Remove SHA1 from SSH service in VMware Aria Operations 8.12 and later
Article ID: 339374
Updated On:
Products
VMware Aria Suite
Issue/Introduction
To meet with security policies, the SHA1 algorithm can be safely removed from the SSH service in VMware Aria Operations.
Environment
VMware Aria Operations 8.14.x
VMware Aria Operations 8.12.x
VMware Aria Operations 8.12.x
Resolution
To remove the SHA1 based algorithms and SSH-RSA based keys usage from the SSH service, follow the steps below for your version of VMware Aria Operations.
Quick Links:
VMware Aria Operations 8.12.x
VMware Aria Operations 8.14.x
Quick Links:
VMware Aria Operations 8.12.x
VMware Aria Operations 8.14.x
VMware Aria Operations 8.12.x
- Log into the Primary node as root via SSH or Console.
- Run the following command to backup the /etc/ssh/sshd_config file:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
- Run the following command to open /etc/ssh/sshd_config in a text editor:
vi /etc/ssh/sshd_config
- Press i to enter insert mode.
- Find the KexAlgorithms line and modify it to match the following:
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
- At the end of the file, add the following lines:
PubkeyAcceptedKeyTypes -ssh-rsa,[email protected]
HostKeyAlgorithms -ssh-rsa,[email protected]
HostbasedAcceptedKeyTypes -ssh-rsa,[email protected]
HostKeyAlgorithms -ssh-rsa,[email protected]
HostbasedAcceptedKeyTypes -ssh-rsa,[email protected]
- Press Esc, then type :wq and press Enter to save and close the file.
- Run the following command to restart the sshd service:
systemctl restart sshd
- Repeats steps 1-8 on all other VMware Aria Operations nodes.
VMware Aria Operations 8.14.x
- Log into the Primary node as root via SSH or Console.
- Run the following command to backup the /etc/ssh/sshd_config file:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
- Run the following command to open /etc/ssh/sshd_config in a text editor:
vi /etc/ssh/sshd_config
- Press i to enter insert mode.
- Find the KexAlgorithms line and modify it to match the following:
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
- Press Esc, then type :wq and press Enter to save and close the file.
- Run the following command to restart the sshd service:
systemctl restart sshd
- Repeats steps 1-7 on all other VMware Aria Operations nodes.
Additional Information
To revert the steps and restore SHA1 to the SSH service, complete the following:
- Log into the Primary node as root via SSH or Console.
- Run the following command to restore the backed up sshd_config file:
cp /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
- Run the following command to restart the sshd service:
systemctl restart sshd
- Repeats steps 1-3 on all other VMware Aria Operations nodes.
Feedback
Yes
No
Powered by
