Terraform Password Authentication Enabled
Description
Detects Azure Virtual Machines whose Terraform configuration leaves password authentication enabled instead of requiring SSH key-based authentication. Passwords are exposed to brute-force guessing and credential theft in a way that SSH keys are not, so leaving password login enabled weakens the VM's remote-access security.
Detection Strategy
• Identifies Azure Virtual Machine resources in Terraform configuration files
• Checks if the resource is specifically of type 'azurerm_virtual_machine'
• Inspects the resource's os_profile_linux_config block and checks whether disable_password_authentication is set to false
• Reports a vulnerability when password authentication is enabled instead of SSH key-based authentication
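The detection strategy above, written out as an added, stand-alone example (not Fluid Attacks' own scanner): a small Python checker that walks resource blocks in a Terraform file, keeps only azurerm_virtual_machine resources, ignores commented-out lines, and reports those that set disable_password_authentication = false. The sample configuration is constructed for the example.

```python
import re

RESOURCE_HEADER = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
PASSWORD_AUTH = re.compile(r'\bdisable_password_authentication\s*=\s*(true|false)\b')

# Constructed sample configuration (not taken from the page): one VM with password
# authentication enabled, one with it disabled, and one resource of another type.
SAMPLE_TF = '''
resource "azurerm_virtual_machine" "vuln" {
  name = "vm-a"
  os_profile_linux_config {
    disable_password_authentication = false
  }
}
resource "azurerm_virtual_machine" "safe" {
  name = "vm-b"
  os_profile_linux_config {
    # previously: disable_password_authentication = false
    disable_password_authentication = true
  }
}
resource "azurerm_resource_group" "rg" {
  name = "rg-a"
}
'''

def iter_resources(tf_text: str):
    """Yield (type, name, body) per resource block via brace counting (braces inside strings are not handled)."""
    for m in RESOURCE_HEADER.finditer(tf_text):
        depth, i = 1, m.end()
        while i < len(tf_text) and depth:
            depth += {"{": 1, "}": -1}.get(tf_text[i], 0)
            i += 1
        yield m.group(1), m.group(2), tf_text[m.end():i - 1]

def strip_comments(body: str) -> str:
    """Drop '#' line comments so commented-out settings are not reported."""
    return "\n".join(line.split("#", 1)[0] for line in body.splitlines())

def find_password_auth_enabled(tf_text: str) -> list:
    """Return addresses of azurerm_virtual_machine resources that set disable_password_authentication = false."""
    findings = []
    for rtype, rname, body in iter_resources(tf_text):
        if rtype != "azurerm_virtual_machine":
            continue  # the rule is scoped to this resource type only
        m = PASSWORD_AUTH.search(strip_comments(body))
        if m and m.group(1) == "false":
            findings.append(f"{rtype}.{rname}")
    return findings
```

Running find_password_auth_enabled(SAMPLE_TF) reports only azurerm_virtual_machine.vuln; the commented-out line in the safe VM is ignored and the resource group is skipped by the type check.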
Vulnerable code example
resource "azurerm_virtual_machine" "vm" {
  name = "test-vm"
  # ... other required fields omitted for brevity ...
  os_profile_linux_config {
    disable_password_authentication = false # VULNERABLE: Allows weak password authentication instead of SSH keys
  }
}
✅ Secure code example
resource "azurerm_virtual_machine" "vm" {
  name = "test-vm"
  # ... other required fields omitted for brevity ...
  os_profile_linux_config {
    disable_password_authentication = true # Enforce SSH key authentication only
    ssh_keys {
      path     = "/home/adminuser/.ssh/authorized_keys" # Path for authorized SSH keys
      key_data = file("~/.ssh/id_rsa.pub")              # Public key to install; key_data is required together with path (placeholder file path, not from the original example)
    }
  }
}