You edit the /etc/ssh/sshd_config file on all the hosts to disable login as the root user, disallow compression, and disable port forwarding for the SSH daemon. You also enable secure boot and disable the OpenSLP service.

You perform the procedure from an SSH session connected to the ESXi host and on all the ESXi hosts in the management domain.

Procedure

  1. Log in to an ESXi host by using a Secure Shell (SSH) client with the root user.
  2. Open the VI editor to add or edit the settings in /etc/ssh/sshd_config.

    vi /etc/ssh/sshd_config

    1. NIST80053-VI-ESXi-CFG-00005 In the VI editor, add or correct the following line to disable login as the root user.

      PermitRootLogin no

    2. NIST80053-VI-ESXi-CFG-00012 In the VI editor, add or correct the following line to disallow compression for the ESXi host SSH daemon.

      Compression no

    3. NIST80053-VI-ESXi-CFG-01111 Add or correct the following line to disable port forwarding for the ESXi host SSH daemon.

      AllowTcpForwarding no

    4. Save and close the VI editor.
    5. Restart the SSH service to apply the new configurations.

      /etc/init.d/SSH restart

  3. NIST80053-VI-ESXi-CFG-01108 Enable secure boot on the host.

    # /usr/lib/vmware/secureboot/bin/secureBoot.py -c

    Note:

    If the imaging appliance (VIA) is used to image the ESXi hosts, note that it currently does not support UEFI, which is a requirement for enabling secure boot. ESXi installations done through other methods are supported and can enable UEFI and secure boot.

    If the output indicates that Secure Boot cannot be enabled, correct the discrepancies and try again.

  4. NIST80053-VI-ESXi-CFG-01112 Disable the OpenSLP service on the host.

    # /etc/init.d/slpd stop
    # esxcli network firewall ruleset set -r CIMSLP -e 0
    # chkconfig slpd off

  5. Perform the procedure on the remaining hosts in the management domain.
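To verify the three sshd_config settings from step 2 across the hosts before restarting the daemon, the following audit script is an added example (not VMware's own tooling) written for a POSIX/busybox shell such as the ESXi shell; it assumes `awk` is available, and it covers the two pitfalls of "add or correct the line" edits that the procedure does not spell out: sshd honours the first occurrence of a keyword, and directives under a `Match` block apply only to matching connections.

```sh
#!/bin/sh
# Added example (not VMware's code): audit PermitRootLogin, Compression and
# AllowTcpForwarding in an sshd_config the way sshd itself reads them.
# sshd uses the FIRST occurrence of a keyword, so a "PermitRootLogin no"
# appended below an earlier "PermitRootLogin yes" never takes effect.

# first_value FILE KEYWORD: print the value of the first global directive for
# KEYWORD (case-insensitive, "Key value" or "Key=value"); print nothing if absent.
first_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { gsub(/=/, " ") }                              # normalise Key=value
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments, blanks
        tolower($1) == "match" { exit }                 # end of global section
        tolower($1) == key { print $2; exit }           # first match wins
    ' "$1"
}

# check_setting FILE KEYWORD EXPECTED DEFAULT: print PASS/FAIL, return 0/1.
# DEFAULT is the OpenSSH built-in value used when the keyword is absent.
check_setting() {
    got=$(first_value "$1" "$2"); src=explicit
    [ -n "$got" ] || { got=$4; src=default; }
    if [ "$got" = "$3" ]; then
        echo "PASS $2=$got ($src)"; return 0
    fi
    echo "FAIL $2=$got ($src), expected $3"; return 1
}

# audit_sshd_config FILE: return the number of failed checks (0 = compliant).
audit_sshd_config() {
    fails=0
    check_setting "$1" PermitRootLogin    no prohibit-password || fails=$((fails+1))
    check_setting "$1" Compression        no yes               || fails=$((fails+1))
    check_setting "$1" AllowTcpForwarding no yes               || fails=$((fails+1))
    return $fails
}

# Constructed sample file (not a real host's config) exercising both pitfalls.
SAMPLE=${TMPDIR:-/tmp}/sshd_config.sample.$$
cat > "$SAMPLE" <<'EOF'
PermitRootLogin yes
# the next line is shadowed: sshd already took "yes" above
PermitRootLogin no
Compression=no
Match User backup
# conditional directive, so the global default (yes) still applies
AllowTcpForwarding no
EOF
audit_sshd_config "$SAMPLE" || echo "$? check(s) failed"
```

Run it as `audit_sshd_config /etc/ssh/sshd_config` on each host; a non-zero return value means at least one directive is missing, shadowed, or set to the wrong value.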