As a security best practice, create and configure local administrative accounts for Secure Shell (SSH) on your virtual appliance host machines. Also, remove root SSH access after you create the appropriate accounts.
Create local administrative accounts for SSH, or members of the secondary wheel group, or both. Before you disable direct root access, test that authorized administrators can access SSH by using AllowGroups, and that they can su to root using the wheel group.
- Log in to the virtual appliance as root and run the following commands with the appropriate username.
# useradd -g users <username> -G wheel -m -d /home/username # passwd username
Wheel is the group specified in AllowGroups for ssh access. To add multiple secondary groups, use
- Switch to the user and provide a new password to enforce password complexity checking.
# su –username # username@hostname:~>passwd
If the password complexity is met, the password updates. If the password complexity is not met, the password reverts to the original password, and you must rerun the password command.
- To remove direct login to SSH, modify the/etc/ssh/sshd_config file by replacing
Alternatively, you can enable/disable SSH in the Virtual Appliance Management Interface (VAMI) by selecting or deselecting the Administrator SSH login enabled check box on the Admin tab.
What to do next
Disable direct logins as root. By default, the hardened appliances allow direct login to root through the console. After you create administrative accounts for non-repudiation and test them for su-root wheel access, disable direct root logins by editing the /etc/security file as root and replacing the
tty1 entry with
Open the /etc/securetty file in a text editor.
tty1and replace it with
Save the file and close it.