Modifying the sshd Configuration File
Scenarios
The sshd configuration file /etc/ssh/sshd_config can be edited by users. To prevent a modified configuration from being overwritten during a firmware upgrade, the existing sshd configuration file is not replaced after the upgrade. You therefore need to modify the configuration manually to harden the security of the sshd service.
- If the factory version is 20.0.1.030 or later, the insecure algorithms have already been removed from the sshd configuration file and no manual modification is required.
- If the factory version is earlier than 20.0.1.030, you are advised to manually modify the configuration to harden the security of the sshd service.
Procedure
- Log in to the IES CLI.
  - Use SSH to log in to the IES CLI.
  - Enter the user name and password.
    - Default username: admin
    - Default password: Huawei12#$
    For details, see Logging In Over a Network Port by Using PuTTY.
- Switch to the develop mode.
  - Run the following command to obtain the permissions of user root:
    develop
    Information similar to the following is displayed:
    IES:/->develop
    input root passwd
    Password:
    Last login: Tue Jun 4 15:38:59 UTC 2019 on pts/0
    Euler:~ #
  - Enter the password of user root as prompted.
    Default password: Huawei@SYS3
- Run the following command to back up the /etc/ssh/sshd_config file:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
- Modify the configuration items in the /etc/ssh/sshd_config file.
  - Use the Linux text editor to open the sshd configuration file.
    Run the following command to open the sshd configuration file /etc/ssh/sshd_config:
    vi /etc/ssh/sshd_config
  - Change the values of the following configuration items:
    ClientAliveInterval 300
    ClientAliveCountMax 0
    HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512
    PubkeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512
    HostbasedAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512
    MACs hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com
    Subsystem sftp internal-sftp -l INFO -u 0077
    If the configuration file does not contain the preceding configuration items, add them to the end of the file.
  - Run the following command to restart the sshd service:
    systemctl restart sshd
- Perform step 1 (Log in to the IES CLI) in another window and check whether the login is successful.
- If the login is successful, return to the original window and run the following command to delete the backup configuration file:
rm /etc/ssh/sshd_config_bak
- If the login fails, return to the original window, run the following commands to roll back the modification of the configuration file, and contact Huawei technical support:
  cp /etc/ssh/sshd_config_bak /etc/ssh/sshd_config
  systemctl restart sshd
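The editing step of this procedure as an added example, not code from the original page: a POSIX shell script that enforces the listed values in a given sshd_config file, replacing stale or commented-out entries (sshd honours the first occurrence of a keyword, so a leftover earlier line would otherwise win) and placing new lines above any Match block, where appending to the end of the file would scope them to matching users only. The function names, the temporary-file naming and the "Keyword value" form it matches are assumptions; the directive values are the page's.

```shell
# Added example (not from the page): enforce the procedure's sshd_config values on a
# given file. Function names and the "Keyword value" form matched are assumptions.

# The directives the procedure sets, one per line, exactly as the page lists them.
hardening_directives() {
    cat <<'EOF'
ClientAliveInterval 300
ClientAliveCountMax 0
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512
PubkeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512
HostbasedAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512
MACs hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com
Subsystem sftp internal-sftp -l INFO -u 0077
EOF
}

# set_directive FILE KEYREGEX LINE: remove every active or commented-out occurrence
# (sshd honours the FIRST match, so a stale earlier line would silently win), then
# insert LINE above the first Match block so it keeps global scope.
set_directive() {
    new="$1.new.$$"
    awk -v pat="^[ \t]*#?[ \t]*$2([ \t]|=|$)" -v line="$3" '
        tolower($0) ~ tolower(pat)               { next }
        /^[ \t]*[Mm]atch([ \t]|$)/ && !placed    { print line; placed = 1 }
                                                 { print }
        END { if (!placed) print line }
    ' "$1" > "$new" && mv "$new" "$1"
}

# harden_sshd_config FILE: apply all directives; safe to run repeatedly.
harden_sshd_config() {
    hardening_directives | while IFS= read -r line; do
        case "$line" in
            Subsystem*) key="Subsystem[ \t]+sftp" ;;  # replace only the sftp subsystem line
            *)          key="${line%% *}" ;;
        esac
        set_directive "$1" "$key" "$line"
    done
}

# get_directive FILE KEY: the value sshd uses globally (first active line before any Match).
get_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[Mm]atch([ \t]|$)/ { exit }
        /^[ \t]*#/                 { next }
        tolower($1) == key         { $1 = ""; sub(/^ /, ""); print; exit }
    ' "$1"
}
```

On the device, run harden_sshd_config as root on /etc/ssh/sshd_config after taking the backup from the procedure, then check the result with sshd -t before systemctl restart sshd.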