Fixing "Authentication to Linux machines should require SSH keys"
I have many Linux VMs running CentOS 7.8 that are currently failing on this policy.
Policy source is https://github.com/Azure/azure-policy/blob/58fcf068ecb5e96d23958d9799cf872e687a1a4a/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json
and the "then" clause is:
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
"name": "LinuxNoPasswordForSSH",
"existenceCondition": {
"field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
"equals": "Compliant"
}
}
}
My VMs are configured as follows: they have no "guestConfiguration" resource, but password login is disabled.
{
"id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Compute/virtualMachines/REDACTED",
"name": "REDACTED",
"type": "Microsoft.Compute/virtualMachines",
"location": "westeurope",
"tags": {
...
},
"properties": {
"vmId": "REDACTED",
"hardwareProfile": {
"vmSize": "Standard_B1ms"
},
"storageProfile": {
"imageReference": {
"publisher": "OpenLogic",
"offer": "CentOS",
"sku": "7_8",
"version": "7.8.2021020400",
"exactVersion": "7.8.2021020400"
},
"osDisk": {
"osType": "Linux",
"name": "REDACTED",
"createOption": "FromImage",
"caching": "ReadOnly",
"managedDisk": {
"id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Compute/disks/REDACTED"
},
"deleteOption": "Detach"
},
"dataDisks": [
{
"lun": 0,
"name": "REDACTED",
"createOption": "Empty",
"caching": "ReadOnly",
"managedDisk": {
"id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Compute/disks/REDACTED"
},
"deleteOption": "Detach",
"toBeDetached": false
}
]
},
"osProfile": {
"computerName": "REDACTED",
"adminUsername": "REDACTED",
"linuxConfiguration": {
"disablePasswordAuthentication": true,
"ssh": {
"publicKeys": [
{
"path": "REDACTED",
"keyData": "REDACTED"
}
]
},
"provisionVMAgent": true,
"patchSettings": {
"patchMode": "ImageDefault",
"assessmentMode": "ImageDefault"
},
"enableVMAgentPlatformUpdates": false
},
"secrets": [],
"allowExtensionOperations": true
},
"networkProfile": {
"networkInterfaces": [
{
"id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/networkInterfaces/REDACTED",
"properties": {
"primary": true
}
}
]
},
"provisioningState": "Succeeded",
"timeCreated": "2023-01-16T00:14:48.5932025+00:00"
},
"resources": [
{
"name": "LinuxAgent.AzureSecurityCenter",
"id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Compute/virtualMachines/REDACTED/extensions/LinuxAgent.AzureSecurityCenter",
"type": "Microsoft.Compute/virtualMachines/extensions",
"location": "westeurope",
"properties": {
"autoUpgradeMinorVersion": false,
"provisioningState": "Succeeded",
"publisher": "Qualys",
"type": "LinuxAgent.AzureSecurityCenter",
"typeHandlerVersion": "1.0",
"settings": {
"LicenseCode": "REDACTED",
"GrayLabel": {
"CustomerID": "REDACTED",
"ResourceID": "REDACTED"
}
}
}
},
{
"name": "OmsAgentForLinux",
"id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Compute/virtualMachines/REDACTED/extensions/OmsAgentForLinux",
"type": "Microsoft.Compute/virtualMachines/extensions",
"location": "westeurope",
"properties": {
"autoUpgradeMinorVersion": true,
"provisioningState": "Succeeded",
"enableAutomaticUpgrade": false,
"publisher": "Microsoft.EnterpriseCloud.Monitoring",
"type": "OmsAgentForLinux",
"typeHandlerVersion": "1.0",
"settings": {
"workspaceId": "REDACTED"
}
}
}
]
}
What is the added value of having guest configuration in this case and how to deploy the resources needed to comply with this policy?
I deploy VMs using Ansible
Azure Policy on its own cannot directly evaluate operating-system-level configuration. The "then" clause quoted above checks for a guestConfigurationAssignments resource named LinuxNoPasswordForSSH whose complianceStatus equals "Compliant", so the VM's disablePasswordAuthentication property is not what is evaluated. To achieve compliance with the “Authentication to Linux machines should require SSH keys” requirement, you may therefore need to deploy the Azure Guest Configuration extension and the corresponding guest configuration assignment. This extension performs in‑guest audits of the SSH configuration, checking that password authentication is disabled and that only key‑based authentication is permitted.
https://learn.microsoft.com/en-us/rest/api/guestconfiguration/
https://learn.microsoft.com/en-us/azure/osconfig/quickstart-sec-baseline-mc?tabs=azure-cli
https://github.com/Azure/azure-policy/blob/58fcf068ecb5e96d23958d9799cf872e687a1a4a/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json