Hardening SSH - BlueCat Integrity - 9.5.0

Address Manager Administration Guide

Locale: English
Product name: BlueCat Integrity
Version: 9.5.0

Starting in Address Manager v9.5.0, a script has been added to Address Manager servers for hardening of the SSH service. Running the hardening script will prevent the use of weak algorithms by removing them from the SSH client and daemon configurations.

Attention: The script must be run manually on every v9.5.0 Address Manager server on which you want SSH hardened. SSH is not hardened by default, either on new v9.5.0 servers or on servers upgraded to v9.5.0.
Attention: When creating trust relationships, Address Manager v9.4.x servers and earlier use SSH algorithms that are no longer valid with hardened SSH enabled. For servers that have been upgraded to v9.5.0 while maintaining an established trust relationship, you must refresh the SSH keys in the trust relationship before running the SSH hardening script. This will generate and transfer new keys that are valid with hardened SSH (ed25519) between all Address Manager servers in the trust relationship. For more information on refreshing the SSH keys in a trust relationship, refer to Refreshing Address Manager keys in a trust relationship. After refreshing the keys, perform SSH hardening as described below on each Address Manager server individually. All Address Manager servers in the trust relationship must be manually hardened, as trust relationships will not work with a mixture of hardened and non-hardened servers.

To harden SSH on an Address Manager server:

  1. Log in to the Address Manager server Administration Console as root.
    Note: For more information on root credentials, refer to Setting the root password.
  2. Locate the harden_ssh.sh script. The script is found in the following location on Address Manager server appliances:
    /usr/local/bluecat/harden_ssh.sh
  3. Run the script. The console will prompt you with a warning:
    $ ./harden_ssh.sh
    
    *** WARNING ***
    Running this script results in a restart of the SSH daemon.
    Any active SSH connections will be terminated!
    
    Reconnect via SSH after completion of this script to verify
    that the contents of the following files are uncommented:
    - /etc/ssh/sshd_config.d/bluecat_hardened_ssh.conf
    - /etc/ssh/ssh_config.d/bluecat_hardened_ssh.conf
    
    Do you want to proceed? (y/n)
    Warning: Running the script will terminate all active SSH sessions.
    Enter y to run the script. If you are connected remotely via SSH, your session will terminate.

  4. If you were connected via SSH, re-establish connection to the Address Manager server. Verify that the contents of the following files are not commented out:
    /etc/ssh/sshd_config.d/bluecat_hardened_ssh.conf
    /etc/ssh/ssh_config.d/bluecat_hardened_ssh.conf

Weakening SSH (reverting Hardened SSH changes)

The SSH hardening changes can be easily reversed by performing the process detailed above with the weaken_ssh.sh script. The script is found in the following location on Address Manager server appliances:
/usr/local/bluecat/weaken_ssh.sh
In the same manner as above, you will be prompted with a warning before proceeding. Enter y to run the script, re-establish the connection to the console if necessary, then verify that the contents of the following files are commented out:
/etc/ssh/sshd_config.d/bluecat_hardened_ssh.conf
/etc/ssh/ssh_config.d/bluecat_hardened_ssh.conf
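
As an added example (not BlueCat's harden_ssh.sh or weaken_ssh.sh, and not code from the original page), the following POSIX shell helper checks the two end states the guide tells you to verify: after harden_ssh.sh the two bluecat_hardened_ssh.conf files should contain uncommented directives, and after weaken_ssh.sh they should be fully commented out. It also reads a `sshd -T` style dump of the effective daemon configuration and reports any algorithm from a weak list that the daemon would still negotiate. The set of algorithms treated as weak, the use of `sshd -T`, and the sample dumps are assumptions of this example; the guide names only the two file paths.

```shell
#!/bin/sh
# Added verification helper for the hardening/weakening procedures above.
# Not BlueCat's own script: it only inspects the outcome. Assumptions that
# are not taken from the guide: the "weak" algorithm list below and the use
# of `sshd -T` to dump the effective daemon configuration.

# The two files the guide says to inspect after running either script.
HARDENED_FILES="/etc/ssh/sshd_config.d/bluecat_hardened_ssh.conf
/etc/ssh/ssh_config.d/bluecat_hardened_ssh.conf"

# Succeed (0) if FILE exists and holds at least one line that is neither
# blank nor a comment, i.e. the hardened state. Fail (1) if the file is
# missing or every line is commented out, i.e. the weakened state.
has_active_directives() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*[^#[:space:]]' "$1"
}

# Read "keyword value" lines (the format printed by `sshd -T` and `ssh -G`)
# on stdin, print every algorithm from the assumed weak set that is still
# offered, and return 1 if any was found, 0 otherwise.
find_weak_algorithms() {
    # Assumed weak set: legacy ciphers, MD5/SHA-1 MACs, SHA-1 key exchange,
    # DSA host keys and SHA-1-signed RSA ("ssh-rsa") host keys.
    weak='3des-cbc|arcfour.*|hmac-md5.*|hmac-sha1.*|diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|ssh-dss|ssh-rsa'
    found=0
    while read -r keyword value; do
        case "$keyword" in
            ciphers|macs|kexalgorithms|hostkeyalgorithms|pubkeyacceptedalgorithms)
                for algo in $(printf '%s\n' "$value" | tr ',' ' '); do
                    if printf '%s\n' "$algo" | grep -Eq "^($weak)\$"; then
                        printf 'WEAK %s: %s\n' "$keyword" "$algo"
                        found=1
                    fi
                done
                ;;
        esac
    done
    return "$found"
}

# Constructed sample dumps in `sshd -T` format (not output from a real
# Address Manager server) so the check can be exercised offline.
sample_dump_before_hardening() {
    cat <<'EOF'
ciphers aes256-gcm@openssh.com,aes128-ctr,3des-cbc
macs hmac-sha2-256-etm@openssh.com,hmac-sha1
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,ssh-rsa
EOF
}

sample_dump_after_hardening() {
    cat <<'EOF'
ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org
hostkeyalgorithms ssh-ed25519
EOF
}

# Full check for a hardened server: both files active, no weak algorithms
# left in the effective daemon configuration. Returns 0 on success.
verify_hardening() {
    rc=0
    for f in $HARDENED_FILES; do
        if has_active_directives "$f"; then
            echo "OK   $f has active directives"
        else
            echo "FAIL $f is missing or fully commented out"
            rc=1
        fi
    done
    if command -v sshd >/dev/null 2>&1; then
        # `sshd -T` needs root; if it fails, the empty input yields no findings.
        sshd -T 2>/dev/null | find_weak_algorithms || rc=1
    else
        echo "SKIP sshd not found; effective configuration not checked"
    fi
    return "$rc"
}

# Only run the live check when invoked as `check`, so the file can also be
# sourced for its functions or run on a host without sshd.
if [ "${1:-}" = "check" ]; then
    verify_hardening
fi
```

Run it as root after reconnecting (`sh verify_ssh_hardening.sh check`); to confirm the reverted state after weaken_ssh.sh, source the file and expect `has_active_directives` to fail for both paths. The client-side file can be checked the same way by piping `ssh -G localhost` into `find_weak_algorithms`, since `ssh -G` prints the same lowercase keyword format.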