Strengthen the security of secure shell (SSH) communication between the nodes.
Note
- SSH communication is secured by default when you upgrade the nodes to Platform Release 2022E and higher.
- After you upgrade the MediaAgents in your HyperScale environment to version 28.111 or later, if you cannot SSH into the nodes with mRemoteNG because of the error "Couldn't agree a client-to-server MAC", follow the instructions in the mRemoteNG documentation to update the mRemoteNG PuTTY.
Before You Begin
Enable root access on the nodes if root access is disabled.
Procedure
- Log on to any one of the nodes in the storage pool as root user.
- Navigate to the following folder:
  # cd /opt/commvault/MediaAgent
- Run the following script:
  # ./cvavahi.py secure_hs
  Output similar to the following will be displayed:
  INFO: Processing SSH configurations...
  INFO: Setting SSH cipher configurations...
  Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
  INFO: Completed setting SSH cipher configurations successfully...
  INFO: Setting SSH MAC configurations...
  MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
  INFO: Completed setting SSH MAC configurations successfully...
  INFO: Setting SSH KexAlgorithms configurations...
  INFO: Completed setting SSH Kex Algorithms configurations successfully...
  Removed symlink /etc/systemd/system/multi-user.target.wants/avahi-daemon.service.
  Removed symlink /etc/systemd/system/sockets.target.wants/avahi-daemon.socket.
  Removed symlink /etc/systemd/system/dbus-org.freedesktop.Avahi.service.
  Warning: Stopping avahi-daemon.service, but it can still be activated by:
    avahi-daemon.socket
  Removed symlink /etc/systemd/system/multi-user.target.wants/httpd.service.
  WARNING: Unable to update sysctl file.
  INFO: /etc/sysctl file updated successfully
  INFO: File permissions updated successfully
  Unable to find home directory for user[gluster]
  Unable to find home directory for user[insights]
  INFO: user home directories permission set successfully.
  INFO: umask set to 077 successfully...
  INFO: user umask set successfully to 077.
  INFO: Anonymous root login disabled.
  INFO: All security changes completed successfully
- Repeat the above steps on all the nodes in the storage pool.
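To check the result on a node and to see why a client can fail with "Couldn't agree a client-to-server MAC", the following added example (not Commvault's code) applies the SSH negotiation rule to the MAC list shown in the output above. The function names and the client MAC lists are assumptions constructed for illustration; on a node, pipe the output of `sshd -T` into `directive_value` instead of the embedded sample.

```shell
#!/bin/sh
# Constructed sample: the Ciphers and MACs lines from the script output above.
# On a node, use the live configuration instead:  sshd -T | directive_value macs
SAMPLE_CONFIG='Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com'

# directive_value NAME: read sshd_config or `sshd -T` text on stdin and print
# the value of the first matching directive (keyword match is case-insensitive).
directive_value() {
    awk -v want="$1" 'tolower($1) == tolower(want) { print $2; exit }'
}

# negotiate CLIENT_LIST SERVER_LIST: SSH picks the first algorithm in the
# client's list that the server also lists (RFC 4253, section 7.1).
# Prints the agreed algorithm, or returns 1 when the lists do not overlap.
negotiate() {
    old_ifs=$IFS
    IFS=,
    for alg in $1; do
        case ",$2," in
            *",$alg,"*) IFS=$old_ifs; printf '%s\n' "$alg"; return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# check_client_macs CLIENT_LIST: test a client's MAC offer against the server list.
check_client_macs() {
    server_macs=$(printf '%s\n' "$SAMPLE_CONFIG" | directive_value MACs)
    if chosen=$(negotiate "$1" "$server_macs"); then
        echo "agreed MAC: $chosen"
    else
        echo "no common MAC for client offer: $1"
        return 1
    fi
}

# Hypothetical client offers (constructed): one current, one limited to legacy MACs.
check_client_macs 'hmac-sha2-256-etm@openssh.com,hmac-sha2-256'
check_client_macs 'hmac-md5,hmac-sha1-96' || true
```

A client whose offer has no overlap with the server's `MACs` line cannot complete the key exchange, which is the condition the mRemoteNG note describes.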
What to Do Next
Disable root access, if root access was previously disabled.