This is unreleased documentation for SUSE® Virtualization v1.6 (Dev).

Post-Installation Tasks

You can enhance the security and performance of your SUSE Virtualization cluster by performing the following procedures after installation is completed.

Disable the SSH password authentication

By default, SSH password authentication is enabled on SUSE Virtualization nodes during installation. This allows the administrator to access the nodes for post-installation diagnosis.

Once installation is completed, however, disabling SSH password authentication is recommended. You can run the following command, which uses kubectl to apply a CloudInit configuration, to disable SSH password authentication on all SUSE Virtualization nodes:

cat <<EOF | kubectl apply -f -
apiVersion: node.harvesterhci.io/v1beta1
kind: CloudInit
metadata:
  name: ssh-config
spec:
  matchSelector:
    harvesterhci.io/managed: "true" # apply to all nodes
  filename: 99-ssh-config
  contents: |
    stages:
      network:
      - name: "disable password login"
        commands:
        - sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
        - sed -i -E 's/^#?ChallengeResponseAuthentication .*/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
        - sed -i -E 's/^#?UsePAM .*/UsePAM no/' /etc/ssh/sshd_config
        - systemctl restart sshd
  paused: false
EOF

  • The matchSelector field is used to select SUSE Virtualization nodes with specific labels.

  • All the affected nodes must be rebooted for the CloudInit configuration to take effect.

Once the configuration is applied, any attempts to access the SUSE Virtualization nodes with the SSH password are denied.

$ ssh -o PreferredAuthentications=password rancher@<node-ip>
rancher@<node-ip>: Permission denied (publickey,keyboard-interactive).
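
The sed commands in the CloudInit configuration only rewrite lines that already exist in /etc/ssh/sshd_config, so a keyword that is missing from the file stays unset. The following script is an added example, not part of the SUSE Virtualization documentation; its function names and sample file are constructed for illustration, and it reports whether each of the three keywords is explicitly set to no.

```shell
#!/bin/sh
# Added example (not from the product docs): audit an sshd_config-style file
# for the three keywords that the CloudInit commands rewrite.

# Print the value of the first uncommented global occurrence of KEYWORD.
# sshd keeps the first value it reads; keywords are case-insensitive.
first_value() {  # usage: first_value KEYWORD FILE
    awk -v kw="$1" '
        tolower($1) == "match"     { exit }   # conditional blocks are not global
        tolower($1) == tolower(kw) { print tolower($2); exit }
    ' "$2"
}

# Return 0 only if all three keywords are explicitly set to "no".
check_password_login_disabled() {  # usage: check_password_login_disabled FILE
    rc=0
    for kw in PasswordAuthentication ChallengeResponseAuthentication UsePAM; do
        val=$(first_value "$kw" "$1")
        if [ "$val" = "no" ]; then
            echo "OK    $kw no"
        else
            echo "FAIL  $kw ${val:-not set explicitly}"
            rc=1
        fi
    done
    return "$rc"
}

# The same three sed expressions as the CloudInit commands, written to stdout
# instead of editing in place so they can be tried on a copy.
apply_page_seds() {  # usage: apply_page_seds FILE
    sed -E \
        -e 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' \
        -e 's/^#?ChallengeResponseAuthentication .*/ChallengeResponseAuthentication no/' \
        -e 's/^#?UsePAM .*/UsePAM no/' "$1"
}

# Constructed sample: one commented keyword, one active keyword, no UsePAM line.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'Port 22' '#PasswordAuthentication yes' \
        'ChallengeResponseAuthentication yes' > "$tmp/before"
    apply_page_seds "$tmp/before" > "$tmp/after"
    check_password_login_disabled "$tmp/after"; status=$?
    rm -rf "$tmp"
    return "$status"
}

# With a path argument, audit that file; otherwise run the constructed demo.
if [ -n "${1:-}" ]; then check_password_login_disabled "$1"; else demo || true; fi
```

On a node, pass /etc/ssh/sshd_config as the argument after the reboot. This check reads a single file and does not follow Include directives; `sshd -T` prints the effective configuration that sshd actually uses.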