Address Manager servers contain a script for Address Manager SSH hardening that can be accessed by root users from the console. Address Manager v9.5.0 introduced the harden_ssh.sh script to disable the use of legacy or less preferred MAC, key exchange, and host key algorithms, and to restrict the accepted ciphers (level 1). In Address Manager v26.1.0, the harden_ssh.sh script has been enhanced to support an additional level of SSH hardening with stricter algorithm and cipher restrictions (level 2). The harden_ssh.sh script is also available on DNS/DHCP Servers; for more information, refer to DNS/DHCP Server SSH hardening.
SSH hardening

SSH hardening levels

Level 1
- MACs: hmac-sha2-512,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256,umac-128@openssh.com,umac-64-etm@openssh.com,umac-64@openssh.com
- Key exchange algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
- Host key algorithms: ecdsa-sha2-nistp256,ssh-rsa
- Ciphers: aes128-ctr,aes192-ctr,aes256-ctr

Level 2
- MACs: hmac-sha2-512,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256,umac-128@openssh.com,umac-64-etm@openssh.com,umac-64@openssh.com,umac-128-etm@openssh.com
- Key exchange algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 (same as level 1)
- Host key algorithms: ecdsa-sha2-nistp256,ssh-rsa (same as level 1)
- Ciphers: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
To harden SSH on an Address Manager server:
- Log in to the Address Manager server Administration Console as root.
  Note: For more information on root credentials, refer to Setting the root password.
- Locate the harden_ssh.sh script. The script is found in the following location on Address Manager server appliances: /usr/local/bluecat/harden_ssh.sh
- From the /usr/local/bluecat folder, run ./harden_ssh.sh 1 to apply level 1 SSH hardening, or run ./harden_ssh.sh 2 to apply level 2 SSH hardening.

  $ ./harden_ssh.sh [1|2]
  *** WARNING ***
  Running this script results in a restart of the SSH daemon. Any active SSH connections will be terminated!
  Reconnect via SSH after completion of this script to verify that the contents of the following files are uncommented:
  - /etc/ssh/sshd_config.d/bluecat_hardened_ssh.conf
  - /etc/ssh/ssh_config.d/bluecat_hardened_ssh.conf
  Do you want to proceed? (y/n)

  Warning: Running the script will terminate all active SSH sessions.
  Enter y to run the script. If you are connected remotely via SSH, your session will terminate.
- If you were connected via SSH, re-establish the connection to the Address Manager server.
- Verify that the configuration entries in the following files are uncommented (active):
  /etc/ssh/sshd_config.d/bluecat_hardened_ssh.conf
  /etc/ssh/ssh_config.d/bluecat_hardened_ssh.conf
Weakening SSH (reverting Hardened SSH changes)

To revert the hardened SSH changes, locate the weaken_ssh.sh script. The script is found in the following location on Address Manager server appliances: /usr/local/bluecat/weaken_ssh.sh

In the same manner as above, you will be prompted with a warning before proceeding. Enter y to run the script, re-establish the connection to the console if necessary, then verify that the configuration entries in the following files are commented out (inactive):
/etc/ssh/sshd_config.d/bluecat_hardened_ssh.conf
/etc/ssh/ssh_config.d/bluecat_hardened_ssh.conf
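The two verification steps (entries uncommented after harden_ssh.sh, commented out after weaken_ssh.sh) and the level tables above can be checked mechanically rather than by eye. The following Python script is an added example; it is not BlueCat's code and not part of harden_ssh.sh or weaken_ssh.sh. It assumes the drop-in files use the standard OpenSSH directive names (Ciphers, MACs, KexAlgorithms, HostKeyAlgorithms), and every sample file body in it is constructed. Because `sshd -T` prints the effective configuration in the same "keyword value" shape, the same parser also confirms, after you reconnect, that the running daemon offers exactly the chosen level's algorithm set and nothing outside it.

```python
"""Check a BlueCat-style SSH hardening drop-in, or `sshd -T` output, against the
level 1 / level 2 tables. Added example, not Address Manager product code.
Assumption: the drop-in uses the standard OpenSSH directive names below."""
from pathlib import Path

DIRECTIVES = ("ciphers", "macs", "kexalgorithms", "hostkeyalgorithms")

# Algorithm sets transcribed from the level tables in the documentation.
_L1_MACS = {
    "hmac-sha2-512", "hmac-sha1", "hmac-sha1-etm@openssh.com", "hmac-sha2-256",
    "umac-128@openssh.com", "umac-64-etm@openssh.com", "umac-64@openssh.com",
}
_KEX = {
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1",
}
_HOSTKEY = {"ecdsa-sha2-nistp256", "ssh-rsa"}
LEVELS = {
    1: {"ciphers": {"aes128-ctr", "aes192-ctr", "aes256-ctr"},
        "macs": _L1_MACS, "kexalgorithms": _KEX, "hostkeyalgorithms": _HOSTKEY},
    2: {"ciphers": {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr"},
        "macs": _L1_MACS | {"umac-128-etm@openssh.com"},
        "kexalgorithms": _KEX, "hostkeyalgorithms": _HOSTKEY},
}

# Files named in the procedure; only read when the script is run directly.
DROPIN_FILES = ("/etc/ssh/sshd_config.d/bluecat_hardened_ssh.conf",
                "/etc/ssh/ssh_config.d/bluecat_hardened_ssh.conf")

# Constructed sample: what a level 1 drop-in would look like (directive names assumed).
SAMPLE_LEVEL1_DROPIN = """\
# constructed sample of a level 1 drop-in
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-512,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256,umac-128@openssh.com,umac-64-etm@openssh.com,umac-64@openssh.com
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
HostKeyAlgorithms ecdsa-sha2-nistp256,ssh-rsa
"""
# Constructed: the same file after weaken_ssh.sh, every entry commented out.
SAMPLE_WEAKENED_DROPIN = "\n".join(
    "#" + l if l and not l.startswith("#") else l for l in SAMPLE_LEVEL1_DROPIN.splitlines())
# Constructed: `sshd -T` output from a host hardened at level 2 (keywords are lowercase).
SAMPLE_SSHD_T = """\
port 22
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
macs hmac-sha2-512,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256,umac-128@openssh.com,umac-64-etm@openssh.com,umac-64@openssh.com,umac-128-etm@openssh.com
kexalgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
hostkeyalgorithms ecdsa-sha2-nistp256,ssh-rsa
"""


def parse_config(text):
    """Return (active, commented): maps of directive -> set of algorithm names.
    A line whose first non-blank character is '#' counts as commented out."""
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        is_comment = line.startswith("#")
        parts = line.lstrip("# ").split(None, 1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()
        if key not in DIRECTIVES:
            continue
        algs = {a.strip() for a in parts[1].split(",") if a.strip()}
        (commented if is_comment else active)[key] = algs
    return active, commented


def hardening_state(text):
    """'hardened' if every directive is active, 'weakened' if all are commented
    out and none active (the weaken_ssh.sh end state), otherwise 'partial'."""
    active, commented = parse_config(text)
    if all(d in active for d in DIRECTIVES):
        return "hardened"
    if not active and all(d in commented for d in DIRECTIVES):
        return "weakened"
    return "partial"


def detect_level(text):
    """Return the level whose table exactly matches the active directives, else None."""
    active, _ = parse_config(text)
    for level, table in LEVELS.items():
        if all(active.get(d) == table[d] for d in DIRECTIVES):
            return level
    return None


def unexpected_algorithms(text, level):
    """Active algorithms that the given level's table does not include, per directive."""
    active, _ = parse_config(text)
    return {d: active.get(d, set()) - LEVELS[level][d]
            for d in DIRECTIVES if active.get(d, set()) - LEVELS[level][d]}


if __name__ == "__main__":
    for path in DROPIN_FILES:
        p = Path(path)
        if not p.exists():
            print(f"{path}: not found")
            continue
        body = p.read_text()
        print(f"{path}: {hardening_state(body)}, level {detect_level(body)}")
```

Run it as root on the appliance after reconnecting to report the state of both drop-in files; to check the daemon rather than the file, feed the output of `sshd -T` to `detect_level` and `unexpected_algorithms` with the level you applied. An empty result from `unexpected_algorithms` means nothing outside the chosen level's table is being offered, which is the property the hardening is meant to guarantee.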