Starting in Address Manager v9.5.0, a script has been added to Address Manager servers for hardening of the SSH service. Running the hardening script will prevent the use of weak algorithms by removing them from the SSH client and daemon configurations.
Attention: The script must be run manually on all v9.5.0 Address Manager servers
that users wish to harden SSH on. SSH is not hardened by default for new v9.5.0 servers
or servers upgraded to v9.5.0.
Attention: When creating trust relationships, Address Manager v9.4.x servers and
earlier use SSH algorithms that are no longer valid with hardened SSH enabled. For servers
that have been upgraded to v9.5.0 while maintaining an established trust relationship, you
must refresh the SSH keys in the trust relationship before running the SSH hardening
script. This will generate and transfer new keys that are valid with hardened SSH
(
ed25519
) between all Address Manager servers in the trust relationship.
For more information on refreshing the SSH keys in a trust relationship, refer to Refreshing Address Manager keys in a trust relationship. After refreshing the keys, perform SSH hardening as described
below on each Address Manager server individually. All Address Manager servers in the
trust relationship must be manually hardened, as trust relationships will not work with a
mixture of hardened and non-hardened servers.To harden SSH on an Address Manager server:
- Login to the Address Manager server Administration Console as root.Note: For more information on root credentials, refer to Setting the root password.
- Locate the
harden_ssh.sh
script. The script is found in the following location on Address Manager server appliances:/usr/local/bluecat/harden_ssh.sh
- The console will prompt the user with a warning.
$ ./harden_ssh.sh *** WARNING *** Running this script results in a restart of the SSH daemon. Any active SSH connections will be terminated! Reconnect via SSH after completion of this script to verify that the contents of the following files are uncommented: - /etc/ssh/sshd_config.d/bluecat_hardened_ssh.conf - /etc/ssh/ssh_config.d/bluecat_hardened_ssh.conf Do you want to proceed? (y/n)
Warning: Running the script will terminate all active SSH sessions.Entery
to run the script. If you are connected remotely via SSH, your session will terminate. - If you were connected via SSH, re-establish connection to the Address Manager server.
Verify that the contents of the following files are not commented out:
/etc/ssh/sshd_config.d/bluecat_hardened_ssh.conf /etc/ssh/ssh_config.d/bluecat_hardened_ssh.conf
Weakening SSH (reverting Hardened SSH changes)
The SSH hardening changes can be easily reversed by performing the process detailed above
with the
weaken_ssh.sh
script. The script is found in the following location
on Address Manager server appliances:/usr/local/bluecat/weaken_ssh.sh
In
the same manner as above, you will be prompted with a warning before proceeding. Enter
y
to run the script, re-establish connection to the console if necessary,
then verify that the content of the following files are commented out:
/etc/ssh/sshd_config.d/bluecat_hardened_ssh.conf
/etc/ssh/ssh_config.d/bluecat_hardened_ssh.conf