For remote connections, all hardened appliances include the Secure Shell (SSH) protocol. Use SSH only when necessary and manage it appropriately to preserve system security.
SSH is an interactive command-line environment that supports remote connections to VMware virtual appliances. By default, SSH access requires high-privileged user account credentials. Root user SSH activities generally bypass the role-based access control (RBAC) and audit controls of the virtual appliances.
As a best practice, disable SSH in a production environment, and activate it only to troubleshoot problems that you cannot resolve by other means. Leave it enabled only while needed for a specific purpose and in accordance with your organization's security policies. SSH is disabled by default on the vRealize Automation appliance. Depending on your vSphere configuration, you might enable or disable SSH when you deploy your Open Virtualization Format (OVF) template.
As a simple test to determine whether SSH is enabled on a machine, try opening a connection by using SSH. If the connection opens and requests credentials, then SSH is enabled and available for connections.
Secure Shell root User Account
Because VMware appliances do not include pre-configured user accounts, the root account can use SSH to directly log in by default. Disable SSH as root as soon as possible.
To meet the compliance standards for non repudiation, the SSH server on all hardened appliances is pre-configured with the AllowGroups wheel entry to restrict SSH access to the secondary group wheel. For separation of duties, you can modify the AllowGroups wheel entry in the /etc/ssh/sshd_config file to use another group such as sshd.
The wheel group is enabled with the
pam_wheel module for superuser access, so members of the wheel group can su-root, where the root password is required. Group separation enables users to SSH to the appliance, but not to su to root. Do not remove or modify other entries in the AllowGroups field, which ensures proper appliance functionality. After making a change, you must restart the SSH daemon by running the command:
# service sshd restart.