate-ssh-keys

Fix - Buildtime

Terraform

  • Resource: azurerm_linux_virtual_machine
  • Argument: admin_ssh_key

resource "azurerm_linux_virtual_machine" "example" {
  ...

  # disable_password_authentication defaults to true on this resource;
  # do not set it to false, or password logins remain enabled.
+  admin_ssh_key {
+    username   = "adminuser"
+    public_key = file("~/.ssh/id_rsa.pub")
+  }
}

ARM Template

  • Resource: Microsoft.Compute/virtualMachines
  • Argument: disablePasswordAuthentication

...
      "linuxConfiguration": {
+       "disablePasswordAuthentication": true,
        "ssh": {
          "publicKeys": [
            {
              "path": "string",
              "keyData": "string"
            }
          ]
        }
      },
...
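As an added example (not Bridgecrew's or Checkov's own code), the following Python check applies the rule above to an ARM template: every Microsoft.Compute/virtualMachines resource with a linuxConfiguration must set disablePasswordAuthentication to true and carry at least one SSH public key. The template it scans is constructed inline, and the VM names and key values in it are placeholders.

```python
import json

# Constructed ARM template (sample data, not from the page): one VM that
# allows SSH keys only, one that still permits password logins, one non-VM.
SAMPLE_TEMPLATE = json.dumps({"resources": [
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-ssh-only",
     "properties": {"osProfile": {"linuxConfiguration": {
         "disablePasswordAuthentication": True,
         "ssh": {"publicKeys": [{"path": "/home/azureuser/.ssh/authorized_keys",
                                 "keyData": "ssh-ed25519 AAAA-placeholder"}]}}}}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-password",
     "properties": {"osProfile": {"linuxConfiguration": {
         "disablePasswordAuthentication": False}}}},
    {"type": "Microsoft.Network/networkInterfaces", "name": "nic-1", "properties": {}},
]})


def _is_true(value):
    """Accept the boolean form and, as written on this page, the string "true"."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def check_linux_vm(resource):
    """Return (passed, reason) for one Microsoft.Compute/virtualMachines resource.

    Passes only when password authentication is explicitly disabled and at least
    one SSH public key is present. A missing flag fails: ARM leaves password
    authentication enabled unless the template turns it off.
    """
    linux = resource.get("properties", {}).get("osProfile", {}).get("linuxConfiguration")
    if linux is None:
        return True, "skipped: no linuxConfiguration (not a Linux VM)"
    if not _is_true(linux.get("disablePasswordAuthentication")):
        return False, "disablePasswordAuthentication is not true"
    if not (linux.get("ssh") or {}).get("publicKeys"):
        return False, "no ssh.publicKeys configured"
    return True, "SSH key authentication only"


def scan_template(template_json):
    """Map VM name -> (passed, reason) for every VM resource in the template."""
    template = json.loads(template_json)
    return {r["name"]: check_linux_vm(r)
            for r in template.get("resources", [])
            if r.get("type") == "Microsoft.Compute/virtualMachines"}
```

Running `scan_template(SAMPLE_TEMPLATE)` reports vm-ssh-only as passing and vm-password as failing, and ignores the network interface.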