Configuring the SSH service
By default, the SSH service is disabled. When enabled, the SSH service binds to the defined local IP-address-port combination.
Without an explicit local address, the SSH service attempts to bind to the management Ethernet interface. If the management Ethernet interface is not defined, the SSH service binds to all configured interfaces.
Be sure to define an explicit IP address to isolate management traffic from application data traffic.
If any of the Ethernet interfaces on the appliance are connected to the internet, or a similar open access network, you might want to prevent access to the SSH service from those interfaces. By restricting the Ethernet interface that can be used to access the SSH service, you can ensure that the service can be accessed only from an internal network. This restriction makes your environment more secure.
You can also fine-tune the ciphers that the SSH service uses, and the order in which they are offered.
Establishing an SSH session
You can configure SSH authentication to use user certificates, or user passwords. See SSH authentication for CLI sessions. If you specify the Password method, the user specifies their user name as part of invoking SSH. They are then prompted for their password. If you specify the certificate method, the user is not prompted for any input; authentication uses a CA-signed user certificate. You can also specify the certificate and password options together, so that if the user does not have a valid certificate, they can enter a password.
Establishing an SSH session - legacy behavior
If you do not explicitly set up the method of SSH authentication for CLI sessions (see SSH authentication for CLI sessions), the legacy behavior remains. Under the legacy behavior, the user establishes the SSH connection and then specifies both username and password.
Using the legacy method, the IBM® MQ Appliance requires an interactive process to protect credentials during the SSL handshake. The IBM MQ Appliance initiates a secure channel and provides for an encrypted login process.
As a side effect of the initial connection, and depending on your SSH client, you might see an extraneous "login as:" prompt. To bypass it, press Enter.
login as:
Unauthorized access prohibited.
login: