As a security best practice, create and configure local administrative accounts for Secure Shell (SSH) on your virtual appliance host machines. Also, remove root SSH access after you create the appropriate accounts.

About this task

Create local administrative accounts for SSH, make them members of the secondary wheel group, or both. Before you disable direct root access, test that authorized administrators can access SSH through the groups listed in AllowGroups, and that they can su to root by way of the wheel group.

Procedure

  1. Log in to the virtual appliance as root and run the following commands, substituting the appropriate username.
    # useradd -g users <username> -G wheel -m -d /home/<username>
    # passwd <username>

    wheel is the group specified in AllowGroups for SSH access. To add multiple secondary groups, use -G wheel,sshd.

  2. Switch to the user and provide a new password to enforce password complexity checking.
    # su - <username>
    username@hostname:~> passwd

    If the new password meets the complexity requirements, it is updated. If it does not, the password reverts to the original password, and you must rerun the passwd command.

  3. To remove direct root login over SSH, modify the /etc/ssh/sshd_config file by replacing the PermitRootLogin yes entry (which may be commented out as #PermitRootLogin yes) with PermitRootLogin no.

    Alternatively, you can enable/disable SSH in the Virtual Appliance Management Interface (VAMI) by selecting or deselecting the Administrator SSH login enabled check box on the Admin tab.

What to do next

Disable direct logins as root. By default, the hardened appliances allow direct login to root through the console. After you create administrative accounts for non-repudiation and test them for su-root wheel access, disable direct root logins by editing the /etc/securetty file as root and replacing the tty1 entry with console.

  1. Open the /etc/securetty file in a text editor.

  2. Locate tty1 and replace it with console.

  3. Save the file and close it.
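The following script is an added example, not part of the original procedure or the appliance's own tooling: it verifies the end state of both the sshd_config edit in step 3 above and the /etc/securetty edit in the steps just listed, so an administrator can confirm the hardening took effect before logging out of the root session. It reads the files read-only; the sample files it creates are constructed for a stand-alone run, and the real paths are passed in as arguments.

```shell
#!/bin/sh
# Added example: check that root SSH login is disabled, that wheel is an
# allowed SSH group, and that securetty limits direct root login to console.
# Assumption: plain sshd_config keyword/value lines; Match blocks are not handled.

# Effective value of an sshd_config keyword. sshd uses the first value it
# obtains for a keyword, so the first non-comment match wins here as well.
sshd_effective() {
    # $1 = file, $2 = keyword (matched case-insensitively)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Returns 0 when PermitRootLogin is "no" and wheel appears in AllowGroups.
check_sshd_config() {
    prl=$(sshd_effective "$1" PermitRootLogin)
    ag=$(sshd_effective "$1" AllowGroups)
    [ "$prl" = "no" ] || { echo "PermitRootLogin is '${prl:-unset}' (must be no)"; return 1; }
    case " $ag " in
        *" wheel "*) ;;
        *) echo "AllowGroups does not include wheel"; return 1 ;;
    esac
    echo "sshd_config: root login disabled, wheel allowed"
}

# Returns 0 when securetty lists console and no longer lists tty1.
check_securetty() {
    grep -qx 'console' "$1" || { echo "securetty: console entry missing"; return 1; }
    if grep -qx 'tty1' "$1"; then
        echo "securetty: tty1 still permits direct root login"; return 1
    fi
    echo "securetty: direct root login limited to console"
}

# Constructed sample files for a stand-alone run; on an appliance pass
# /etc/ssh/sshd_config and /etc/securetty instead.
tmp=$(mktemp -d)
printf '#PermitRootLogin yes\nPermitRootLogin no\nAllowGroups wheel sshd\n' > "$tmp/sshd_config"
printf 'console\ntty2\n' > "$tmp/securetty"
check_sshd_config "$tmp/sshd_config"
check_securetty "$tmp/securetty"
rm -rf "$tmp"
```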