For remote connections, all hardened appliances include the Secure Shell (SSH) protocol. SSH is deactivated by default on the hardened appliance.
SSH is an interactive command-line environment that supports remote connections to a VMware Aria Operations node. SSH requires high-privileged user account credentials. SSH activities generally bypass the role-based access control (RBAC) and audit controls of the VMware Aria Operations node.
As a best practice, deactivate SSH in a production environment and activate it only to diagnose or troubleshoot problems that you cannot resolve by other means. Leave it activated only while needed for a specific purpose and in accordance with your organization's security policies. If you activate SSH, ensure that it is protected against attack and that you activate it only for as long as required. Depending on your vSphere configuration, you can activate or deactivate SSH when you deploy your Open Virtualization Format (OVF) template.
As a simple test to determine whether SSH is activated on a machine, try to open a connection by using SSH. If the connection opens and requests credentials, then SSH is activated and is available for making connections.
Secure Shell Root User
Because VMware appliances do not include preconfigured default user accounts, the root account can use SSH to directly log in by default. Deactivate SSH as root as soon as possible.
To meet the compliance standards for nonrepudiation, the SSH server on all hardened appliances is preconfigured with the AllowGroups wheel
entry to restrict SSH access to the secondary group wheel. For separation of duties, you can modify the AllowGroups wheel
entry in the /etc/ssh/sshd_config file to use another group such as sshd.
The wheel group is activated with the pam_wheel
module for superuser access, so members of the wheel group can use the su-root command, where the root password is required. Group separation activates users to use SSH to the appliance, but not to use the su command to log in as root. Do not remove or modify other entries in the AllowGroups field, which ensures proper appliance function. After making a change, restart the SSH daemon by running the # service sshd restart
command.