Azure AD login for Linux VMs from a security perspective

Hello Azure enthusiasts,

have you heard about Azure AD login for Linux VMs, a new preview feature on Azure AD? Have you given it a try? Well, I have and currently, I’m not yet fully convinced if it’s a curse or blessing in terms of governance and security. But first things first…

Azure AD login for Linux VMs enables you to use your Azure AD accounts for SSH logins on your Azure VMs.  The value propositions according to the official documentation are improved security and seamless collaboration what makes sense if you imagine that using AAD login you can leverage all the security features including RBAC and MFA for the SSH login process on your Linux servers. All you need to do is to enable the AADLoginForLinux VM extension for your Azure VM and granting access rights to a user account using an RBAC role assignment.

To enable the extension for an existing VM you can use the following PowerShell command:

Set-AzureRmVMExtension `
-Publisher Microsoft.Azure.ActiveDirectory.LinuxSSH `
-Name AADLoginForLinux `
-ResourceGroupName myResourceGroup `
-VMName myVM `
-Location WestEurope `
-ExtensionType AADLoginForLinux `
-TypeHandlerVersion 1.0

For being allowed to login using Azure AD credentials the user account must be assigned either the Virtual Machine Administrator Login or Virtual Machine User Login RBAC role. An Azure user with the Owner or Contributor roles assigned for a VM do not automatically have privileges to log in to the VM over SSH.

$scope = (Get-AzureRmVM -ResourceGroupName LinuxSecurity -Name UbuntuVm01).id
New-AzureRmRoleAssignment `
-SignInName user@domain.com `
-RoleDefinitionName "Virtual Machine Administrator Login" `
-Scope $scope

When you then connect to your virtual machine using the following command

ssh user@domain.com@yourVM'sExternalIPAddress

you are prompted to open the page https://microsoft.com/devicelogin, enter a code you are shown in the CLI session, and then to authenticate with your Azure AD credentials.

You are prompted to perform a device login.
You are prompted to perform a device login.

It’s the same procedure you know from logins with Azure CLI for example – with all the AAD security such as MFA in place.

Linux VMs and SSH access using RSA key pairs

SSH access to Linux servers is usually not only used interactively, but also in automation tasks. By using SSH key pairs you’re able to remotely connect to a Linux server just like you were using PowerShell Remoting.

You can do so using ssh-keygen, a command-line tool that generates a public/private rsa key pair. During generation you are prompted to enter a file path (by default: /your_home/.ssh/id_rsa) and a password for the private key (not mandatory!). You then copy the public key to the Linux server’s disk and are ready to go.

Now, if you enable Azure AD login for this respective Linux VM and assign a user the Virtual Machine Administrator Login role you’d expect to have full access control to your Azure environment, including your Linux VMs. You’d expect that by removing the aforementioned RBAC role assignment you could revoke access rights to the VM(s) in scope. But that is only half the truth.

The user is able to create a key pair and copy the public key to the VM. So far, so good. But: as of now the user can connect to the Azure VM using the RSA key and no longer leveraging the AAD login mechanism:

01_sshLogin
Login attempt with an AAD user account and active RSA key pair

As you see you are no longer prompted to authenticate using the device login process but to enter the passphrase for your private key. If you remove the Azure role assignment for the user account the RSA public key on the server and the Linux user account will not  be removed so SSH access to the Linux VM will still be possible using the RSA key pair!

Make sure you care for security

To be fair I need to mention that the user will only have unpriviledged access on this server because as soon as he or she tries to run a command that needs elevated rights the device login prompt will appear again, and without the RBAC role assignment this try will fail.

02_sudo
Device login prompt after trying to run a command with elevated access on an Ubuntu 16.04 VM

But nevertheless the user is still able to connect to the server, to access and maybe to manipulate data which is a big security issue that needs to be addressed. So it’s not enough to only enable AAD login to the Linux VM; you will need to plan for user management on your Linux VM as well. At least you will need a user phase-out process in which you define how to clean up your Linux VMs in Azure. Knowing these facts will definitely help you to appropriately plan your Azure Security and Governance strategies and to avoid self-made backdoors in your Azure environments. Make sure to plan first and execute second and be aware of the fact that enabling AAD access to Linux VMs does not mean you can forget about operating system management!

During my upcoming conference tour this fall I will address this and other topics in my talks so make sure you don’t miss them.

Stay tuned and bye for now,
Tom

 

 

Author: Thomas Janetscheck

Microsoft MVP - Azure | Cloud Solutions Architect | Community Leader | Speaker

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s