Enhancing Cluster Security with Nutanix SSH security settings

If your clusters are running Nutanix Cluster Check (NCC) 4.6.4 or later, you have probably seen a new alert: “The cluster is using password-based SSH access for the CVM xxx.xxx.xxx.xxx.”

Password-based SSH access to the CVMs is being phased out during 2024. You will need to move to public-key SSH access, which is configured through the Cluster Lockdown feature.

Wondering what Cluster Lockdown is, or how to enable and set it up? Here is how to do it.

Step 1: Executing the NCC Check

The check is part of the full NCC health check; run it from any CVM with:

  ncc health_checks run_all

Or run only this check:

  ncc health_checks system_checks check_cvm_ssh_security

The checks can also be started from the Health page of the Prism web console: go to Actions > Run Checks, select All Checks, and click Run.

Note: This check applies only to CVMs, not to Prism Central. By default it runs automatically every 24 hours, and an NCC alert is raised for any cluster that does not follow the recommended SSH security settings.


Step 2: Generate an RSA key pair with PuTTYgen

On Windows you can generate the key pair with PuTTYgen, part of the PuTTY suite. Launch PuTTYgen, select RSA, set the number of bits to 4096, click Generate, set a passphrase, and save the private key (.ppk file). The public key you will give to Prism is the text in the box labelled “Public key for pasting into OpenSSH authorized_keys file”: a single line starting with ssh-rsa. Copy that text rather than using the “Save public key” button, which writes the multi-line RFC 4716 format; the Cluster Lockdown dialog expects the one-line OpenSSH format. (On Linux or macOS, ssh-keygen -t rsa -b 4096 writes the same one-line public key to the .pub file.)

Step 3: Enable Cluster Lockdown

To clear the NCC alert, add your public key and then turn off password login:

  1. Click the gear icon; on the Settings page, select Cluster Lockdown in the Security section, then click + New Public Key.
  2. Enter a Name for the new key, paste the public key copied from PuTTYgen (the one-line ssh-rsa text) into the Key field, and click Save.
  3. Before disabling passwords, open a new session and confirm that you can log in to a CVM with the key (Step 4 below). Do not remove password login until key login has been verified, or you can lock yourself out of SSH.
  4. Deselect Enable Remote Login with Password.
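As an added example for Steps 2 and 3 (my own code, not Nutanix's or PuTTY's): a small Python script that converts the RFC 4716 file PuTTYgen writes with “Save public key” into the one-line OpenSSH form the Cluster Lockdown Key field expects (the same text shown in PuTTYgen's “Public key for pasting into OpenSSH authorized_keys file” box), and checks the key type and size before you paste it. The sample key inside is constructed (a placeholder modulus, not a real key), and the 2048-bit minimum is my own policy choice, not a Nutanix requirement.

```python
import base64
import struct

# Minimum RSA modulus size this script accepts: our own policy choice (the article
# generates 4096-bit keys; 2048 is the floor we tolerate for existing keys).
MIN_RSA_BITS = 2048

def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' (leading 0x00 if the high bit is set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def _read_string(blob: bytes, offset: int):
    """Read one SSH 'string' at offset; return (payload, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length

def rsa_public_blob(e: int, n: int) -> bytes:
    """Build the wire-format blob of an ssh-rsa public key: "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)

def openssh_line(blob: bytes, comment: str = "") -> str:
    """Render a key blob in the one-line authorized_keys form: <type> <base64> [comment]."""
    key_type, _ = _read_string(blob, 0)
    line = key_type.decode("ascii") + " " + base64.b64encode(blob).decode("ascii")
    return line + " " + comment if comment else line

def rfc4716_to_openssh(text: str) -> str:
    """Convert a PuTTYgen 'Save public key' file (RFC 4716, '---- BEGIN SSH2 PUBLIC KEY ----')
    into the one-line OpenSSH form that the Cluster Lockdown dialog expects."""
    lines = [ln.rstrip() for ln in text.strip().splitlines()]
    if not lines or lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----":
        raise ValueError("not an RFC 4716 public key file")
    comment, body, i = "", [], 1
    # Header lines look like 'Comment: "..."'; a trailing backslash continues on the next line.
    while i < len(lines) and ":" in lines[i] and not lines[i].startswith("----"):
        name, _, value = lines[i].partition(":")
        value = value.strip()
        while value.endswith("\\") and i + 1 < len(lines):
            i += 1
            value = value[:-1] + lines[i].strip()
        if name.strip().lower() == "comment":
            comment = value.strip('"')
        i += 1
    for ln in lines[i:]:
        if ln == "---- END SSH2 PUBLIC KEY ----":
            break
        body.append(ln.strip())
    blob = base64.b64decode("".join(body), validate=True)
    return openssh_line(blob, comment)

def parse_openssh_pubkey(line: str) -> dict:
    """Parse '<type> <base64> [comment]'; verify the type embedded in the blob matches the
    leading field, and recover the key size (RSA modulus bits or ECDSA curve bits)."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    embedded, off = _read_string(blob, 0)
    if embedded.decode("ascii") != key_type:
        raise ValueError("key type field does not match the encoded blob")
    bits = None
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)       # public exponent, not needed here
        n_bytes, off = _read_string(blob, off)  # modulus as mpint
        bits = int.from_bytes(n_bytes, "big").bit_length()
    elif key_type.startswith("ecdsa-sha2-nistp"):
        bits = int(key_type[len("ecdsa-sha2-nistp"):])
    return {"type": key_type, "bits": bits, "comment": comment}

def key_acceptable(line: str) -> bool:
    """Policy gate before pasting into Prism: RSA of at least MIN_RSA_BITS, or NIST-curve ECDSA."""
    info = parse_openssh_pubkey(line)
    if info["type"] == "ssh-rsa":
        return info["bits"] >= MIN_RSA_BITS
    return info["type"].startswith("ecdsa-sha2-nistp")

# Constructed sample: a placeholder 4096-bit modulus, NOT a real key, wrapped the way
# PuTTYgen's "Save public key" writes it (quoted Comment header, 70-character base64 lines).
SAMPLE_BLOB = rsa_public_blob(65537, (1 << 4095) | 12345)
_b64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
SAMPLE_RFC4716 = "\n".join(
    ["---- BEGIN SSH2 PUBLIC KEY ----", 'Comment: "rsa-key-20240101"']
    + [_b64[i:i + 70] for i in range(0, len(_b64), 70)]
    + ["---- END SSH2 PUBLIC KEY ----"]
)

if __name__ == "__main__":
    line = rfc4716_to_openssh(SAMPLE_RFC4716)
    print(line[:48] + "...", parse_openssh_pubkey(line), key_acceptable(line))
```

Run it against the .pub file PuTTYgen saved (or just paste the one-line text from PuTTYgen's window directly into Prism and skip the conversion). The point of parse_openssh_pubkey is that the Key field gets exactly one line whose base64 blob really is the key type it claims, which catches the two common paste mistakes: the RFC 4716 file and a line wrapped by an editor.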

Step 4: Configure PuTTY

  1. Open PuTTY.
  2. In the Category pane, go to Connection > SSH > Auth > Credentials.
  3. Under Private key file for authentication, click Browse and select the private key (.ppk) file you saved earlier.
  4. Under Connection > Data, set Auto-login username to nutanix, the CVM account the key was added for.
  5. Go to Session and enter the IP address of the CVM.
  6. Click Open. If you set a passphrase on the private key, you will be prompted for it.
  7. You should now be logged in without entering the user's password, authenticated by your SSH key.

Nutanix discourages SSH access to the CVMs wherever possible. In the exceptional cases that require a CVM login, key-based SSH access is preferred over password-based access. Once an RSA or ECDSA public key has been added, the admin and nutanix users can access the CVMs and hosts with that key pair.

Summary: Clusters running NCC 4.6.4 or later alert on password-based SSH access to the CVMs, which is being phased out in 2024. The fix is to run the NCC check, generate an RSA key pair (with PuTTYgen on Windows), add the public key under Cluster Lockdown, verify key-based login with PuTTY, and only then disable password login. Nutanix advises keeping SSH access to the CVMs to a minimum, and using key-based access when it is needed.


Is this something you are interested in? Did I miss something?

Feel free to leave a comment and let me know what you think!