Microsoft Azure supports several Linux distributions, and Linux is a first-class citizen in the Azure world. When provisioning a new Linux virtual machine, we have several methods to authenticate to the newly created Linux VM: passwords, SSH Keys, and Azure AD.
Using the traditional password method, especially on a VM with a public IP, exposes the VM to potential brute-force attacks. On the other hand, using SSH Keys for authentication helps to mitigate that risk because it eliminates the use of passwords to log in.
In this article, we will configure a Linux VM to use password and SSH Keys authentication, and then move from password to SSH Keys to improve your security.
Getting the tools
Before trying out the several types of authentication available for a Linux VM, we need to make sure that we have all the tools ready to go on our desktop. For this article, it is pretty straightforward: we need to download and install PuTTY.
The installation process is simple, and we will use it to connect to the Linux VM and also generate the SSH Keys required for SSH authentication.
By default, PuTTY will be installed under C:\Program Files\Putty, and we are going to use mainly putty.exe to connect to our VMs, and puttygen.exe to generate SSH Keys when required.
Using password authentication
When provisioning a new virtual machine using the Microsoft Azure Portal, in the first section of the wizard we select Password as the authentication type, and then define the username and password.
Leave default settings (perhaps change the VNET in Step 3: Settings) when completing the wizard to provision the new VM. The default settings will assign a public IP to the VM and we will use that to connect remotely at this time.
After the VM is provisioned, we can click on it and on the Overview page, click on Connect and a new blade will display all the information that we need to connect to our new Linux VM under the SSH tab.
Since we are running Windows 10 on our desktop, we will take advantage of PuTTY to connect to the new Linux VM. Open PuTTY and add the IP address provided in the previous step in the Host Name (or IP Address) field. If you use the format username@IP-address, you avoid typing the username when connecting to the host.
As soon as you connect to the machine, provide the username and/or password that we defined during the provisioning of the VM, and we will have access to the console.
After logging on to the Linux VM, we can change the root password, using sudo passwd root and specifying the new password, as depicted in the image below.
Using SSH public key authentication
The first step is to generate a pair of asymmetric keys to be used with SSH authentication.
We are going to use PuTTY Key Generator to create the key pair. Run the puttygen.exe file. When generating the key, make sure to move your mouse over the blank area of the wizard, and that will generate some randomness that will be used during the creation of the new key pair.
The public key will be displayed and we are going to use that information during the VM provisioning. The next step is to define a key passphrase, and last but not least, save both keys in a secure location. We can restore this view at any time by loading any previous private key and providing the passphrase.
Now that we have a public key in our hands, we are going to provision a new Linux VM, and we will define a username (“batman,” for example). Select SSH public key and paste the public key, and continue with the provisioning of the VM using default values.
Note: We have several options to create a key pair. Using Azure CLI for instance, we can generate the SSH key pair as part of the provisioning of the VM.
In order to connect using SSH Keys, we will need to configure PuTTY with our private key, which is the counterpart of the public key that we inserted during the provisioning of the Linux VM. Expand Connection, SSH, Auth, and select the private key file.
When connecting the first time, the passphrase requested is the one for the private key, which we defined during the generation of the key pair. Note that the string rsa-key-20180518 is the key comment field set during the process of generating a new key pair.
If we check the file authorized_keys, we will see the public key that we defined during the provisioning of the VM. The content of the public key file (the notepad file on our desktop) is the same as the content on the Linux VM.
Switching from password to SSH Keys
It is crystal clear that authentication over SSH Keys is more secure than just passwords, and we are going through the process to change from a VM configured with a password to use SSH Keys.
The first step is to populate the .ssh/authorized_keys file, and a simple way to do that is using the following command: echo "ssh-rsa <single-line-public-key>" >> ~/.ssh/authorized_keys. In case the folder or the file does not exist, we must create them.
Another important point is that the file and folder must have appropriate permissions (the last command ls -la shows that in detail).
Our next step is to try to log on using SSH Keys, which is the same procedure from the previous section. If that works, we are in good shape to stop allowing password authentication.
We are going to edit the file /etc/ssh/sshd_config and change the value of PasswordAuthentication to no, as depicted in the image below. After that, we just need to restart the ssh service by running the following command: sudo systemctl restart ssh
To test our solution, we can try to log on using passwords that used to work. However, at this time we should be getting an error similar to this one.
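The switch described above, written as an added example that is not part of the original article. The function names (install_key, effective_password_auth, disable_password_auth) and the sample key are constructed for illustration, and the config handling assumes whitespace-separated keywords and no Match blocks; it relies on sshd using the first value it reads for a keyword.

```sh
#!/bin/sh
# Added example: each step takes a path, so it can be rehearsed on a scratch
# directory before it is pointed at ~ and /etc/ssh/sshd_config on the VM.

install_key() (   # usage: install_key <home_dir> "<single-line-public-key>"
  home=$1 key=$2 file="$1/.ssh/authorized_keys"
  nl='
'
  case $key in
    *"$nl"*) exit 1 ;;                                  # must be one line
    "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*" "*) ;;  # known key types
    *) exit 1 ;;
  esac
  mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || exit 1
  touch "$file" && chmod 600 "$file" || exit 1
  # Idempotent: append only if this exact line is not already present.
  grep -qxF -- "$key" "$file" || printf '%s\n' "$key" >> "$file"
)

effective_password_auth() (   # usage: effective_password_auth <sshd_config>
  # First active occurrence wins; with none present the default is yes.
  val=$(awk 'tolower($1)=="passwordauthentication"{print tolower($2); exit}' "$1")
  echo "${val:-yes}"
)

disable_password_auth() (   # usage: disable_password_auth <sshd_config>
  cp -p "$1" "$1.bak" || exit 1   # keep a copy to roll back to
  # Put the new setting on the first line so it is read before anything else,
  # and comment out every active PasswordAuthentication line that follows.
  { echo 'PasswordAuthentication no'
    awk 'tolower($1)=="passwordauthentication"{print "#" $0; next} {print}' "$1.bak"
  } > "$1"
)

# --- rehearsal on constructed sample data (not a real key or config) ---
demo=$(mktemp -d)
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABexample rsa-key-20180518'
printf '%s\n' '#Port 22' 'PasswordAuthentication yes' 'UsePAM yes' > "$demo/sshd_config"
install_key "$demo" "$SAMPLE_KEY" && disable_password_auth "$demo/sshd_config"
echo "PasswordAuthentication is now: $(effective_password_auth "$demo/sshd_config")"
# On the VM: keep the current session open, validate the edited file with
# `sudo sshd -t`, then `sudo systemctl restart ssh` and test the key login
# from a second PuTTY window before closing the first.
```

On the VM, call the functions with "$HOME" and (as root) /etc/ssh/sshd_config; the .bak copy is the rollback if the key login fails.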
Your Linux VM is ready!
Congratulations! Not only have you successfully configured a Linux VM in Microsoft Azure, but you have bumped up your security with SSH Keys.