Starting in Address Manager v9.5.0, a script has been added to Address Manager servers for hardening of the SSH service. Running the hardening script will prevent the use of weak algorithms by removing them from the SSH client and daemon configurations.
ed25519) between all Address Manager servers in the trust relationship.
For more information on refreshing the SSH keys in a trust relationship, refer to Refreshing Address Manager keys in a trust relationship. After refreshing the keys, perform SSH hardening as described
below on each Address Manager server individually. All Address Manager servers in the
trust relationship must be manually hardened, as trust relationships will not work with a
mixture of hardened and non-hardened servers.
To harden SSH on an Address Manager server:
- Login to the Address Manager server Administration Console as root.Note: For more information on root credentials, refer to Setting the root password.
- Locate the
harden_ssh.shscript. The script is found in the following location on Address Manager server appliances:
- The console will prompt the user with a warning.
$ ./harden_ssh.sh *** WARNING *** Running this script results in a restart of the SSH daemon. Any active SSH connections will be terminated! Reconnect via SSH after completion of this script to verify that the contents of the following files are uncommented: - /etc/ssh/sshd_config.d/bluecat_hardened_ssh.conf - /etc/ssh/ssh_config.d/bluecat_hardened_ssh.conf Do you want to proceed? (y/n)Warning: Running the script will terminate all active SSH sessions.Enter
yto run the script. If you are connected remotely via SSH, your session will terminate.
- If you were connected via SSH, re-establish connection to the Address Manager server.
Verify that the contents of the following files are not commented out:
Weakening SSH (reverting Hardened SSH changes)
weaken_ssh.sh script. The script is found in the following location
on Address Manager server appliances:
the same manner as above, you will be prompted with a warning before proceeding. Enter
y to run the script, re-establish connection to the console if necessary,
then verify that the content of the following files are commented out: