ASR with Linux Root Account - Security Concern? Alternatives?

    Question

  • In Azure Site Recovery (ASR), for a physical-to-Azure failover involving Linux machines, Microsoft documentation states that:

    To install automatically, you need to prepare an account that Site Recovery will use to access the server. For Linux, the account should be root on the source Linux server.

    This root account is presumably:

    • Username: root
    • Password: <password of root>

    For root authentication with a password account to work over SSH, the additional settings need to be modified in /etc/ssh/sshd_config (source here).

    PermitRootLogin yes

    PasswordAuthentication yes

    Is this not a massive security threat for Linux? To allow (over SSH) password authentication (instead of using SSH keys) on the root account (for which an attacker no longer needs to guess the username, as the username 'root' will do)?

    Is there an alternative with using ASR for physical Linux machines?


    Friday, January 11, 2019 5:04 AM
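The two sshd_config directives quoted in the question can be checked mechanically. The following is an added example, not part of the original thread or of any Microsoft tooling: a Python audit that reports, for the global section and each Match block, whether root can log in with a password. The sample configurations and the address 192.0.2.10 are constructed, and the defaults are assumed to be those of OpenSSH 7.0 and later.

```python
# Added example: audit sshd_config text for root password login. Only the two
# directives from the question are evaluated (no PAM/keyboard-interactive, no
# Include files); defaults are assumed to be those of OpenSSH 7.0 and later.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

# Constructed sample: the settings quoted in the question.
ASR_AUTO = """
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: a hardened global section, a later duplicate that sshd
# ignores (first value wins), and a Match block that re-enables both settings.
HARDENED = """
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitRootLogin yes
Match Address 192.0.2.10
    PermitRootLogin yes
    PasswordAuthentication yes
"""

def parse_scopes(text):
    """Return [(scope, {keyword: value})]; first value per keyword wins."""
    scopes = [("global", {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            scopes.append((" ".join(["Match"] + parts[1:]), {}))
        elif key in DEFAULTS and len(parts) > 1:
            scopes[-1][1].setdefault(key, parts[1].strip('"').lower())
    return scopes

def audit(text):
    """Return [(scope, exposed)]; exposed means root can log in with a password."""
    scopes = parse_scopes(text)
    base = {**DEFAULTS, **scopes[0][1]}  # Match blocks inherit global values
    findings = []
    for name, settings in scopes:
        eff = {**base, **settings}
        findings.append((name, all(eff[k] == "yes" for k in DEFAULTS)))
    return findings

if __name__ == "__main__":
    for label, cfg in (("ASR_AUTO", ASR_AUTO), ("HARDENED", HARDENED)):
        print(label, audit(cfg))
```

On a live host, the output of `sshd -T` gives the effective values and is the authoritative source; the parser above is for reviewing configuration files offline.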

Answers

  • We need the root account to be able to install the mobility service on the Linux machines which coordinates and sends the replication data. We hear your feedback and appreciate you reaching out to us. One option is to manually install the agent. Also, please be assured that the password is stored within your premises as part of the OVF set up, and encrypted and should be in line with your security guidelines.

    Monday, January 14, 2019 9:32 AM
    Moderator

All replies

  • Hi CharlieBrownMSDN, we are investigating this internally and will get back to you with a response soon.
    Saturday, January 12, 2019 1:37 AM
    Moderator
  • To avoid this, you can install the agent on the Linux machine manually and during enable protection it will verify and skip it.
    Monday, January 14, 2019 1:19 AM
  • It's supported based on the latest blog @ https://azure.microsoft.com/en-us/blog/new-azure-migrate-and-azure-site-recovery-enhancements-for-cloud-migration/

    Try upgrading to the latest agent and check this.


    • Edited by Mara Ram Monday, January 14, 2019 7:15 AM
    • Proposed as answer by Mara Ram Monday, January 14, 2019 7:15 AM
    Monday, January 14, 2019 7:15 AM