HMC ssh_config file edit

Hi,

How can we edit the ssh_config file on the HMC server?

Best regards,

It's probably a daft question in response, but why would you want to? IBM have it set and pretty much lock it down so you don't tamper with it. Any changes that you might make could well be lost when you update it.

What would you like to achieve?

Robin

I have to close using # same line because the ssh daemon is using weak algorithms such as hmac-sha1-96 and hmac-md5-96.

We have to close it according to penetration test.

short answer:

you cannot.

long answer:

hack the HMC and you can do it. If you cannot hack it, you shouldn't do it. Just upgrade it.

1 Like

Amen to that!

IBM made the HMC not a "system", but an "appliance", meaning: it shouldn't be looked at as just another computer with an OS but like something more akin to a toaster.

The reason is to avoid all sorts of mayhem an inexperienced/incompetent administrator could cause to this very central and essential system. We even had a complete discussion thread about this: [Opinion] A Public Answer To Rob McNelly.

While I still do not think this construct is well thought out, I can appreciate the notion that incompetent administrators pose a risk for the operation of the HMC. So, if you are knowledgeable enough to hack your way into the HMC you are probably knowledgeable enough to avoid becoming a liability yourself. And if you are not, then it is probably for the best that you are being kept off the system.

bakunin

1 Like

Anyway, the official answer would be something like:

  • open a PMR and request a special code so that you can su to root (from memory something called the 'pesh')
  • with the root prompt - you can edit whatever you want.

I am sure part of the 'official' solution would be to discuss what level of HMC code you are running. Maybe this problem goes away with an HMC update!

As you never said (and no one asked) I'll just assume you have learned to update your HMC. If it is at version 8.6 or higher, and it is still using the low-grade encryption elements - open a PMR to IBM for a bug-fix. As it is clearly time for it to be gone!

(and because I am curious - what level of HMC - were - you at?)

I suppose you will need to be careful about the managed host firmware and the LPAR AIX versions in play. Make sure you can list them all to IBM. The HMC will be able to give you the firmware on each bit of managed hardware.

Do you have two HMCs in play here? Perhaps one is at a remote site.

Robin
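
Added example, not part of any post in this thread: one way to confirm which MACs an SSH server such as the HMC still offers, before and after an update, by parsing OpenSSH client `ssh -vv` debug output. The host name, function names and sample log are constructed; it assumes the `debug2: peer server KEXINIT proposal` layout printed by current OpenSSH clients, and the "weak" rule (MD5-based or 96-bit-truncated MACs, which covers the two named in the thread) is an assumed policy to adjust to your pentest report.

```shell
#!/usr/bin/env bash
# Real capture (host is a placeholder; the KEXINIT exchange happens before login):
#   ssh -vv -o BatchMode=yes user@hmc.example.com exit 2>&1 | check_host_macs

# Constructed sample of `ssh -vv` output; only the relevant lines are kept.
SAMPLE_DEBUG='debug2: local client KEXINIT proposal
debug2: MACs ctos: umac-64-etm@openssh.com,hmac-sha2-256,hmac-md5
debug2: MACs stoc: umac-64-etm@openssh.com,hmac-sha2-256,hmac-md5
debug2: peer server KEXINIT proposal
debug2: ciphers ctos: aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: MACs stoc: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: compression ctos: none,zlib@openssh.com'

# Print, one per line, the MACs the *server* proposed (stdin: ssh -vv output).
# The client's own proposal is skipped so local settings do not cause false hits.
server_macs() {
  awk '
    /peer server KEXINIT proposal/  { in_peer = 1; next }
    /local client KEXINIT proposal/ { in_peer = 0; next }
    in_peer && /MACs (ctos|stoc):/ {
      sub(/^.*MACs (ctos|stoc): */, "")
      gsub(/[ \t\r]+$/, "")
      n = split($0, a, ",")
      for (i = 1; i <= n; i++) print a[i]
    }
  ' | LC_ALL=C sort -u
}

# Keep only MACs matching the assumed weak policy: MD5-based or truncated to 96 bits.
weak_macs() {
  server_macs | grep -E '(^hmac-md5|-96(-etm@openssh\.com)?$)' || true
}

# Exit status 1 if the server offers any weak MAC, 0 otherwise.
check_host_macs() {
  weak=$(weak_macs)
  if [ -n "$weak" ]; then
    printf '%s\n' "$weak" | sed 's/^/weak MAC offered by server: /'
    return 1
  fi
  echo "no weak MACs offered by server"
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_DEBUG" | check_host_macs || true
```

Running the same check against each HMC after an update shows whether the finding is actually closed rather than relying on the version number alone.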