Where possible, the Virtual Application Installation (OVF) has a default hardened configuration. Users can verify that their configuration is appropriately hardened by examining the server and client service in the global options section of the configuration file.
Procedure
- Open the /etc/ssh/sshd_config server configuration file and verify that the settings are correct.
Setting Status Server Daemon Protocol Protocol 2 Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr TCP Forwarding AllowTCPForwarding no Server Gateway Ports Gateway Ports no X11 Forwarding X11Forwarding no SSH Service Use the AllowGroups field and specify a group permitted to access and add members to the secondary group for users permitted to use the service. GSSAPI Authentication GSSAPIAuthentication no, if unused Kerberos Authentication KerberosAuthentication no, if unused Local Variables (AcceptEnv global option) Set to disabled by commenting out or enabled for only LC_* or LANG variables Tunnel Configuration PermitTunnel no Network Sessions MaxSessions 1 Strict Mode Checking Strict Modes yes Privilege Separation UsePrivilegeSeparation yes rhosts RSA Authentication RhostsRSAAuthentication no Compression Compression delayed or Compression no Message Authentication code [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-sha1 User Access Restriction PermitUserEnvironment no KexAlgorithms diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 - Ensure that the ListenAddress line is uncommented and set to a valid local IP.
For example, ListenAddress 0.0.0.0
Replace 0.0.0.0 with the IP address of the vRealize Operations node.
For example, ListenAddress 192.168.168.10
- Save your changes and close the file. At the command line, execute the following command to apply the changed settings:
# systemctl restart sshd.service