Hi All,
I am trying to harden SSH as a requirement within our company,
but as I disable password login, only allow login with SSH key and disallow root to log in via SSH, it seems to be breaking the communication/synchronisation between PVE nodes.
Example 1: when logging into the cluster I can open the _Shell only from the node I am connected to. When I try to open _Shell for the other node I get a permission denied (public-key) error.
Example 2: I have set up OTP on my account; this works on 1 node but not on the other (it does ask for the OTP but it is not accepted).
Now, with allowing password login and allowing root, both examples work with no problem.
Could someone shine some light on this?
Maybe suggest some other hardening?
(Firewall is active and only allowing a few IPs)
Many thanks