You must edit the /etc/ssh/sshd_config file on all your hosts to reconfigure the SSH service. You also remove the authorized_keys file on all ESXi hosts and edit the /etc/pam.d/passwd file to configure password settings. Before you can log in to a host and change the configuration file, you must disable lockdown mode.

You perform the procedure on all ESXi hosts in Region B.

Procedure

  1. In a Web browser, log in to vCenter Server by using the vSphere Client.
    Setting      Value
    URL          https://lax01m01vc01.lax01.rainpole.local/ui
    User name    administrator@vsphere.local
    Password     vsphere_admin_password
  2. Disable lockdown mode on the lax01m01esx01.sfo01.rainpole.local host.
    1. In the Hosts and Clusters inventory, expand the entire lax01m01vc01.lax01.rainpole.local tree.
    2. Under the lax01-m01dc data center, select the lax01m01esx01.lax01.rainpole.local host object and click the Configure tab.
    3. Click the Security Profile tab on the right.
    4. Under Lockdown Mode, click Edit.
    5. In the Lockdown Mode dialog box, select Disabled and click OK.
  3. Log in to the lax01m01esx01.sfo01.rainpole.local ESXi host by using a Secure Shell (SSH) client.
    Setting      Value
    FQDN         lax01m01esx01.lax01.rainpole.local
    User name    root
    Password     root_user_password
  4. Rename the existing sshd_config file for backup.

    mv /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

  5. Create a new sshd_config file in the /etc/ssh folder with the NIST 800-53 configurations.
    Table 1. Configurations to Perform

    Configuration ID               Description
    NIST80053-VI-ESXI-CFG-00001    Use only FIPS-approved algorithms for encryption.
    NIST80053-VI-ESXI-CFG-00003    Set the IgnoreRhosts option to yes to force users to enter a password when authenticating with SSH.
    NIST80053-VI-ESXI-CFG-00004    Set the HostbasedAuthentication option to no to disable authentication through trusted hosts.
    NIST80053-VI-ESXI-CFG-00005    Set the PermitRootLogin option to no to disable SSH access for the root user.
    NIST80053-VI-ESXI-CFG-00006    Set the PermitEmptyPasswords option to no to prevent users with blank passwords from using SSH.
    NIST80053-VI-ESXI-CFG-00007    Set the PermitUserEnvironment option to no to forbid users from presenting environment options to the SSH daemon.
    NIST80053-VI-ESXI-CFG-00009    Set the GSSAPIAuthentication option to no to disable GSSAPI authentication.
    NIST80053-VI-ESXI-CFG-00010    Set the KerberosAuthentication option to no to disable the Kerberos protocol.
    NIST80053-VI-ESXI-CFG-00011    Set the StrictModes option to yes to force permission checks on key files and directories.
    NIST80053-VI-ESXI-CFG-00012    Set the Compression option to no to deny compression prior to a successful user authentication.
    NIST80053-VI-ESXI-CFG-00013    Set the GatewayPorts option to no to prevent connecting to forwarded ports from outside the host.
    NIST80053-VI-ESXI-CFG-00015    Delete all values for AcceptEnv to reject environment variables from the client.
    NIST80053-VI-ESXI-CFG-00016    Set the PermitTunnel option to no to prevent the SSH daemon from creating network tunnels over an SSH connection.
    NIST80053-VI-ESXI-CFG-00017    Set the ClientAliveCountMax option to 3 as the total number of client alive messages that the SSH server sends without a response from the SSH client.
    NIST80053-VI-ESXI-CFG-00019    Set the MaxSessions option to 1 as the maximum number of open sessions permitted per network connection.

    1. Open the VI editor to add a new sshd_config file in /etc/ssh.

      vi /etc/ssh/sshd_config

    2. In the VI editor, enter the following configuration in the sshd_config file. The comment lines map the directives to the configuration IDs in Table 1.
      # Version 6.7.2.0
      # running from inetd
      # Port 2200
      
      HostKey /etc/ssh/ssh_host_rsa_key
      HostKey /etc/ssh/ssh_host_dsa_key
      # NIST80053-VI-ESXI-CFG-00001: FIPS-approved ciphers (see also MACs below)
      Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
      Protocol 2
      # NIST80053-VI-ESXI-CFG-00003 through -00007: authentication restrictions
      IgnoreRhosts yes
      HostbasedAuthentication no
      PermitRootLogin no
      PermitEmptyPasswords no
      PermitUserEnvironment no
      # NIST80053-VI-ESXI-CFG-00001: FIPS-approved MACs
      MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512
      # NIST80053-VI-ESXI-CFG-00009 through -00013
      GSSAPIAuthentication no
      KerberosAuthentication no
      StrictModes yes
      Compression no
      GatewayPorts no
      X11Forwarding no
      # NIST80053-VI-ESXI-CFG-00015 through -00019 (AcceptEnv is intentionally empty)
      AcceptEnv
      PermitTunnel no
      ClientAliveCountMax 3
      ClientAliveInterval 200
      MaxSessions 1
      # Logging and session settings
      UsePrivilegeSeparation no
      SyslogFacility auth
      LogLevel info
      PrintMotd yes
      PrintLastLog no
      TCPKeepAlive yes
      Banner /etc/issue
    3. Save and close the VI editor.
    4. Restart the SSH service to apply the new configurations.

      /etc/init.d/SSH restart

  6. NIST80053-VI-ESXI-CFG-00107: Remove the SSH authorized_keys file from /etc/ssh/keys-root/.

    rm /etc/ssh/keys-root/authorized_keys

  7. NIST80053-VI-ESXI-CFG-00109: Configure the value of the remember option to 5 in the /etc/pam.d/passwd file to restrict the reuse of the last five passwords.
    1. Open the VI editor to edit the /etc/pam.d/passwd file.

      vi /etc/pam.d/passwd

    2. Add remember=5 at the end of the password sufficient line in the file.

      password sufficient /lib/security/$ISA/pam_unix.so use_authtok nullok shadow sha512 remember=5

    3. Save and close the VI editor.
  8. Repeat the procedure for all remaining hosts in Region B.
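To verify that a host's sshd_config matches Table 1 before moving on to the next host, the following POSIX sh script is an added example and not part of the original procedure. It takes the directive values from the sshd_config above, constructs its own sample files (a weakened one and a compliant one), and reports each directive that is missing or differs; pass a path to audit a real file.

```shell
#!/bin/sh
# Added example (not from the original procedure): audit an sshd_config against
# the directives Table 1 requires. POSIX sh, so it also runs in the ESXi shell.
REQUIRED_SSHD='Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
GSSAPIAuthentication no
KerberosAuthentication no
StrictModes yes
Compression no
GatewayPorts no
PermitTunnel no
ClientAliveCountMax 3
MaxSessions 1'
# Effective value of a directive: sshd uses the first occurrence of a keyword
# (matched case-insensitively), so stop at the first match.
sshd_value() { awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"; }

# Print one line per deviation found in the given sshd_config file.
audit_sshd_config() {
    printf '%s\n' "$REQUIRED_SSHD" | while read -r key want; do
        have=$(sshd_value "$1" "$key")
        if [ -z "$have" ]; then echo "MISSING $key (want $want)"
        elif [ "$have" != "$want" ]; then echo "WRONG   $key is $have (want $want)"
        fi
    done
    # CFG-00015: an AcceptEnv line must exist and carry no variable names (NF == 1).
    [ "$(awk 'tolower($1) == "acceptenv" { print NF; exit }' "$1")" = 1 ] ||
        echo "WRONG   AcceptEnv must be present and empty"
}
# Number of deviations, usable as an exit status or in an assertion.
sshd_deviations() { audit_sshd_config "$1" | awk 'END { print NR }'; }

# Constructed samples (not real host files): a weakened config with exactly three
# deviations (root login on, MaxSessions missing, AcceptEnv listing variables; the
# trailing "PermitRootLogin no" does not help because the first occurrence wins)
# and a compliant one built from the required list plus an empty AcceptEnv line.
write_sample_configs() {
    printf '%s\n' "$REQUIRED_SSHD" | sed -e 's/^PermitRootLogin no$/PermitRootLogin yes/' \
        -e '/^MaxSessions/d' > "$1"
    printf '%s\n' 'AcceptEnv LANG LC_*' 'PermitRootLogin no' >> "$1"
    printf '%s\n' "$REQUIRED_SSHD" 'AcceptEnv' > "$2"
}
# Stand-alone demo on the constructed samples; pass a path to audit a real file.
TMP=$(mktemp -d) && write_sample_configs "$TMP/weak.cfg" "$TMP/good.cfg"
audit_sshd_config "${1:-$TMP/weak.cfg}"
```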