
Require Azure AD Login on Linux VM

I followed the setup guide from the MS document: https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-linux

Everything works except one thing: if I ssh from a different client (Azure requires the CLI for AAD login), I can still log in to the Linux servers with a local account. The document above says: "Use Azure deploy and audit policies to require Azure AD login for Linux VMs and flag non-approved local accounts", but I am totally getting the runaround about how to REQUIRE that logins be only through AAD credentials. I've had a support ticket open for 6 weeks and have gone through 4 different support groups with no success.

I need this for SOC2 compliance, and given that Azure has documentation that their services are SOC2 compliant, I can't imagine this is not achievable. Does anyone know how to force Linux servers to only permit AAD credentials for login?

To force Linux servers to only permit AAD credentials for login, try the solution mentioned below, to be implemented in your Azure subscription:

Kindly deploy the Azure policy definitions below with the resource group as the scope to disallow local login for Linux VMs:

Go to Azure portal -> Search Azure Policy -> Definitions -> Select the appropriate scope -> select the definition type as Policy -> select the category as Guest Configuration -> select the policies below

  • Linux machines should only have local accounts that are allowed

Assign the policy to the required scope and make sure to list (or not list) the required local accounts of the Linux VMs for that scope under the Parameters tab.


  • Authentication to Linux machines should require SSH keys

Assign the policy to the required scope and make sure to select the effect 'AuditIfNotExists' under the Parameters tab.


Note:

Make sure to uncheck the option 'Only show parameters that need input or review', so that you are able to enter the allowed local accounts in the parameters.


For more detail, please refer to the link below:

Built-in policy definitions for Azure Virtual Machines - Azure Virtual Machines | Microsoft Docs
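The procedure above is done through the portal. The script below is an added example (it is not part of the answer or of any Microsoft documentation) that does the same assignment with the Azure CLI and, more importantly, reproduces on the VM itself what the "allowed local accounts" and "require SSH keys" policies check, so a machine that the policy flags can be inspected and fixed. Assumptions: the policy's parameter for the allow list is named `Members` (the function prints the definition's parameters so this can be confirmed before assigning), the scope is a resource group, and the passwd and sshd_config contents used for the stand-alone run are constructed samples, not taken from a real VM.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post.
# Part 1 assigns the built-in guest-configuration policy with the CLI.
# Part 2 reproduces the checks locally from files passed as arguments.
set -eu

# Build the --params JSON for the policy from a comma-separated allow list.
# ASSUMPTION: the allow-list parameter is called "Members"; verify with the
# 'az policy definition show' call in assign_local_account_policy.
build_allowed_accounts_params() {
    printf '{"Members":{"value":"%s"}}' "$1"
}

# Assign "Linux machines should only have local accounts that are allowed"
# at resource-group scope. $1 = resource group, $2 = allowed accounts list.
assign_local_account_policy() {
    rg="$1"; allowed="$2"
    scope="$(az group show --name "$rg" --query id -o tsv)"
    def_name="$(az policy definition list \
        --query "[?displayName=='Linux machines should only have local accounts that are allowed'].name" \
        -o tsv)"
    # Show the definition's parameters so the assumed name can be checked.
    az policy definition show --name "$def_name" --query parameters -o json
    az policy assignment create \
        --name "linux-allowed-local-accounts" \
        --policy "$def_name" \
        --scope "$scope" \
        --params "$(build_allowed_accounts_params "$allowed")"
}

# Print, comma-separated, every account in a passwd-format file ($1) that
# has a real login shell, a non-system UID (>= 1000) and is not in the
# allow list ($2). This is what the audit policy flags as non-compliant.
audit_local_accounts() {
    passwd_file="$1"; allowed="$2"; found=""
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue
        [ "$uid" -ge 1000 ] || continue
        case "$shell" in */nologin|*/false|"") continue ;; esac
        case ",$allowed," in *",$user,"*) continue ;; esac
        found="${found:+$found,}$user"
    done < "$passwd_file"
    printf '%s\n' "$found"
}

# Report "keys-only" if password authentication is disabled in an
# sshd_config file ($1), else "password-allowed". sshd honours the FIRST
# uncommented PasswordAuthentication directive; the default is yes.
# (Match blocks are not evaluated here; treat this as a first-pass check.)
audit_sshd_password_auth() {
    value="$(awk 'tolower($1)=="passwordauthentication" {print tolower($2); exit}' "$1")"
    if [ "${value:-yes}" = "no" ]; then echo "keys-only"; else echo "password-allowed"; fi
}

# Constructed sample inputs for a stand-alone run (not from a real VM).
SAMPLE_PASSWD="$(mktemp)"
SAMPLE_SSHD="$(mktemp)"
printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
    'azureuser:x:1000:1000::/home/azureuser:/bin/bash' \
    'legacyadmin:x:1001:1001::/home/legacyadmin:/bin/bash' \
    'svc_backup:x:1002:1002::/home/svc_backup:/usr/sbin/nologin' > "$SAMPLE_PASSWD"
printf '%s\n' \
    '# PasswordAuthentication yes' \
    'ChallengeResponseAuthentication no' \
    'PasswordAuthentication no' > "$SAMPLE_SSHD"

echo "Unexpected local accounts: $(audit_local_accounts "$SAMPLE_PASSWD" azureuser)"
echo "SSH password auth: $(audit_sshd_password_auth "$SAMPLE_SSHD")"

# Only talk to Azure when explicitly asked: ./script.sh apply <rg> <accounts>
if [ "${1:-}" = "apply" ]; then
    assign_local_account_policy "$2" "$3"
fi
```

Two caveats worth keeping in mind when reading the answer. Both built-in policies are AuditIfNotExists: they report a VM as non-compliant in the compliance view, but they do not remove accounts or change sshd, so what actually prevents local login is the remediation they point you to (lock or delete the accounts the first check lists, set `PasswordAuthentication no` so only key-based or AAD-based login works). The guest-configuration checks also need the Guest Configuration extension and a managed identity on each VM; Azure provides a prerequisites initiative for that, and until it is deployed the policies show nothing.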
