Remove SHA1 from SSH service in VMware Aria Operations for Logs 8.12.x and 8.14.x

Article ID: 312257

Products

VMware Aria Suite

Issue/Introduction

To comply with security policies, the SHA1 algorithm can be safely removed from the SSH service in VMware Aria Operations for Logs.

Note: VMware Aria Operations for Logs 8.14 and later do not use SHA1 by default. SHA1 may still be in use only if VMware Aria Operations for Logs 8.14 was upgraded from an older version.

Environment

VMware Aria Operations for Logs 8.12.x
VMware Aria Operations for Logs 8.14.x

Resolution

To remove the SHA1-based algorithms and SSH-RSA-based key usage from the SSH service, follow the steps below for your version of VMware Aria Operations for Logs.

VMware Aria Operations for Logs 8.12.x

  1. Log in to the Primary node as root via SSH or Console.
  2. Run the following command to back up the /etc/ssh/sshd_config file:
     cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
  3. Run the following command to open /etc/ssh/sshd_config in a text editor:
     vi /etc/ssh/sshd_config
  4. Press i to enter insert mode.
  5. Find the KexAlgorithms line and modify it to match the following:
     KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
     Note: If the line does not exist, add it manually to the end of the file.
  6. Find the MACs line and modify it to match the following:
     MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
  7. At the end of the file, add the following lines:
     PubkeyAcceptedKeyTypes -ssh-rsa,[email protected]
     HostKeyAlgorithms -ssh-rsa,[email protected]
     HostbasedAcceptedKeyTypes -ssh-rsa,[email protected]
  8. Press Esc, then type :wq and press Enter to save and close the file.
  9. Run the following command to restart the sshd service:
     systemctl restart sshd
  10. Repeat steps 1-9 on all other VMware Aria Operations for Logs nodes.
 

VMware Aria Operations for Logs 8.14.x

  1. Log in to the Primary node as root via SSH or Console.
  2. Run the following command to back up the /etc/ssh/sshd_config file:
     cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
  3. Run the following command to open /etc/ssh/sshd_config in a text editor:
     vi /etc/ssh/sshd_config
  4. Press i to enter insert mode.
  5. Find the MACs line and modify it to match the following:
     MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
  6. At the end of the file, add the following line:
     KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
  7. Press Esc, then type :wq and press Enter to save and close the file.
  8. Run the following command to restart the sshd service:
     systemctl restart sshd
  9. Repeat steps 1-8 on all other VMware Aria Operations for Logs nodes.
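
A check that can follow either procedure above, as an added example that is not part of the original article: it scans the effective configuration printed by `sshd -T` and lists any SHA1-based key exchange, MAC or ssh-rsa key algorithm that is still enabled. The function name find_sha1_algos and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag SHA1-based algorithms in `sshd -T` style output.

# Reads "keyword value,value,..." lines on stdin and prints one
# "keyword: algorithm" line per SHA1-based entry.
# Returns 0 when nothing is found, 1 when at least one entry is flagged.
find_sha1_algos() {
    awk '
        BEGIN { found = 0 }
        {
            key = tolower($1)
            # Only the algorithm lists touched by the procedure are inspected.
            if (key !~ /^(kexalgorithms|macs|hostkeyalgorithms|pubkeyaccepted(keytypes|algorithms)|hostbasedaccepted(keytypes|algorithms))$/)
                next
            n = split($2, algos, ",")
            for (i = 1; i <= n; i++) {
                a = algos[i]
                # Any name containing "sha1", plain ssh-rsa, and its
                # certificate variants all rely on SHA1.
                if (a ~ /sha1/ || a == "ssh-rsa" || a ~ /^ssh-rsa-cert-/) {
                    print key ": " a
                    found = 1
                }
            }
        }
        END { exit found }
    '
}

# Constructed sample: effective settings on a node before the change.
sample_before() {
    cat <<'EOF'
port 22
kexalgorithms ecdh-sha2-nistp256,diffie-hellman-group14-sha1
macs hmac-sha2-512,hmac-sha1
hostkeyalgorithms ssh-rsa,ecdsa-sha2-nistp256
EOF
}

# Constructed sample: effective settings after the change.
sample_after() {
    cat <<'EOF'
port 22
kexalgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
macs hmac-sha2-512,hmac-sha2-256
hostkeyalgorithms ecdsa-sha2-nistp256,rsa-sha2-512
EOF
}
```

On a node, run `sshd -T | find_sha1_algos` as root after the restart; no output and an exit status of 0 mean no SHA1-based algorithm is still offered.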

Additional Information

To revert the steps and restore SHA1 to the SSH service, complete the following:
  1. Log in to the Primary node as root via SSH or Console.
  2. Run the following command to restore the backed-up sshd_config file:
     cp /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
  3. Run the following command to restart the sshd service:
     systemctl restart sshd
  4. Repeat steps 1-3 on all other VMware Aria Operations for Logs nodes.