CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CC-00508
- creditSnyk Research Team
Description
Password authentication is less resistant to brute force and educated guess attacks than SSH public key authentication.
How to fix?
Set properties.osProfile.linuxConfiguration.disablePasswordAuthentication attribute to true or remove the attribute.
Set the disable_password_authentication (azurerm_linux_virtual_machine) or os_profile_linux_config.disable_password_authentication (azurerm_virtual_machine) attribute to true.
Example Configuration
# azurerm_linux_virtual_machine example
resource "azurerm_linux_virtual_machine" "allowed" {
name = "example-machine"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
size = "Standard_F2"
network_interface_ids = [
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkInterfaces/test-nic",
]
os_disk {
caching = "ReadWrite"
storage_account_type = "Standard_LRS"
}
admin_username = "myusername"
disable_password_authentication = true
}
# azurerm_virtual_machine example
resource "azurerm_virtual_machine" "allowed" {
name = "example-machine"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
vm_size = "Standard_F2"
network_interface_ids = [
"/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkInterfaces/test-nic",
]
storage_os_disk {
name = "myosdisk1"
caching = "ReadWrite"
create_option = "FromImage"
managed_disk_type = "Standard_LRS"
}
os_profile_linux_config {
disable_password_authentication = true
}
}