Skip to main content
Back to the Azure Footguns Database
SecurityMediumCommonAZF-0081

A Linux VM accepting SSH passwords puts brute-forceable credentials on the internet's most attacked port

The Linux VM was deployed with disablePasswordAuthentication set to false, so sshd accepts passwords: guessable, reusable, phishable credentials with no MFA in front of them.

Footgun ID
AZF-0081 (Azure Footgun No. 81)
Azure service
Azure Virtual Machines
Resource type
Microsoft.Compute/virtualMachines
Updated
July 9, 2026

What it is

A Linux virtual machine whose osProfile.linuxConfiguration.disablePasswordAuthentication property is false, meaning SSH accepts password logins. Password authentication over SSH is the primary vector for internet-facing Linux VM compromise: passwords get guessed, reused across systems, and hammered by automated brute-force campaigns that scan the entire IPv4 space continuously.

Impact (security)
One guessed or reused password is an interactive shell on the VM; port 22 is brute-forced around the clock
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Every Azure deployment path offers passwords as a first-class choice. az vm create --admin-password sets it, quick-create portal flows accept it, and plenty of teams pick it because a password feels simpler than generating and distributing SSH keys, especially when the person creating the VM comes from a Windows-and-RDP habit.

The choice then fossilizes. The flag is set at deployment, nothing complains afterward, and the VM works fine every day, so there's no trigger to revisit it. Meanwhile sshd sits there accepting an unlimited stream of password guesses with no lockout, no MFA, and no identity provider involved: authentication is whatever nine characters the admin picked in 2023.

What it costs / blast radius

There is no dollar figure here; the exposure is the credential class itself.

  • If the VM is reachable from the internet (see AZF-0097), automated scanners find port 22 within minutes and brute-force it indefinitely. One weak, reused, or leaked password yields an interactive shell.
  • A compromised shell is rarely the end state: typical follow-ons are cryptominers on your compute bill, credential harvesting from the box, and lateral movement to whatever the VM can reach.
  • Even a VM with no public IP is a soft target for lateral brute force once anything else in the network is compromised.

SSH keys remove the entire attack class: nothing to guess, nothing to reuse, nothing to phish. (Authored assessment of Azure and sshd behavior, not measured data.)

See it

Footgun: the VM accepts SSH password logins
resource vm 'Microsoft.Compute/virtualMachines@2024-07-01' = {
  name: 'vm-app-01'
  location: location
  properties: {
    osProfile: {
      computerName: 'vm-app-01'
      adminUsername: 'azureuser'
      adminPassword: adminPassword
      linuxConfiguration: {
        disablePasswordAuthentication: false  // sshd takes password guesses
      }
    }
    // ...
  }
}
Fix: SSH key authentication only
resource vm 'Microsoft.Compute/virtualMachines@2024-07-01' = {
  name: 'vm-app-01'
  location: location
  properties: {
    osProfile: {
      computerName: 'vm-app-01'
      adminUsername: 'azureuser'
      linuxConfiguration: {
        disablePasswordAuthentication: true
        ssh: {
          publicKeys: [
            {
              path: '/home/azureuser/.ssh/authorized_keys'
              keyData: sshPublicKey
            }
          ]
        }
      }
    }
    // ...
  }
}

// Existing VM: distribute keys, then enforce inside the guest by
// setting 'PasswordAuthentication no' in sshd_config and reloading sshd.

How StratoLens helps

StratoLens flags every Linux VM that still accepts SSH passwords, automatically and continuously, across all of your subscriptions, inside your own tenant. Password-auth VMs stop being an unknown, so you can retire the risky pairing of guessable credentials and reachable ports before it gets a machine compromised.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Not ready to install anything? Browse the Azure Footguns Database: 55+ documented ways Azure quietly costs money or creates risk.

Request a demo

StratoLens catches the cost waste, access risk, and config drift across your whole Azure estate, from inside your own tenant, so your data never leaves it.