Configuring SSHD to limit access to your deployment

How to configure SSHD in order to limit host access to your VMware deployment, or to change the SSHD cipher level.

About this task

The following instructions show how to configure SSHD in order to limit VMware access to a certain set of IP addresses, and how to change the SSHD cipher level.

Attention:
  • SSHD configuration settings are not included in the IBM® API Connect backups. However, the settings are kept when you upgrade to a new fix pack.
  • If you change the SSHD cipher level, and encounter issues with the new configuration, you must revert your cipher changes and retest. If after the retest with the original cipher level that came with IBM API Connect you still have issues, contact IBM Support.

Procedure

  • The following instructions show you how to configure SSHD in order to limit VMware access to a certain set of IP addresses.
    1. Log in to the target virtual machine by using an SSH tool, and switch to the root user. For example, to log in to the Management subsystem, run the following commands:
      ssh ip_address -l apicadm
      sudo -i
    2. Move to the following folder:
      /etc/ssh/sshd_config.d
    3. Create a new configuration file with the extension .conf that contains the IP address of the host that you want to allow to access your deployment.
      For example, to create the file run the following command:
      vi filename.conf

      Then, edit the file by using the following format, which in this example allows any user from IP address 123.135.1.2:

      AllowUsers *@123.135.1.2
      Add further hosts by separating the IP address patterns with a space. For example:
      AllowUsers *@123.135.1.2 *@135.168.1.2
    4. Restart the SSHD service by running the following command:
      systemctl restart sshd.service
  • The following instructions show you how to modify the cryptographic ciphers or algorithms in use by SSHD.
    1. Log in to the target virtual machine by using an SSH tool, and switch to the root user. For example, to log in to the Management subsystem, run the following commands:
      ssh ip_address -l apicadm
      sudo -i
    2. Move to the following folder:
      /etc/ssh/sshd_config.d
    3. Create a new configuration file with the extension .conf that contains the list of ciphers and algorithms that you want to support.
      For example, if you want to remove the 128-bit UMAC algorithms (umac-128-etm@openssh.com and umac-128@openssh.com) from the following list of currently supported MACs:
      MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

      Create the .conf file by running the following command:
      vi filename.conf

      Then, remove those algorithms from the list by adding the following line, which names only the MACs to keep, to the file:

      MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
    4. Restart the SSHD service by running the following command:
      systemctl restart sshd.service
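    The following script is an added example and is not part of the IBM API Connect documentation. It carries out both procedures above in one pass: it builds the AllowUsers drop-in and the trimmed MACs drop-in, validates the complete sshd configuration with sshd -t before restarting, and prints the effective values with sshd -T. The IP addresses, the file names 10-allowed-hosts.conf and 20-macs.conf, and the SSHD_CONF_DIR override are constructed samples and assumptions, not values from the product.

```shell
#!/bin/sh
# Added example, not part of the IBM API Connect documentation: builds the two
# sshd drop-in files from the procedures above (AllowUsers and MACs), validates
# the whole sshd configuration with `sshd -t` before restarting, and prints the
# effective values with `sshd -T`. Run as root on the VM: `sh sshd-dropins.sh apply`.
# SSHD_CONF_DIR is an assumed override so the functions can be exercised in a
# scratch directory; the IP addresses and file names below are constructed samples.
set -eu

SSHD_CONF_DIR="${SSHD_CONF_DIR:-/etc/ssh/sshd_config.d}"

# allow_users_line ADDR... : print "AllowUsers *@ADDR1 *@ADDR2 ..."
# (any user name, but only from the listed source addresses).
allow_users_line() {
    line="AllowUsers"
    for addr in "$@"; do
        line="$line *@$addr"
    done
    printf '%s\n' "$line"
}

# remove_macs LIST PATTERN : print LIST (a comma-separated MACs value) with
# every entry that matches the shell glob PATTERN removed, e.g. 'umac-128*'.
remove_macs() {
    list=$1
    pattern=$2
    out=""
    old_ifs=$IFS
    IFS=,
    for mac in $list; do
        case "$mac" in
            $pattern) ;;                      # drop the matching algorithm
            *) out="${out:+$out,}$mac" ;;     # keep it, re-joining with commas
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# write_dropin NAME CONTENT : write $SSHD_CONF_DIR/NAME.conf readable by root
# only, and print the path.
write_dropin() {
    path="$SSHD_CONF_DIR/$1.conf"
    mkdir -p "$SSHD_CONF_DIR"
    printf '%s\n' "$2" > "$path"
    chmod 0600 "$path"
    printf '%s\n' "$path"
}

# validate_and_restart : refuse to restart on a configuration that sshd rejects,
# so a typo in a drop-in cannot lock every administrator out. Needs root
# (sshd -t reads the host keys). Without sshd installed this is a dry run.
validate_and_restart() {
    if ! command -v sshd >/dev/null 2>&1; then
        echo "sshd not found: dry run, validation and restart skipped"
        return 0
    fi
    sshd -t                                   # non-zero exit aborts under set -e
    sshd -T | grep -Ei '^(allowusers|macs) ' || true   # show effective values
    systemctl restart sshd.service
}

main() {
    # Constructed sample addresses, as in the procedure text.
    write_dropin 10-allowed-hosts "$(allow_users_line 123.135.1.2 135.168.1.2)"
    current='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
    write_dropin 20-macs "MACs $(remove_macs "$current" 'umac-128*')"
    validate_and_restart
}

# Only write to the live configuration when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    main
fi
```

    Two checks matter when applying this on a live VM. Once any AllowUsers directive exists, sshd denies every login that matches none of its patterns, so the address you administer from must be in the list; keep the current session open until a fresh login succeeds. For the MACs change, OpenSSH keeps the first value it reads for most keywords, so read the sshd -T output to confirm that the drop-in, and not a MACs line earlier in sshd_config, supplied the effective list.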

Results

Your SSHD configuration is updated to limit access to your VMware deployment to a certain set of IP addresses, or to change the cipher level.