Remove SHA1 from SSH service in VMware Aria Operations 8.12 and later

Article ID: 339374

Products

VMware Aria Suite

Issue/Introduction

To meet security policies, the SHA1 algorithm can be safely removed from the SSH service in VMware Aria Operations.

Attempting to start the SSH service fails with the error: Failed to start OpenSSH Daemon

The error message shows: Bad SSH2 mac spec '[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,#hmac-sha1,#[email protected]'

Environment

VMware Aria Operations 8.12.x and Later

Resolution

To remove SHA1-based algorithms and the use of SSH-RSA-based keys from the SSH service, follow the steps below for your version of VMware Aria Operations.

Quick Links:
VMware Aria Operations 8.12.x
VMware Aria Operations 8.14.x
VMware Aria Operations 8.17.x
 

VMware Aria Operations 8.12.x

  1. Log into the Primary node as root via SSH or Console.
  2. Run the following command to back up the /etc/ssh/sshd_config file:
       cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
  3. Run the following command to open /etc/ssh/sshd_config in a text editor:
       vi /etc/ssh/sshd_config
  4. Press i to enter insert mode.
  5. Find the KexAlgorithms line and modify it to match the following:
       KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
  6. At the end of the file, add the following lines:
       PubkeyAcceptedKeyTypes -ssh-rsa,[email protected]
       HostKeyAlgorithms -ssh-rsa,[email protected]
       HostbasedAcceptedKeyTypes -ssh-rsa,[email protected]
  7. Press Esc, then type :wq and press Enter to save and close the file.
  8. Run the following command to restart the sshd service:
       systemctl restart sshd
  9. Repeat steps 1-8 on all other VMware Aria Operations nodes.

VMware Aria Operations 8.14.x

  1. Log into the Primary node as root via SSH or Console.
  2. Run the following command to back up the /etc/ssh/sshd_config file:
       cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
  3. Run the following command to open /etc/ssh/sshd_config in a text editor:
       vi /etc/ssh/sshd_config
  4. Press i to enter insert mode.
  5. Find the KexAlgorithms line and modify it to match the following:
       KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
  6. Press Esc, then type :wq and press Enter to save and close the file.
  7. Run the following command to restart the sshd service:
       systemctl restart sshd
  8. Repeat steps 1-7 on all other VMware Aria Operations nodes.

VMware Aria Operations 8.17.x

  1. Log into the Primary node as root via SSH or Console.
  2. Run the following command to back up the /etc/ssh/sshd_config file:
       cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
  3. Run the following command to open /etc/ssh/sshd_config in a text editor:
       vi /etc/ssh/sshd_config
  4. Press i to enter insert mode.
  5. Find the MACs line and modify it to match the following:
       MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
  6. Press Esc, then type :wq and press Enter to save and close the file.
  7. Run the following command to restart the sshd service:
       systemctl restart sshd
  8. Repeat steps 1-7 on all other VMware Aria Operations nodes.
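
A check to run after editing sshd_config and before restarting sshd, given here as an added example that is not part of the original article. `sshd -t` validates the edited file, so a malformed list such as the "Bad SSH2 mac spec" error above is reported while the running daemon is untouched, and the function below lists any SHA-1 based algorithm or ssh-rsa key type still present in `sshd -T` output. The function name and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not VMware code. find_sha1_algos is a hypothetical helper.
# stdin:  output of `sshd -T` (effective config, one "directive value" per line)
# stdout: one "directive: algorithm" line per SHA-1 based entry still enabled
find_sha1_algos() {
    awk '
    {
        key = tolower($1)
        # Only directives that hold comma-separated algorithm lists.
        if (key !~ /^(kexalgorithms|macs|hostkeyalgorithms)$/ &&
            key !~ /^(pubkey|hostbased)accepted(keytypes|algorithms)$/) next
        n = split($2, algo, ",")
        for (i = 1; i <= n; i++)
            # "sha1" covers hmac-sha1 MACs and the -sha1 key exchanges;
            # names starting with ssh-rsa are RSA signatures made with SHA-1.
            if (algo[i] ~ /sha1/ || algo[i] ~ /^ssh-rsa/)
                print key ": " algo[i]
    }'
}

# Constructed sample of `sshd -T` output from a node that is not yet hardened.
SAMPLE_SSHD_T='port 22
kexalgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group14-sha1
macs hmac-sha2-512,hmac-sha2-256,hmac-sha1
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,ssh-rsa'

# Demonstration on the constructed sample (prints three findings).
printf '%s\n' "$SAMPLE_SSHD_T" | find_sha1_algos

# On a node, as root, before `systemctl restart sshd`:
#   sshd -t -f /etc/ssh/sshd_config && sshd -T | find_sha1_algos
# No output from the second command means no SHA-1 based entries remain.
```

Keep the current SSH session open while restarting sshd so the backup file can be restored if a new connection fails.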

Additional Information

To revert the steps and restore SHA1 to the SSH service, complete the following:
  1. Log into the Primary node as root via SSH or Console.
  2. Run the following command to restore the backed up sshd_config file:
       cp /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
  3. Run the following command to restart the sshd service:
       systemctl restart sshd
  4. Repeat steps 1-3 on all other VMware Aria Operations nodes.