Post-Installation Steps
You can enhance the security and performance of your Harvester cluster by performing the following procedures after installation is completed.
Disable SSH Password
By default during installation, SSH password authentication is enabled on the Harvester nodes. This allows administrator to access the nodes for installation diagnosis.
Once installation is completed, however, disabling SSH password authentication is recommended. You can run the following command, which uses kubectl to apply a CloudInit configuration, to disable SSH password authentication on all Harvester nodes:
cat <<EOF | kubectl apply -f -
apiVersion: node.harvesterhci.io/v1beta1
kind: CloudInit
metadata:
name: ssh-config
spec:
matchSelector:
harvesterhci.io/managed: "true" # apply to all Harvester nodes
filename: 99-ssh-config
contents: |
stages:
network:
- name: "disable password login"
commands:
- sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
- sed -i -E 's/^#?ChallengeResponseAuthentication .*/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
- sed -i -E 's/^#?UsePAM .*/UsePAM no/' /etc/ssh/sshd_config
- systemctl restart sshd
paused: false
EOF
note
- The
matchSelectorfield is used to select Harvester nodes with specific labels. - All the affected nodes must be rebooted for the
CloudInitconfiguration to take effect.
Once the configuration is applied, any attempts to access the Harvester nodes with the SSH password are denied.
$ ssh -o PreferredAuthentications=password rancher@<node-ip>
rancher@<node-ip>: Permission denied (publickey,keyboard-interactive).