How to configure SSHD in order to limit host access to your VMware deployment, or to
change the SSHD cipher level.
About this task
The following instructions show how to configure SSHD in order to limit VMware access to a
certain set of IP addresses, and how to change the SSHD cipher level.
Attention:
- SSHD configuration settings are not included in the IBM® API Connect backups. However, the
settings are kept when you upgrade to a new fix pack.
- If you change the SSHD cipher level and encounter issues with the new configuration, you must
revert your cipher changes and retest. If you still have issues after retesting with the original
cipher level that came with IBM API Connect, contact IBM Support.
Procedure
- The following instructions show you how to configure SSHD in order to limit VMware access
to a certain set of IP addresses.
- Log in to the target virtual machine by using an SSH tool, and switch to the root
user. For example, to log in to the Management subsystem, run the following commands:
ssh ip_address -l apicadm
sudo -i
- Move to the following folder:
- Create a new configuration file with the extension .conf that
contains the IP address of the host that you want to allow to access your deployment.
For example, to create the file, run the following command:
vi filename.conf
Then, edit the file by using the following format, which in this example allows users
from IP address 123.135.1.2:
AllowUsers *@123.135.1.2
Additional hosts can be added by separating the IP address patterns with a space. For example:
AllowUsers *@123.135.1.2 *@135.168.1.2
- Restart the SSHD service by running the following command:
systemctl restart sshd.service
- The following instructions show you how to modify the cryptographic ciphers or algorithms
in use by SSHD.
- Log in to the target virtual machine by using an SSH tool, and switch to the root
user. For example, to log in to the Management subsystem, run the following commands:
ssh ip_address -l apicadm
sudo -i
- Move to the following folder:
- Create a new configuration file with the extension .conf that
contains the list of ciphers and algorithms that you want to support.
For example, if you want to remove the 128-bit UMAC algorithms (the two umac-128 entries)
from the following list of currently supported MACs:
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Create the .conf file by running the following command:
vi filename.conf
Then, remove those entries from the list by adding the following line to the file:
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
- Restart the SSHD service by running the following command:
systemctl restart sshd.service
Results
Your SSHD configuration is updated to limit access to your VMware deployment to a certain set of IP
addresses, or to change the cipher level.
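The following added example is not part of the IBM procedure. It derives the reduced MACs line from the current one and audits the effective settings that `sshd -T` (OpenSSH extended test mode) reports. The function names `strip_macs` and `audit_effective` are hypothetical, and the sample data is constructed from the values shown above.

```shell
#!/bin/sh
# Added example, not IBM code. Function names are hypothetical.

# Print the "MACs a,b,c" line $1 without the algorithms matching glob $2.
# The body runs in a subshell so that the IFS change stays local.
strip_macs() (
    list=${1#MACs }; out=; IFS=,
    for alg in $list; do
        case $alg in
            $2) ;;                          # matches the glob: dropped
            *)  out=${out:+$out,}$alg ;;
        esac
    done
    printf 'MACs %s\n' "$out"
)

# Read `sshd -T` style output on stdin (lowercase keywords, one allowusers
# line per pattern). Return 1 if an enabled MAC matches glob $1 or if an
# allowusers pattern is missing from the space-separated allow-list $2.
audit_effective() {
    rc=0
    while read -r key value; do
        case $key in
            macs)
                case ",$value," in
                    *,$1,*) echo "MAC still enabled, matches: $1" >&2; rc=1 ;;
                esac ;;
            allowusers)
                case " $2 " in
                    *" $value "*) ;;        # pattern is on the allow-list
                    *) echo "unexpected AllowUsers pattern: $value" >&2; rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# Constructed sample: the currently supported MACs list shown in the procedure.
current='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
strip_macs "$current" 'umac-*'

# On the virtual machine, as root, after creating the .conf files:
#   sshd -T | audit_effective 'umac-*' '*@123.135.1.2 *@135.168.1.2'
```

Running `sshd -t` before `systemctl restart sshd.service` catches syntax errors in the new .conf file. Keep the current SSH session open until a second login from an allowed address succeeds.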