NVE: How to Allow root SSH Access On a NetWorker Virtual Edition
Resumen: This KB provides instructions on how to enable direct root access to a NetWorker Virtual Edition (NVE) appliance. Similar instructions can be found in the NetWorker Virtual Edition Deployment Guide. ...
Instrucciones
By default, you cannot use SSH to log in to the NVE appliance with the root account. This is intended as a security measure to prevent unauthorized root access. You must connect using the admin account and then `sudo su -` to log in as root. If the root and admin credentials differ, it would not be possible to breach the root account unless both account passwords are known. NVE direct root access is possible through a console connection (for example: VMware Web Console Connection). NVE administrators can allow direct root SSH access, but must do so at their own discretion.
Copying logs directly off the NVE with a Secure Copy Protocol (SCP) agent is easier with the root account, but you can also use the admin account. You must place the files in a directory the admin user has access to (for example: /space or /tmp). Ensure that the files have read access for the admin user:
sudo chmod 744 /path/to/file
- NetWorker (Linux): How to copy files to/from a Linux NetWorker server.
- NVE: Upgrade or Install Failure Triage Guide
- NVE: How to change OS passwords
You can enable root SSH access using one of two methods:
1. Enable global root SSH access. This allows root SSH access from any network.
2. Enable "restricted" (match address) root SSH access. This allows root SSH access only from specified IP addresses or networks.
sshd configuration file to improve security. Direct root SSH access may be revoked after performing an OS security rollup. In which case, the settings outlined in this KB must be reapplied.
Global Access:
1. SSH to the NVE as admin, then switch to root:
sudo su -
2. Using vi edit the /etc/ssh/sshd_config file.
vi /etc/ssh/sshd_config
3. Look for the line PermitRootLogin line.
PermitRootLogin no to PermitRootLogin yes.
PermitRootLogin yes
Match Address ::1,127.0.0.1,127.0.0.1,::1,192.168.9.101,fe80::250:56ff:fea5:80ff
PermitRootLogin yes
Match all
4. Save the file:
Hit [ESC] then enter :wq!
5. Restart the sshd service:
systemctl restart sshd
You can now log in as root during NVE SSH access.
Restricted IP/network SSH Access:
1. SSH to the NVE as admin, then switch to root:
sudo su -
2. Using vi edit the /etc/ssh/sshd_config file.
vi /etc/ssh/sshd_config
3. Look for the line Match Address line, near the end of the file.
4. Update the Match Address line to include a specific IP or network IP/Subnet address.
Example:
PermitRootLogin no
Match Address ::1,127.0.0.1,127.0.0.1,::1,192.168.9.101,fe80::250:56ff:fea5:80ff,192.168.9.0/24
PermitRootLogin yes
Only systems on the 192.168.9.0 network have root SSH access. Root SSH access from other networks to the NVE are denied. Similarly you can specify single IP addresses instead of a network address.
5. Save the file:
Hit [ESC] then enter :wq!
6. Restart the sshd service:
systemctl restart sshd
You can now log in as root during NVE SSH access, but only from the addresses or networks specified.
See the NetWorker Virtual Edition Deployment Guide for additional instructions.