Hello Azure enthusiasts,
have you heard about Azure AD login for Linux VMs, a new preview feature on Azure AD? Have you given it a try? Well, I have and currently, I’m not yet fully convinced if it’s a curse or blessing in terms of governance and security. But first things first…
Azure AD login for Linux VMs enables you to use your Azure AD accounts for SSH logins on your Azure VMs. The value propositions according to the official documentation are improved security and seamless collaboration what makes sense if you imagine that using AAD login you can leverage all the security features including RBAC and MFA for the SSH login process on your Linux servers. All you need to do is to enable the AADLoginForLinux VM extension for your Azure VM and granting access rights to a user account using an RBAC role assignment.
To enable the extension for an existing VM you can use the following PowerShell command:
Set-AzureRmVMExtension ` -Publisher Microsoft.Azure.ActiveDirectory.LinuxSSH ` -Name AADLoginForLinux ` -ResourceGroupName myResourceGroup ` -VMName myVM ` -Location WestEurope ` -ExtensionType AADLoginForLinux ` -TypeHandlerVersion 1.0
For being allowed to login using Azure AD credentials the user account must be assigned either the Virtual Machine Administrator Login or Virtual Machine User Login RBAC role. An Azure user with the Owner or Contributor roles assigned for a VM do not automatically have privileges to log in to the VM over SSH.
$scope = (Get-AzureRmVM -ResourceGroupName LinuxSecurity -Name UbuntuVm01).id New-AzureRmRoleAssignment ` -SignInName email@example.com ` -RoleDefinitionName "Virtual Machine Administrator Login" ` -Scope $scope
When you then connect to your virtual machine using the following command
you are prompted to open the page https://microsoft.com/devicelogin, enter a code you are shown in the CLI session, and then to authenticate with your Azure AD credentials.
It’s the same procedure you know from logins with Azure CLI for example – with all the AAD security such as MFA in place.
Linux VMs and SSH access using RSA key pairs
SSH access to Linux servers is usually not only used interactively, but also in automation tasks. By using SSH key pairs you’re able to remotely connect to a Linux server just like you were using PowerShell Remoting.
You can do so using ssh-keygen, a command-line tool that generates a public/private rsa key pair. During generation you are prompted to enter a file path (by default: /your_home/.ssh/id_rsa) and a password for the private key (not mandatory!). You then copy the public key to the Linux server’s disk and are ready to go.
Now, if you enable Azure AD login for this respective Linux VM and assign a user the Virtual Machine Administrator Login role you’d expect to have full access control to your Azure environment, including your Linux VMs. You’d expect that by removing the aforementioned RBAC role assignment you could revoke access rights to the VM(s) in scope. But that is only half the truth.
The user is able to create a key pair and copy the public key to the VM. So far, so good. But: as of now the user can connect to the Azure VM using the RSA key and no longer leveraging the AAD login mechanism:
As you see you are no longer prompted to authenticate using the device login process but to enter the passphrase for your private key. If you remove the Azure role assignment for the user account the RSA public key on the server and the Linux user account will not be removed so SSH access to the Linux VM will still be possible using the RSA key pair!
Make sure you care for security
To be fair I need to mention that the user will only have unpriviledged access on this server because as soon as he or she tries to run a command that needs elevated rights the device login prompt will appear again, and without the RBAC role assignment this try will fail.
But nevertheless the user is still able to connect to the server, to access and maybe to manipulate data which is a big security issue that needs to be addressed. So it’s not enough to only enable AAD login to the Linux VM; you will need to plan for user management on your Linux VM as well. At least you will need a user phase-out process in which you define how to clean up your Linux VMs in Azure. Knowing these facts will definitely help you to appropriately plan your Azure Security and Governance strategies and to avoid self-made backdoors in your Azure environments. Make sure to plan first and execute second and be aware of the fact that enabling AAD access to Linux VMs does not mean you can forget about operating system management!
During my upcoming conference tour this fall I will address this and other topics in my talks so make sure you don’t miss them.
Stay tuned and bye for now,
3 thoughts on “Azure AD login for Linux VMs from a security perspective”
User management for Linux has traditionally been handled by the Name Service Switch service, which queries the passwd, group, shadow databases respectively.
While AADLoginForLinux does support authentication for OpenSSH, it is only part of the solution. Not to mention, it only works on Azure.
I have recently written a set of plugins and modules for libnss, pam, and openvpn to authenticate against the Azure Active Directory. All of which are licensed under the GPLv3. They can be run on any cloud, or on-premise.
I’d appreciate if you could test them out and let me know how they work for you.
LikeLiked by 1 person