CCE Orchestration Windows OpenSSH Hardening
The Cloud Connect server establishes a password-less Secure Shell (SSH) connection to the Windows nodes (ICM and CVP) for Orchestration. This section describes the OpenSSH hardening for CCE Orchestration.
Make the following configuration changes in the OpenSSH service daemon configuration file that is located at %programdata%\ssh\sshd_config on Windows nodes and restart the OpenSSH services. See the Orchestration section in the CCE Install and Upgrade Guide for details on the OpenSSH services.
Settings | Compliance Configuration | Description
---|---|---
Restrict SSH connection | | AllowUsers in sshd_config ensures that only the Cloud Connect server host can connect through SSH as the Windows user.
Enable DNS hostname check | | Setting this flag to 'Yes' ensures that the server validates the hostname or IP address combination of the client (Cloud Connect server) that is connecting to it against the DNS server.
Set the maximum number of authentication attempts | | Recommended MaxAuthTries is 3.
Encryption Cipher | HostKey | By default, RSA is used as the cipher when establishing the SSH connection between the Cloud Connect server and the Windows node. You can choose a cipher such as ECDSA: uncomment the ECDSA HostKey line and comment out the RSA line.
Common Vulnerabilities and Exposures (CVE-2023-48795) for OpenSSH | Use the following set of strong ciphers and MACs in the | By default, OpenSSH services are enabled for ICM and CVP nodes. Hence, the following OpenSSH versions that are packaged with ICM and CVP are marked as affected versions:

Strong ciphers and MACs for CVE-2023-48795:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512

The following vulnerable algorithms can be disabled (either removed or commented out) if they are present in the %programdata%\ssh\sshd_config file:
chacha20-poly1305@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha1-etm@openssh.com
hmac-md5-etm@openssh.com
If these ciphers do not exist in the
If the ciphers are not present in the
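As an added compliance check (not part of the Cisco guide), the following Python script parses an sshd_config file and reports which of the settings in the table above are not met. It assumes the DNS hostname check is the UseDNS directive, and the user name, host address and key paths in the constructed sample are placeholders.

```python
import re
# Algorithms the CVE-2023-48795 row says to remove or comment out in sshd_config.
VULNERABLE_ALGS = {"chacha20-poly1305@openssh.com", "hmac-sha2-512-etm@openssh.com",
                   "hmac-sha2-256-etm@openssh.com", "hmac-sha1-etm@openssh.com",
                   "hmac-md5-etm@openssh.com"}

def parse_sshd_config(text):
    """Map each active (uncommented) keyword, lower-cased, to all its values in file order."""
    conf = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue  # comments and blank lines carry no configuration
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Keyword value' or 'Keyword=value'
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf

def audit_sshd_config(text):
    """Return one finding per table setting that is not met; an empty list means compliant."""
    conf = parse_sshd_config(text)
    findings = []
    if "allowusers" not in conf:
        findings.append("AllowUsers not set: logins are not restricted to the Cloud Connect host")
    if conf.get("usedns", [""])[0].lower() != "yes":  # sshd honours the first occurrence
        findings.append("UseDNS is not 'yes': client hostname/IP is not validated against DNS")
    tries = conf.get("maxauthtries", [""])[0]
    if not tries.isdigit() or int(tries) > 3:
        findings.append("MaxAuthTries missing or above the recommended value of 3")
    hostkeys = conf.get("hostkey", [])
    if not hostkeys or any("rsa" in key.lower() for key in hostkeys):
        findings.append("HostKey: expected only the ECDSA key active, with the RSA line commented")
    for keyword in ("ciphers", "macs"):
        if keyword not in conf:
            findings.append(f"{keyword} not set: server offers the OpenSSH defaults")
            continue
        offered = {alg.strip() for value in conf[keyword] for alg in value.split(",")}
        bad = sorted(offered & VULNERABLE_ALGS)
        if bad:
            findings.append(f"{keyword} still offers CVE-2023-48795 algorithms: {', '.join(bad)}")
    return findings
# Constructed sample showing the hardened state the table describes (not a real node's file).
HARDENED = """\
AllowUsers orchadmin@203.0.113.10
UseDNS yes
MaxAuthTries 3
#HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512
"""
```

Run `audit_sshd_config(open(r"C:\ProgramData\ssh\sshd_config").read())` on a node to list the settings that still need attention.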
Restricting Access to OpenSSH sshd_config
Initially, appropriate user-based permissions are configured for sshd_config when OpenSSH is installed by the CVP or ICM mandatory ES used for onboarding the Windows nodes to Cloud Connect for Orchestration.
If the administrator changes the platform Orchestration administrator user, the permissions must be set again so that access to OpenSSH sshd_config is restricted to the new user. To restrict access to OpenSSH sshd_config, perform the following steps:
Procedure
1. Log in to the Windows node (CVP or ICM) with the new platform Orchestration administrator user.
2. Launch PowerShell in administrator mode.
3. Navigate to the default installation directory of OpenSSH (for example, C:\icm\install\OpenSSH-Win64 in the case of ICM).
4. Run the command Import-Module .\OpenSSHUtils.psd1 -Force.
5. Run the command Repair-SshdConfigPermission -FilePath C:\ProgramData\ssh\sshd_config.
6. Press the Enter key to select the default option "Y" for the queries on inheritance and access restriction.
7. Restart the OpenSSH services. See the Orchestration section in the CCE Install and Upgrade Guide for details on the OpenSSH services.
8. Run the command utils deployment test-connection in the Cloud Connect CLI, from both the publisher and the subscriber, against this particular Windows node. This confirms that the Cloud Connect server is able to establish the password-less Secure Shell (SSH) connection to the Windows nodes (ICM and CVP) for Orchestration.