Strengthening SSH Communication Between HyperScale Nodes

Strengthen the security of secure shell (SSH) communication between the nodes.

Note

  • SSH communication is secured by default when you upgrade the nodes to Platform Release 2022E and higher.

  • After you upgrade the MediaAgents in your HyperScale environment to version 28.111 or later, if you cannot SSH into the nodes with mRemoteNG because of the error "Couldn't agree a client-to-server MAC", follow the instructions in the mRemoteNG documentation to update the mRemoteNG PuTTY.

Before You Begin

Enable root access on the nodes if root access is disabled.

Procedure

  1. Log on to any one of the nodes in the storage pool as the root user.

  2. Navigate to the following folder:

    # cd /opt/commvault/MediaAgent

  3. Run the following script:

    # ./cvavahi.py secure_hs

    Output similar to the following will be displayed:

    INFO: Processing SSH configurations...
    INFO: Setting SSH cipher configurations...
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
    INFO: Completed setting SSH cipher configurations successfully...
    INFO: Setting SSH MAC configurations...
    MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
    INFO: Completed setting SSH MAC configurations successfully...
    INFO: Setting SSH KexAlgorithms configurations...
    INFO: Completed setting SSH Kex Algorithms configurations successfully...
    Removed symlink /etc/systemd/system/multi-user.target.wants/avahi-daemon.service.
    Removed symlink /etc/systemd/system/sockets.target.wants/avahi-daemon.socket.
    Removed symlink /etc/systemd/system/dbus-org.freedesktop.Avahi.service.
    Warning: Stopping avahi-daemon.service, but it can still be activated by:
      avahi-daemon.socket
    Removed symlink /etc/systemd/system/multi-user.target.wants/httpd.service.
    WARNING: Unable to update sysctl file.
    INFO: /etc/sysctl file updated successfully
    INFO: File permissions updated successfully
    Unable to find home directory for user[gluster]
    Unable to find home directory for user[insights]
    INFO: user home directories permission set successfully.
    INFO: umask set to 077 successfully...
    INFO: user umask set successfully to 077.
    INFO: Anonymous root login disabled.
    INFO: All security changes completed successfully

  4. Repeat the above steps on all the nodes in the storage pool.
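
The following added example, which is not Commvault code, reads the effective sshd settings and reports which MAC a client would negotiate, or that none is shared, which is the condition behind the "Couldn't agree a client-to-server MAC" error in the note above. The function names and the client MAC lists are hypothetical; the sample configuration is constructed from the output shown in step 3.

```shell
#!/bin/sh
# Added example, not Commvault code. Sample values are constructed from the
# script output shown on this page; client lists are hypothetical.

# server_algos KEYWORD: read `sshd -T` (or sshd_config) text on stdin and
# print the comma-separated list for KEYWORD (matched case-insensitively).
server_algos() {
    awk -v want="$1" 'tolower($1) == tolower(want) { print $2; exit }'
}

# common_algos CLIENT_LIST SERVER_LIST: print, in client preference order,
# the algorithms both sides offer. SSH negotiates the first one; no output
# means negotiation fails ("Couldn't agree a client-to-server MAC").
common_algos() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r alg; do
        case ",$2," in
            *",$alg,"*) printf '%s\n' "$alg" ;;
        esac
    done
}

# Constructed sample: the Ciphers and MACs lines printed by the script above.
SAMPLE_CONF='Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com'

# Hypothetical client offers, for illustration only.
OLD_CLIENT_MACS='hmac-md5,hmac-sha1-96'
NEW_CLIENT_MACS='hmac-sha2-256,hmac-sha1'

# On a node, feed the real settings instead:  sshd -T | server_algos macs
SERVER_MACS=$(printf '%s\n' "$SAMPLE_CONF" | server_algos macs)

for client in "$OLD_CLIENT_MACS" "$NEW_CLIENT_MACS"; do
    first=$(common_algos "$client" "$SERVER_MACS" | head -n 1)
    echo "client [$client] -> ${first:-NO COMMON MAC, connection will fail}"
done
```

Run the same comparison with `ciphers` or `kexalgorithms` as the keyword to check the other lists the script sets.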

What to Do Next

Disable root access, if root access was previously disabled.
