What it is
A Linux virtual machine whose osProfile.linuxConfiguration.disablePasswordAuthentication property is false, meaning SSH accepts password logins. Password authentication over SSH is the primary vector for internet-facing Linux VM compromise: passwords get guessed, reused across systems, and hammered by automated brute-force campaigns that scan the entire IPv4 space continuously.
Why it happens
Every Azure deployment path offers passwords as a first-class choice. az vm create --admin-password sets it, quick-create portal flows accept it, and plenty of teams pick it because a password feels simpler than generating and distributing SSH keys, especially when the person creating the VM comes from a Windows-and-RDP habit.
The choice then fossilizes. The flag is set at deployment, nothing complains afterward, and the VM works fine every day, so there's no trigger to revisit it. Meanwhile sshd sits there accepting an unlimited stream of password guesses with no lockout, no MFA, and no identity provider involved: authentication is whatever nine characters the admin picked in 2023.
What it costs / blast radius
There is no dollar figure here; the exposure is the credential class itself.
- If the VM is reachable from the internet (see AZF-0097), automated scanners find port 22 within minutes and brute-force it indefinitely. One weak, reused, or leaked password yields an interactive shell.
- A compromised shell is rarely the end state: typical follow-ons are cryptominers on your compute bill, credential harvesting from the box, and lateral movement to whatever the VM can reach.
- Even a VM with no public IP is a soft target for lateral brute force once anything else in the network is compromised.
SSH keys remove the entire attack class: nothing to guess, nothing to reuse, nothing to phish. (Authored assessment of Azure and sshd behavior, not measured data.)
See it
resource vm 'Microsoft.Compute/virtualMachines@2024-07-01' = {
name: 'vm-app-01'
location: location
properties: {
osProfile: {
computerName: 'vm-app-01'
adminUsername: 'azureuser'
adminPassword: adminPassword
linuxConfiguration: {
disablePasswordAuthentication: false // sshd takes password guesses
}
}
// ...
}
}resource vm 'Microsoft.Compute/virtualMachines@2024-07-01' = {
name: 'vm-app-01'
location: location
properties: {
osProfile: {
computerName: 'vm-app-01'
adminUsername: 'azureuser'
linuxConfiguration: {
disablePasswordAuthentication: true
ssh: {
publicKeys: [
{
path: '/home/azureuser/.ssh/authorized_keys'
keyData: sshPublicKey
}
]
}
}
}
// ...
}
}
// Existing VM: distribute keys, then enforce inside the guest by
// setting 'PasswordAuthentication no' in sshd_config and reloading sshd.How StratoLens helps
StratoLens flags every Linux VM that still accepts SSH passwords, automatically and continuously, across all of your subscriptions, inside your own tenant. Password-auth VMs stop being an unknown, so you can retire the risky pairing of guessable credentials and reachable ports before it gets a machine compromised.